From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jochen Hein
Newsgroups: gmane.emacs.gnus.general
Subject: Re: gssapi authentication for nnimap
Date: Mon, 08 Feb 2016 21:59:37 +0100
Message-ID: <831t8mgbpi.fsf@echidna.jochen.org>
References: <87oaecan6t.fsf@mid.deneb.enyo.de> <87d1sanxyx.fsf@gnus.org> <83a8ncfnkc.fsf@echidna.jochen.org> <8737t3g4hk.fsf@gnus.org>
To: ding@gnus.org
Cc: Lars Ingebrigtsen , Florian Weimer
User-Agent: Gnus/5.130015 (Ma Gnus v0.15) Emacs/24.4 (gnu/linux)
Xref: news.gmane.org gmane.emacs.gnus.general:86798

Lars Ingebrigtsen writes:

> We do still have the gssapi.el file, so we could presumably get this
> stuff working again, if somebody with access to a server that uses
> gssapi could hack away at it a bit...

I've tried to follow through the twisted maze of functions, but was not
successful. First, let's start with a log using gsasl to connect to my
imap server with telnet:

$ telnet imap.jochen.org imap
Trying fd23:e163:19f7:1234:216:3eff:feef:b5d4...
Connected to jupiter.jochen.org.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready

My server advertises both STARTTLS and AUTH=GSSAPI - I can use STARTTLS
and password authentication or GSSAPI.

Let's try with gsasl (with LANG=C, so the last two lines are not
translated):

$ LANG=C gsasl imap.jochen.org imap --mechanism=GSSAPI --authentication-id=jochen@JOCHEN.ORG
Trying 'jupiter.jochen.org'...
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP git2.5+0-Debian-2.5~dev2015021301-0~kolab2 server ready
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. STARTTLS
. OK Begin TLS negotiation now
. CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE
. OK Completed
. AUTHENTICATE GSSAPI
+ YII...[lotsmorebas64]...EOsDQ==
+ YIG...[againbase64]...k+V86o=
+ BQQF/wAMAAAAAAAA...HRui4A=
BQQE/wAMAAAAAAAA.....YYR+jKQ3/PncQ==
. OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] Success (tls protection)
SESSIONID=
Client authentication finished (server trusted)...
Enter application data (EOF to finish):

So my guess is that we only need to start gsasl and get a session with
STARTTLS and authenticated with GSSAPI. Nice.

Using imtest with the options defined in gssapi.el gives me a non-TLS
session - at least I don't see any STARTTLS. So the basic commands from
gssapi.el seem to work nicely. The only function in that file is
open-gssapi-stream, so how do I get gnus to call that function?

In https://lists.gnu.org/archive/html/info-gnus-english/2012-06/msg00009.html
there's a diff that uses nnimap-authenticator. Is that the right option
to use, or would nnimap-stream be better? Anyway, I've modified that
diff like this:

diff --git a/lisp/nnimap.el b/lisp/nnimap.el index 05251ed..aba48f3 100644 --- a/lisp/nnimap.el +++ b/lisp/nnimap.el @@ -65,7 +65,7 @@ it will default to `imap'.") (defvoo nnimap-stream 'undecided "How nnimap talks to the IMAP server. The value should be either `undecided', `ssl' or `tls', -`network', `starttls', `plain', or `shell'. +`network', `starttls', `plain', `gssapi' or `shell'. If the value is `undecided', nnimap tries `ssl' first, then falls back on `network'.")
@@ -408,6 +408,10 @@ textual parts.") (nnheader-message 7 "Opening connection to %s via shell..." nnimap-address) '("imap")) + ((eq nnimap-stream 'gssapi) + (nnheader-message 7 "jk:Opening connection to %s via GSSAPI..." + nnimap-address) + '("imap")) ((memq nnimap-stream '(ssl tls)) (nnheader-message 7 "Opening connection to %s via tls..." nnimap-address) @@ -417,22 +421,26 @@ textual parts.") login-result credentials) (when nnimap-server-port (push nnimap-server-port ports)) - (let* ((stream-list - (open-protocol-stream - "*nnimap*" (current-buffer) nnimap-address - (nnimap-map-port (car ports)) - :type nnimap-stream - :warn-unless-encrypted t - :return-list t - :shell-command nnimap-shell-program - :capability-command "1 CAPABILITY\r\n" - :always-query-capabilities t - :end-of-command "\r\n" - :success " OK " - :starttls-function - (lambda (capabilities) - (when (gnus-string-match-p "STARTTLS" capabilities) - "1 STARTTLS\r\n")))) + (let* ((stream-list + (if (eq nnimap-stream 'gssapi) + (open-protocol-stream + "*nnimap*" (current-buffer) nnimap-address + (nnimap-map-port (car ports)) nnimap-user) + (open-protocol-stream + "*nnimap*" (current-buffer) nnimap-address + (nnimap-map-port (car ports)) + :type nnimap-stream + :warn-unless-encrypted t + :return-list t + :shell-command nnimap-shell-program + :capability-command "1 CAPABILITY\r\n" + :always-query-capabilities t + :end-of-command "\r\n" + :success " OK " + :starttls-function + (lambda (capabilities) + (when (gnus-string-match-p "STARTTLS" capabilities) + "1 STARTTLS\r\n"))))) (stream (car stream-list)) (props (cdr stream-list)) (greeting (plist-get props :greeting))

Now I get:

Warning: Opening nnimap server on jochen@jochen.org...failed: ; Unable to open server nnimap+jochen@jochen.org due to: Wrong type argument: listp, #

Any idea how to wire that all together? My limited lisp knowledge isn't
really useful...

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
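Review bot: in the hunk at @@ -65,7 the docstring now lists `gssapi' as a valid value but says nothing about what that mode depends on (the helper in gssapi.el and a usable GSSAPI credential), while the other values are self-explanatory; add a sentence so a user picking `gssapi' from the docstring knows the preconditions, and note that `undecided' still only tries `ssl' and `network'.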
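Review bot: in the hunk at @@ -408,6 the message string "jk:Opening connection to %s via GSSAPI..." still carries the debugging prefix "jk:"; drop it so the message matches the neighbouring "Opening connection to %s via shell..." and "via tls..." messages before this is merged.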
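Review bot: in the hunk at @@ -417,22 the gssapi branch calls `open-protocol-stream' with `nnimap-user' as a fifth positional argument and none of the keyword arguments, so it does not return the `(stream . props)' list that `:return-list t' produces; the following `(car stream-list)' on a plain process object is exactly the "Wrong type argument: listp" error quoted in the mail. Since the only function in gssapi.el is `open-gssapi-stream', that looks like the intended call, and its result then has to be wrapped into the same shape (a list whose car is the stream and whose cdr is a plist with `:greeting' and the capabilities) or the later `(plist-get props :greeting)' and capability handling needs its own branch. The branch also drops `:warn-unless-encrypted t' and the `:starttls-function', so the non-TLS session observed with imtest would be set up silently; either issue STARTTLS before the GSSAPI exchange, as the gsasl transcript does, or keep the warning.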
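As an added illustration (not code from nnimap.el, gssapi.el or this thread), here is the capability-driven policy that the replaced `open-protocol-stream' keywords (`:starttls-function', `:warn-unless-encrypted') express, and that the gssapi branch in the diff skips, written out in Python over constructed capability lines shaped like the ones in the transcript above.

```python
import re
from typing import Optional, Set, Tuple

# Constructed samples shaped like the capability lines in the transcript above:
# the greeting before STARTTLS, and the CAPABILITY response after it.
GREETING_PRE_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED "
                    "AUTH=GSSAPI SASL-IR] jupiter.jochen.org Cyrus IMAP server ready")
CAPS_POST_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN "
                 "AUTH=GSSAPI SASL-IR COMPRESS=DEFLATE IDLE")

# Either "[CAPABILITY ...]" inside an untagged OK, or a bare "* CAPABILITY ..." line.
_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]*)\]|^\* CAPABILITY (.*)$")


def parse_capabilities(line: str) -> Set[str]:
    """Return the capability atoms advertised in a greeting or CAPABILITY response."""
    m = _CAP_RE.search(line)
    if not m:
        raise ValueError("no CAPABILITY data in: " + line)
    return set((m.group(1) if m.group(1) is not None else m.group(2)).split())


def next_step(caps: Set[str], encrypted: bool) -> Tuple[str, Optional[str]]:
    """Choose the next client command and an optional warning.

    The policy mirrors what nnimap's open-protocol-stream keywords express:
    upgrade with STARTTLS whenever it is offered, prefer GSSAPI, and never
    send a password over a cleartext connection.  A GSSAPI exchange on a
    cleartext connection is allowed (no password crosses the wire) but is
    flagged, like :warn-unless-encrypted does.
    """
    if not encrypted and "STARTTLS" in caps:
        return "STARTTLS", None
    if "AUTH=GSSAPI" in caps:
        warning = None if encrypted else "GSSAPI over an unencrypted connection"
        return "AUTHENTICATE GSSAPI", warning
    if not encrypted:
        raise RuntimeError("refusing password authentication without TLS")
    if "AUTH=PLAIN" in caps:
        return "AUTHENTICATE PLAIN", None
    if "LOGINDISABLED" not in caps:
        return "LOGIN", None
    raise RuntimeError("no acceptable authentication mechanism offered")


if __name__ == "__main__":
    caps = parse_capabilities(GREETING_PRE_TLS)
    print(next_step(caps, encrypted=False))   # ('STARTTLS', None)
    caps = parse_capabilities(CAPS_POST_TLS)
    print(next_step(caps, encrypted=True))    # ('AUTHENTICATE GSSAPI', None)
```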