Re: [PATCH] GSSAPI authentication for nnimap

Gnus development mailing list
 help / color / mirror / Atom feed

From: Jochen Hein <jochen@jochen.org>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>,
	ding@gnus.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: [PATCH] GSSAPI authentication for nnimap
Date: Sat, 13 Feb 2016 11:30:25 +0100	[thread overview]
Message-ID: <838u2onbr2.fsf@echidna.jochen.org> (raw)
In-Reply-To: <87oablkss4.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sat, 13 Feb 2016 17:50:51 +1100")

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Jochen Hein <jochen@jochen.org> writes:
>
>> The following patches add GSSAPI support to nnimap.  I'll comment what I
>> did and why above each patch.  I'm currently cloning the emacs
>> repository and I hope to forward port the patches and add/adapt the
>> documentation accordingly.
>
> Great!

Except that nnimap didn't work for me at all - I'll have a look, but
might want to wait after the cleanup frenzy is over :-)  I've also seem
some fixes already...

While you're at it - it might be a good idea to move starttls.el and
gssapi.el from lisp/gnus to lisp/net.  Both are used by
network-stream.el.  tls.el is already there.

There's also net/imap.el - which also claims to handle GSSAPI.  I have
no idea if that's in use anywhere.

>> I currently know of one difference between gsasl and imtest: connections
>> with gsasl use TLS, imtest doesn't.  If we want that, we can add '-t ""'
>> to the imtest call according to the imtest manpage:
>>
>>        -t keyfile
>>                      Enable TLS.  keyfile contains the TLS public and
>>                      private keys.  Specify "" to negotiate a TLS
>>                      encryption layer but not use TLS authentication.
>>
>> Another option could be to handle STARTTLS in
>> network-stream-open-gssapi.  For my usecase I'll use gsasl, so I've not
>> added code for that.
>
> Hm...  it would have been nice if this all went through our normal TLS
> functions, so that the user could be given the opportunity to use the
> network security manager in Emacs, which handles certificate errors and
> the like.  So I think it would be very nice if
> network-stream-open-gssapi handled TLS itself.

That might not work with the current approach:

$ imtest -m gssapi -p imap imap
...
. STARTTLS
. BAD Can't Starttls after authentication

On the other hand I expect that someone doing Single-Sign-On with his
mail server will also have the right SSL-certificates in place.  For
example, both my server and client have been added to a FreeIPA domain.
So I currently contemplate to add '-t ""' to the imtest command in
gssapi.el, because it matches my use case and we'd use STARTTLS in both
commands.  I think we've reached a time where TLS should be enabled by
default.

In list/net I've found sasl*.el - that doesn't do GSSAPI at all, but it
could possibly be implemented there.  But I expect that this is beyond
my minimal elisp skill, so that's something to explore much later.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.

next prev parent reply	other threads:[~2016-02-13 10:30 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-29 14:35 gssapi " Florian Weimer
2016-02-06  6:40 ` Lars Ingebrigtsen
2016-02-07 17:16   ` Jochen Hein
2016-02-08  5:23     ` Lars Ingebrigtsen
2016-02-08  9:51       ` Jochen Hein
2016-02-08 20:59       ` Jochen Hein
2016-02-08 21:51         ` Andreas Schwab
2016-02-08 23:21           ` Jochen Hein
2016-02-08 23:47             ` Andreas Schwab
2016-02-09  6:22               ` Jochen Hein
2016-02-09 20:05                 ` Jochen Hein
2016-02-09 23:31                   ` Lars Ingebrigtsen
2016-02-10  4:16                     ` Jochen Hein
2016-02-10  4:23                       ` Lars Ingebrigtsen
2016-02-10  4:30                       ` Lars Ingebrigtsen
2016-02-10  4:42                         ` Jochen Hein
2016-02-10  4:50                           ` Lars Ingebrigtsen
2016-02-10 21:37                     ` Jochen Hein
2016-02-11 19:51                     ` [PATCH] GSSAPI " Jochen Hein
2016-02-13  6:50                       ` Lars Ingebrigtsen
2016-02-13 10:30                         ` Jochen Hein [this message]
2016-02-14  2:25                           ` Lars Ingebrigtsen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=838u2onbr2.fsf@echidna.jochen.org \
    --to=jochen@jochen.org \
    --cc=ding@gnus.org \
    --cc=fw@deneb.enyo.de \
    --cc=larsi@gnus.org \
    --cc=schwab@linux-m68k.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).