From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/86776
Path: news.gmane.org!not-for-mail
From: Jochen Hein <jochen@jochen.org>
Newsgroups: gmane.emacs.gnus.general
Subject: Re: gssapi authentication for nnimap
Date: Sun, 07 Feb 2016 18:16:35 +0100
Message-ID: <83a8ncfnkc.fsf@echidna.jochen.org>
References: <87oaecan6t.fsf@mid.deneb.enyo.de> <87d1sanxyx.fsf@gnus.org>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1454871305 1197 80.91.229.3 (7 Feb 2016 18:55:05 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 7 Feb 2016 18:55:05 +0000 (UTC)
Cc: Florian Weimer <fw@deneb.enyo.de>, ding@gnus.org
To: Lars Ingebrigtsen <larsi@gnus.org>
Original-X-From: ding-owner+M35001@lists.math.uh.edu Sun Feb 07 19:54:54 2016
Return-path: <ding-owner+M35001@lists.math.uh.edu>
Envelope-to: ding-account@gmane.org
Original-Received: from lists1.math.uh.edu ([129.7.128.208])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <ding-owner+M35001@lists.math.uh.edu>)
	id 1aSUU0-000391-9m
	for ding-account@gmane.org; Sun, 07 Feb 2016 19:54:52 +0100
Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu)
	by lists1.math.uh.edu with smtp (Exim 4.85)
	(envelope-from <ding-owner+M35001@lists.math.uh.edu>)
	id 1aSUTj-0002R0-1o; Sun, 07 Feb 2016 12:54:35 -0600
Original-Received: from mx2.math.uh.edu ([129.7.128.33])
	by lists1.math.uh.edu with esmtps (TLSv1.2:AES128-GCM-SHA256:128)
	(Exim 4.85)
	(envelope-from <jochen@jochen.org>)
	id 1aST0c-0001eb-03
	for ding@lists.math.uh.edu; Sun, 07 Feb 2016 11:20:26 -0600
Original-Received: from quimby.gnus.org ([80.91.231.51])
	by mx2.math.uh.edu with esmtps (TLSv1.2:DHE-RSA-AES128-SHA:128)
	(Exim 4.85)
	(envelope-from <jochen@jochen.org>)
	id 1aST0X-0007Qs-7u
	for ding@lists.math.uh.edu; Sun, 07 Feb 2016 11:20:25 -0600
Original-Received: from smtp.dinoex.de ([188.40.204.4] ident=root)
	by quimby.gnus.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <jochen@jochen.org>)
	id 1aST0V-00067C-1v; Sun, 07 Feb 2016 18:20:19 +0100
Original-Received: from smtp.dinoex.de (uucp@smtp.dinoex.de [188.40.204.4])
	by smtp.dinoex.de (8.15.2/8.15.1) with ESMTPS id u17HK4m3054947
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
	Sun, 7 Feb 2016 18:20:05 +0100 (CET)
	(envelope-from jochen@jochen.org)
Original-Received: (from uucp@localhost)
	by smtp.dinoex.de (8.15.2/8.15.1/Submit) with UUCP id u17HK4Wt054946;
	Sun, 7 Feb 2016 18:20:04 +0100 (CET)
	(envelope-from jochen@jochen.org)
Original-Received: from echidna.jochen.org (echidna.jochen.org [IPv6:fd23:e163:19f7:1234:222:4dff:fe7c:d76a])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by jupiter.jochen.org (Postfix) with ESMTPSA id 0382A16F;
	Sun,  7 Feb 2016 18:16:35 +0100 (CET)
X-Message-Flag: This space is intentionally left blank
In-Reply-To: <87d1sanxyx.fsf@gnus.org> (Lars Ingebrigtsen's message of "Sat,
	06 Feb 2016 17:40:06 +1100")
User-Agent: Gnus/5.130013 (Ma Gnus v0.13) Emacs/24.4 (gnu/linux)
X-Milter: Spamilter (Reciever: smtp.dinoex.de; Sender-ip: 188.40.204.4; Sender-helo: smtp.dinoex.de;)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (smtp.dinoex.de [188.40.204.4]); Sun, 07 Feb 2016 18:20:06 +0100 (CET)
X-Spam-Score: -1.9 (-)
List-ID: <ding.gnus.org>
Precedence: bulk
Xref: news.gmane.org gmane.emacs.gnus.general:86776
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/86776>

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Florian Weimer <fw@deneb.enyo.de> writes:
>
>> In the past, it was possible to authenticate to an IMAP server using
>> GSSAPI (over a TLS connection).  This enabled me to use an active
>> Kerberos ticket to authenticate to a Zimbra email server.  The old way
>> of configuring this no longer works.  Is there a replacement?
>
> I think somebody was working on this?  But I don't recall what the
> outcome was.  Anybody remember?

I've recently tried it.  The following worked for me:

(setq gnus-secondary-select-methods
      '((nnml "private")
              (nnimap "jochen@jochen.org"
                (nnimap-expunge t)
                (nnimap-stream shell)
                (nnimap-shell-program "echo -e '* PREAUTH\r\n'; imtest %s %p -m GSSAPI")
                (nnimap-address "imap.jochen.org"))
...

We should remove references in the gnus manual to gssapi or reference
nnimap-shell-program.  I'm not sure that the following gssapi options
would be still useful:

    `:stream'
              What stream to use for connecting to the server, this is one
              of the symbols in `imap-stream-alist'.  Right now, this means
              `gssapi', `kerberos4', `starttls', `tls', `ssl', `shell' or
              the default `network'.

    `:authentication'
              Which authenticator to use for authenticating to the server,
              this is one of the symbols in `imap-authenticator-alist'.
              Right now, this means `gssapi', `kerberos4', `digest-md5',
              `cram-md5', `anonymous' or the default `login'.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.