From: Jochen Hein
Newsgroups: gmane.emacs.gnus.general
Subject: Re: gssapi authentication for nnimap
Date: Tue, 09 Feb 2016 21:05:45 +0100
Message-ID: <83wpqd4pk6.fsf@echidna.jochen.org>
References: <87oaecan6t.fsf@mid.deneb.enyo.de> <87d1sanxyx.fsf@gnus.org> <83a8ncfnkc.fsf@echidna.jochen.org> <8737t3g4hk.fsf@gnus.org> <831t8mgbpi.fsf@echidna.jochen.org> <87io1ykh0h.fsf@linux-m68k.org> <83vb5yhjpo.fsf@echidna.jochen.org> <87wpqeix2s.fsf@linux-m68k.org> <83zivammhs.fsf@echidna.jochen.org>
In-Reply-To: <83zivammhs.fsf@echidna.jochen.org> (Jochen Hein's message of "Tue, 09 Feb 2016 07:22:23 +0100")
To: Andreas Schwab
Cc: ding@gnus.org, Lars Ingebrigtsen, Florian Weimer
User-Agent: Gnus/5.130015 (Ma Gnus v0.15) Emacs/24.4 (gnu/linux)

Jochen Hein writes:

I've got a few steps further - I seem to be able to authenticate with
GSSAPI. Here's what I've done right now:

First the log from *Messages*:

Opening nnimap server on jochen@jochen.org...
jk:Opening connection to imap.jochen.org via GSSAPI...
Opening GSSAPI connection with `gsasl %s %p --mechanism GSSAPI --authentication-id %l'...
GSSAPI connection: Client authentication finished (server trusted)...
YYY ...
ZZZ ...
Unable to open server nnimap+jochen@jochen.org due to: Wrong type argument: stringp, nil
Opening nnimap server on jochen@jochen.org...failed:

Right now I have the following diff to nnimap.el. The second hunk
hardcodes the imap port number - I didn't get that to work otherwise.
In the third hunk I call open-gssapi-stream directly -
open-protocol-stream doesn't handle the nnimap-user. Should that be
added to open-protocol-stream?

diff --git a/lisp/nnimap.el b/lisp/nnimap.el index 05251ed..d11f4d0 100644 --- a/lisp/nnimap.el +++ b/lisp/nnimap.el @@ -65,7 +65,7 @@ it will default to `imap'.") (defvoo nnimap-stream 'undecided "How nnimap talks to the IMAP server. The value should be either `undecided', `ssl' or `tls', -`network', `starttls', `plain', or `shell'. +`network', `starttls', `plain', `gssapi' or `shell'. If the value is `undecided', nnimap tries `ssl' first, then falls back on `network'.") @@ -408,6 +408,10 @@ textual parts.") (nnheader-message 7 "Opening connection to %s via shell..." nnimap-address) '("imap")) + ((eq nnimap-stream 'gssapi) + (nnheader-message 7 "jk:Opening connection to %s via GSSAPI..." + nnimap-address) + '(143)) ((memq nnimap-stream '(ssl tls)) (nnheader-message 7 "Opening connection to %s via tls..." nnimap-address)
@@ -417,28 +421,33 @@ textual parts.") login-result credentials) (when nnimap-server-port (push nnimap-server-port ports)) - (let* ((stream-list - (open-protocol-stream - "*nnimap*" (current-buffer) nnimap-address - (nnimap-map-port (car ports)) - :type nnimap-stream - :warn-unless-encrypted t - :return-list t - :shell-command nnimap-shell-program - :capability-command "1 CAPABILITY\r\n" - :always-query-capabilities t - :end-of-command "\r\n" - :success " OK " - :starttls-function - (lambda (capabilities) - (when (gnus-string-match-p "STARTTLS" capabilities) - "1 STARTTLS\r\n")))) + (let* ((stream-list + (if (eq nnimap-stream 'gssapi) + (list (open-gssapi-stream + "*nnimap*" (current-buffer) nnimap-address + (nnimap-map-port (car ports)) nnimap-user)) + (open-protocol-stream + "*nnimap*" (current-buffer) nnimap-address + (nnimap-map-port (car ports)) + :type nnimap-stream + :warn-unless-encrypted t + :return-list t + :shell-command nnimap-shell-program + :capability-command "1 CAPABILITY\r\n" + :always-query-capabilities t + :end-of-command "\r\n" + :success " OK " + :starttls-function + (lambda (capabilities) + (when (gnus-string-match-p "STARTTLS" capabilities) + "1 STARTTLS\r\n"))))) (stream (car stream-list)) (props (cdr stream-list)) (greeting (plist-get props :greeting)) (capabilities (plist-get props :capabilities)) (stream-type (plist-get props :type))) (when (and stream (not (memq (process-status stream) '(open run)))) + (nnheader-message 7 "XXX ...") (setq stream nil)) (when (and (fboundp 'set-network-process-option) ;; Not in XEmacs. 
@@ -450,12 +459,14 @@ textual parts.") (setf (nnimap-process nnimap-object) stream) (setf (nnimap-stream-type nnimap-object) stream-type) + (nnheader-message 7 "YYY ...") (if (not stream) (progn (nnheader-report 'nnimap "Unable to contact %s:%s via %s" nnimap-address (car ports) nnimap-stream) 'no-connect) (gnus-set-process-query-on-exit-flag stream nil) + (nnheader-message 7 "ZZZ ...") (if (not (gnus-string-match-p "[*.] \\(OK\\|PREAUTH\\)" greeting)) (nnheader-report 'nnimap "%s" greeting) ;; Store the greeting (for debugging purposes).

I've sprinkled some messages into the function, which trigger when
connecting as a non-GSSAPI user:

My gnus config for gnus-secondary select methods is:

(require 'gssapi) ; move into which gnus files?

; Read mail via nnml and imap
(setq gnus-secondary-select-methods
      '((nnml "private")
        (nnimap "jochen@jochen.org"
                (nnimap-expunge t)
                (nnimap-stream gssapi)
                (nnimap-user "jochen@jochen.org")
                (nnimap-address "imap.jochen.org"))
[...]

My current guess is that my gssapi-session is already authenticated,
but nnimap-open-connection-1 after "ZZZ" is getting confused somehow.
Some more debugging shows that the next statement fails:

(if (not (gnus-string-match-p "[*.] \\(OK\\|PREAUTH\\)" greeting))
    (nnheader-report 'nnimap "%s" greeting)

That is somewhat expected, since my call to open-gssapi-stream doesn't
set greeting (and I'm almost sure that later capability will also
fail).

Is my current approach ok, or should I massage open-protocol-stream to
handle nnimap-user? Any hints how to proceed?

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
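Review bot: on the first hunk (the nnimap-stream docstring), listing `gssapi' alongside the other values says nothing about what it needs, while the *Messages* log shows this value shelling out to an external program (`gsasl %s %p --mechanism GSSAPI --authentication-id %l'); someone enabling (nnimap-stream gssapi) from the docstring alone cannot tell that gsasl must be installed and that nnimap-user is what gets passed as the authentication id. Suggest one sentence there along the lines of "`gssapi' authenticates through the external `gsasl' program using `nnimap-user' as the identity."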
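Review bot: on the second hunk, '(143) is a bare number while every sibling branch returns a service name such as '("imap"), and the user-visible message still carries the "jk:" debugging prefix. Since nnimap-server-port is pushed onto ports right after this in the third hunk and (car ports) goes through nnimap-map-port anyway, returning '("imap") here would keep the branches consistent and remove the hardcoded port; if open-gssapi-stream only accepts a numeric port, do that conversion at the call site rather than in this list. The "jk:" prefix should be dropped before this is merged.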
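Review bot: on the third hunk, wrapping the open-gssapi-stream result in (list ...) makes props, i.e. (cdr stream-list), nil, so greeting, capabilities and stream-type are all nil on the GSSAPI path; that nil greeting is exactly what raises the "Wrong type argument: stringp, nil" shown in the *Messages* log once the greeting check further down runs. The same branch also bypasses :warn-unless-encrypted t and the :starttls-function, so a session opened on port 143 is never upgraded to TLS by this code and the user is not warned about it. Suggest having the gssapi branch return the same shape open-protocol-stream returns with :return-list t, roughly (stream :greeting <first server line> :capabilities <result of "1 CAPABILITY\r\n"> :type 'gssapi), and either run the capability query on that stream or emit the unencrypted warning explicitly. The (nnheader-message 7 "XXX ...") is leftover debugging.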
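Review bot: on the fourth hunk, the "YYY ..." and "ZZZ ..." nnheader-message calls are debugging output and should not go in; the useful information in this hunk is that the failure sits in the trailing context line, (gnus-string-match-p "[*.] \\(OK\\|PREAUTH\\)" greeting), which is reached with greeting nil on the GSSAPI path. Either guard it, e.g. (not (and greeting (gnus-string-match-p ... greeting))), so that a missing greeting is reported as a connection failure instead of signalling a type error, or, preferably, make the GSSAPI path supply the real server greeting so the OK/PREAUTH check is actually enforced rather than skipped.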