Gnus development mailing list
From: "Adam Sjøgren" <asjo@koldfront.dk>
To: ding@gnus.org
Subject: Re: Trying to use gnus-cloud: what's the pinentry dialog? (and how can I get rid of it?)
Date: Tue, 05 Oct 2021 17:02:15 +0200	[thread overview]
Message-ID: <878rz7bjm0.fsf@tullinup.koldfront.dk> (raw)
In-Reply-To: <877deryibz.fsf@gmail.com>

Robert writes:

> --without-pop --with-kerberos doesn't make a great deal of sense,
> since the only C code that depends on kerberos in emacs is in
> src/pop.c

I was hoping to get Kerberos support in url.el at one point and the
optimist in me thought "I probably just have to enable this option".

At a later point I started hacking away at lisp/url/url-auth.el to add
Negotiate auth support, but I couldn't find any way to call the needed
Kerberos functions to generate an initial context token, so I ended up
using a Perl script using GSSAPI as a crutch instead:

= = =
diff --git a/lisp/url/url-auth.el b/lisp/url/url-auth.el
index f291414e81b..b6fd4660291 100644
--- a/lisp/url/url-auth.el
+++ b/lisp/url/url-auth.el
@@ -445,6 +445,44 @@ url-digest-auth
         (if key
             (url-digest-auth-build-response key href realm attrs)))))
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;; Negotiate authorization code
+;;; ------------------------
+;;; This implements the Negotiate authorization type; only the
+;;; SPNEGO-bases Kerberos part.  See RFC 4559
+;;; https://www.ietf.org/rfc/rfc4559.txt for the complete
+;;; documentation on this type.
+;;;
+;;; This is somewhat secure
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(defun url-negotiate-auth-build-response (url attrs)
+  "Compute authorization string for SPNEGO-based Kerberos.
+
+base64 encoding of an InitialContextToken as defined in
+RFC2743, from SPNEGO GSSAPI.
+
+The NTLM part is not implemented"
+  (let ((token (shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url)))))
+      (concat
+       "Negotiate "
+       token)))
+
+(defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
+  "Get the HTTP Negotiate response string for the specified URL.
+
+Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the
+Negotiate method.
+
+Alist ATTRS contains additional attributes for the authentication
+challenge such as nonce and opaque."
+  (if attrs
+      (let* ((href (if (stringp url) (url-generic-parse-url url) url))
+             (enable-recursive-minibuffers t))
+        (url-negotiate-auth-build-response href attrs))))
+
+;;; End of Negotiate
+
 (defvar url-registered-auth-schemes nil
   "A list of the registered authorization schemes and various and sundry
 information associated with them.")
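Review bot: in `url-negotiate-auth-build-response` the command line is built by string concatenation, `(shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url)))`, so the host component of the URL reaches a shell unquoted; start the helper with `call-process` and the host as a separate argument, or at least wrap it in `shell-quote-argument`. The exit status is not checked either, so if the script dies its error text becomes the value after "Negotiate ". Smaller points: the helper path is hard-coded under /home/adsj, `enable-recursive-minibuffers` is bound but never used, and the header comment has "SPNEGO-bases" for "SPNEGO-based" while "This is somewhat secure" reads like a placeholder.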
diff --git a/lisp/url/url.el b/lisp/url/url.el
index a6565e2cdb6..5d5b8b03ea8 100644
--- a/lisp/url/url.el
+++ b/lisp/url/url.el
@@ -64,6 +64,7 @@ url-do-setup
     ;; Register all the authentication schemes we can handle
     (url-register-auth-scheme "basic" nil 4)
     (url-register-auth-scheme "digest" nil 7)
+    (url-register-auth-scheme "negotiate" nil 9)
 
     (setq url-cookie-file
 	  (or url-cookie-file
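Review bot: with FUNCTION nil, `url-register-auth-scheme` falls back to the handler named `url-negotiate-auth`, which matches the function added in url-auth.el, so the wiring is consistent; but the rating of 9 puts Negotiate ahead of digest (7) and basic (4) for every host that offers it, and the registration is unconditional, so guard it on the external helper being present (e.g. `(when (file-executable-p ...) ...)`) instead of routing every Negotiate challenge through a command that may not exist on the machine.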
= = =

The Perl script being:

= = =
#!/usr/bin/perl
# Print the base64 encoded initial Kerberos context token for the HTTP
# service on the host given as the only argument, using whatever is in
# the default Kerberos credential cache.

use strict;
use warnings;

use MIME::Base64;
use GSSAPI;

my $host=$ARGV[0];
die "Must supply hostname" if (!defined $host);

# Import the target as the host-based service name "HTTP@<host>", which
# the GSSAPI library maps to the HTTP/<fqdn>@REALM service principal.
my $target;
my $status=GSSAPI::Name->import($target, 'HTTP@' . $host, GSSAPI::OID::gss_nt_hostbased_service);
die "Name import failed: $status" if ($status->major != GSS_S_COMPLETE);

my $tname;
$status=$target->display($tname);
die "Status display failed: $status" if ($status->major != GSS_S_COMPLETE);

my $ctx = GSSAPI::Context->new();
# Plain Kerberos mechanism: the header carries a KRB5 GSS token rather
# than a SPNEGO wrapped one.
my $imech = GSSAPI::OID::gss_mech_krb5;

# Context flags.  GSS_C_DELEG_FLAG asks to forward the user's credentials
# to the server, and it is set here for every host the script is called
# with; the commented-out condition suggests it was once gated on
# LWP_AUTHEN_NEGOTIATE_DELEGATE.
my $iflags = GSS_C_REPLAY_FLAG;
$iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
my $creds = GSS_C_NO_CREDENTIAL;  # default credential cache
my $itime = 0;                    # default context lifetime

# First leg of the exchange: there is no input token yet, so init()
# produces the InitialContextToken for "Authorization: Negotiate <b64>".
my $otoken;
my $itoken=q{}; # prev WWW-Authenticate ...
$status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings, $itoken, undef, $otoken, undef, undef);
if ($status->major == GSS_S_COMPLETE or $status->major == GSS_S_CONTINUE_NEEDED) {
    # No trailing newline, so the Lisp side can use the output as is.
    print encode_base64($otoken,"");
}
else {
    die "Fail: $status";
}
= = =

This allows my Gnus to show images from internal servers that use
Kerberos for Single Sign On at work, which is nice.

If only I could figure out how to make the token within url-auth.el,
that would be cool...


  Best regards,

    Adam

-- 
 "Mr. Cotton's... parrot. Same question."                   Adam Sjøgren
                                                       asjo@koldfront.dk

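Added example, not part of Adam's patch or the Perl script above: a version of the helper call that avoids the shell, checks the exit status and only hands out a token for configured domains, since the script requests credential delegation. The helper path, the `my-` names and the `.example.internal` suffix are assumed placeholders.

```elisp
(require 'subr-x)    ; string-trim
(require 'url-parse) ; url-host

(defvar my-negotiate-helper "/path/to/generate_initialcontexttoken"
  "Placeholder path to the GSSAPI helper that prints one base64 token.")

(defvar my-negotiate-domains '(".example.internal")
  "Domain suffixes for which a Negotiate token may be produced.
The helper asks for credential delegation, so the token must not go
to arbitrary hosts that happen to send a Negotiate challenge.")

(defun my-negotiate-host-allowed-p (host)
  "Return non-nil when HOST ends with one of `my-negotiate-domains'."
  (and (stringp host)
       (seq-some (lambda (suffix) (string-suffix-p suffix host t))
                 my-negotiate-domains)))

(defun my-negotiate-token (host)
  "Return the base64 InitialContextToken for HOST, or nil on failure.
The helper is started with `call-process', so HOST is a single argv
entry and is never interpreted by a shell."
  (when (my-negotiate-host-allowed-p host)
    (with-temp-buffer
      (let ((status (condition-case nil
                        (call-process my-negotiate-helper nil t nil host)
                      (file-error nil))))
        (when (eql status 0)
          (let ((token (string-trim (buffer-string))))
            ;; Accept only base64 so a helper error message can never
            ;; end up in the Authorization header.
            (when (string-match-p "\\`[A-Za-z0-9+/]+=*\\'" token)
              token)))))))

(defun my-negotiate-auth-build-response (url)
  "Build the RFC 4559 Authorization value for URL, or nil."
  (let ((token (my-negotiate-token (url-host url))))
    (when token
      (concat "Negotiate " token))))
```

Returning nil instead of a malformed value lets url.el fall through to the next registered scheme rather than sending garbage.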