From: "Adam Sjøgren" <asjo@koldfront.dk>
To: ding@gnus.org
Subject: Re: Trying to use gnus-cloud: what's the pinentry dialog? (and how can I get rid of it?)
Date: Tue, 05 Oct 2021 17:02:15 +0200
Message-ID: <878rz7bjm0.fsf@tullinup.koldfront.dk>
In-Reply-To: <877deryibz.fsf@gmail.com>
Robert writes:
> --without-pop --with-kerberos doesn't make a great deal of sense,
> since the only C code that depends on kerberos in emacs is in
> src/pop.c
I was hoping to get Kerberos support in url.el at one point and the
optimist in me thought "I probably just have to enable this option".
At a later point I started hacking away at lisp/url/url-auth.el to add
Negotiate auth support, but I couldn't find any way to call the needed
Kerberos functions to generate an initial context token, so I ended up
using a Perl script using GSSAPI as a crutch instead:
= = =
diff --git a/lisp/url/url-auth.el b/lisp/url/url-auth.el
index f291414e81b..b6fd4660291 100644
--- a/lisp/url/url-auth.el
+++ b/lisp/url/url-auth.el
@@ -445,6 +445,44 @@ url-digest-auth
(if key
(url-digest-auth-build-response key href realm attrs)))))
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;; Negotiate authorization code
+;;; ------------------------
+;;; This implements the Negotiate authorization type; only the
+;;; SPNEGO-bases Kerberos part. See RFC 4559
+;;; https://www.ietf.org/rfc/rfc4559.txt for the complete
+;;; documentation on this type.
+;;;
+;;; This is somewhat secure
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(defun url-negotiate-auth-build-response (url attrs)
+ "Compute authorization string for SPNEGO-based Kerberos.
+
+base64 encoding of an InitialContextToken as defined in
+RFC2743, from SPNEGO GSSAPI.
+
+The NTLM part is not implemented"
+ (let ((token (shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url)))))
+ (concat
+ "Negotiate "
+ token)))
+
+(defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
+ "Get the HTTP Negotiate response string for the specified URL.
+
+Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the
+Negotiate method.
+
+Alist ATTRS contains additional attributes for the authentication
+challenge such as nonce and opaque."
+ (if attrs
+ (let* ((href (if (stringp url) (url-generic-parse-url url) url))
+ (enable-recursive-minibuffers t))
+ (url-negotiate-auth-build-response href attrs))))
+
+;;; End of Negotiate
+
(defvar url-registered-auth-schemes nil
"A list of the registered authorization schemes and various and sundry
information associated with them.")
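Review bot: in url-negotiate-auth-build-response the host name is spliced unquoted into a shell command string, `(shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url)))`, so a URL whose host part carries shell metacharacters is interpreted by the shell rather than passed to the helper; wrap it in `shell-quote-argument`, or better use `call-process` with the host as a separate argument, and move the hard-coded `/home/adsj/bin/...` path into a defcustom. Smaller points in the same hunk: the header comment says "SPNEGO-bases" (should be "SPNEGO-based") and "This is somewhat secure" should state what is and is not checked; the `enable-recursive-minibuffers` binding in url-negotiate-auth is unused since the Negotiate path never prompts; and the docstring promises base64 of an InitialContextToken but nothing verifies that the script's output is non-empty before it is sent as `"Negotiate "` plus the string.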
diff --git a/lisp/url/url.el b/lisp/url/url.el
index a6565e2cdb6..5d5b8b03ea8 100644
--- a/lisp/url/url.el
+++ b/lisp/url/url.el
@@ -64,6 +64,7 @@ url-do-setup
;; Register all the authentication schemes we can handle
(url-register-auth-scheme "basic" nil 4)
(url-register-auth-scheme "digest" nil 7)
+ (url-register-auth-scheme "negotiate" nil 9)
(setq url-cookie-file
(or url-cookie-file
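Review bot: registering "negotiate" with rating 9 ranks it above digest (7) and basic (4), so it is chosen whenever a server offers it alongside the others, even on a machine with no Kerberos credential cache, where the helper then fails; a short comment next to the three registrations explaining why 9 was chosen, or a check that the helper exists before preferring the scheme, would make the ordering deliberate rather than incidental.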
= = =
The Perl script being:
= = =
#!/usr/bin/perl
# Print a base64-encoded GSS-API initial context token for HTTP@<host>,
# suitable for an "Authorization: Negotiate ..." header.
use strict;
use warnings;
use MIME::Base64;
use GSSAPI;

my $host = $ARGV[0];
die "Must supply hostname" if (!defined $host);

# Import the target name as a host-based service name, HTTP@host.
my $target;
my $status = GSSAPI::Name->import($target, 'HTTP@' . $host, GSSAPI::OID::gss_nt_hostbased_service);
die "Name import failed: $status" if ($status->major != GSS_S_COMPLETE);

# Display the imported name; only used to confirm the import succeeded.
my $tname;
$status = $target->display($tname);
die "Status display failed: $status" if ($status->major != GSS_S_COMPLETE);

# Initiate a Kerberos 5 context with replay detection, mutual auth and delegation.
my $ctx = GSSAPI::Context->new();
my $imech = GSSAPI::OID::gss_mech_krb5;
my $iflags = GSS_C_REPLAY_FLAG;
$iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
my $creds = GSS_C_NO_CREDENTIAL;   # use the default credential cache
my $itime = 0;                      # default context lifetime
my $otoken;
my $itoken = q{}; # prev WWW-Authenticate ...

# First round of init: an empty input token yields the initial context token.
$status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings, $itoken, undef, $otoken, undef, undef);
if ($status->major == GSS_S_COMPLETE or $status->major == GSS_S_CONTINUE_NEEDED) {
    print encode_base64($otoken, "");   # no trailing newline
}
else {
    die "Fail: $status";
}
= = =
This allows my Gnus to show images from internal servers that use
Kerberos for Single Sign On at work, which is nice.
If only I could figure out how to make the token within url-auth.el,
that would be cool...
Best regards,
Adam
--
"Mr. Cotton's... parrot. Same question." Adam Sjøgren
asjo@koldfront.dk
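The client side of the exchange that the url-auth.el patch above wires up, written in Python as an added example (it is neither Adam's code nor part of Emacs). It shows the three pieces the patch combines: choosing the scheme by the same ratings the url.el hunk registers (basic 4, digest 7, negotiate 9), invoking an external token generator such as the Perl script with the host as a separate argv element rather than a concatenated shell string, and checking that what comes back is framed as a GSS-API InitialContextToken (RFC 2743 section 3.1) before it is sent in the Authorization header. The helper path and the optional continuation-token argument are assumptions; the script in the message takes only the host, and the tokens built here are constructed for offline testing, not real Kerberos tokens.

```python
"""Client side of HTTP Negotiate (RFC 4559), written as an added example."""
import base64
import re
import subprocess

# Ratings as registered in the url.el hunk: basic 4, digest 7, negotiate 9.
SCHEME_RATINGS = {"basic": 4, "digest": 7, "negotiate": 9}

# RFC 2743 section 3.1 InitialContextToken: DER [APPLICATION 0] tag 0x60, a
# length, then the mechanism OID.  SPNEGO is 1.3.6.1.5.5.2 and Kerberos 5 is
# 1.2.840.113554.1.2.2; these are their DER encodings.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")

# RFC 1123 style host name: labels of letters, digits and inner hyphens only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse_challenges(header_values):
    """Turn WWW-Authenticate values (one scheme per value) into
    (scheme, parameter) pairs.  'Negotiate' alone and 'Negotiate <b64>'
    both occur; the latter carries a continuation token from the server."""
    challenges = []
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        challenges.append((scheme.lower(), rest.strip()))
    return challenges


def pick_scheme(challenges):
    """Pick the offered scheme with the highest rating, as url.el's registry
    does.  Returns (scheme, parameter), or None if nothing offered is known."""
    offered = [(SCHEME_RATINGS[s], s, p) for s, p in challenges if s in SCHEME_RATINGS]
    if not offered:
        return None
    _, scheme, param = max(offered)
    return scheme, param


def run_token_helper(helper_path, host, in_token_b64=""):
    """Run an external token generator (hypothetical helper path, in the role
    of the Perl script) with HOST as its own argv element, so a host containing
    shell metacharacters is never interpreted by a shell.  The continuation
    token argument is an assumption; the script in the message takes only host."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing to pass non-hostname to helper: {host!r}")
    argv = [helper_path, host]
    if in_token_b64:
        argv.append(in_token_b64)
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def _der_length(n):
    """DER length octets for N (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_contents(buf):
    """Skip the DER length octets at the start of BUF and return the contents."""
    first = buf[0]
    if first < 0x80:
        return buf[1:1 + first]
    n = first & 0x7F
    length = int.from_bytes(buf[1:1 + n], "big")
    return buf[1 + n:1 + n + length]


def mechanism_of_token(token_b64):
    """Return 'SPNEGO' or 'Kerberos 5' when TOKEN_B64 is a base64 DER
    InitialContextToken carrying one of those OIDs; raise ValueError otherwise.
    This checks framing only; the token is not validated cryptographically."""
    raw = base64.b64decode(token_b64, validate=True)
    if not raw or raw[0] != 0x60:
        raise ValueError("missing [APPLICATION 0] tag; not an InitialContextToken")
    contents = _der_contents(raw[1:])
    for name, oid in (("SPNEGO", SPNEGO_OID), ("Kerberos 5", KRB5_OID)):
        if contents.startswith(oid):
            return name
    raise ValueError("unrecognised mechanism OID in InitialContextToken")


def build_authorization(token_b64):
    """The header value url-negotiate-auth-build-response produces, refusing
    to send output from the helper that is not a framed context token."""
    mechanism_of_token(token_b64)
    return "Negotiate " + token_b64


def constructed_token(mech_oid, payload=b"\x00" * 8):
    """A constructed (not real) InitialContextToken for offline testing."""
    body = mech_oid + payload
    return base64.b64encode(b"\x60" + _der_length(len(body)) + body).decode()


if __name__ == "__main__":
    # Constructed challenge: the server offers Basic and Negotiate; ratings pick Negotiate.
    chosen = pick_scheme(parse_challenges(['Basic realm="intranet"', "Negotiate"]))
    print(chosen, build_authorization(constructed_token(SPNEGO_OID)))
```

To plug in the real Perl script, pass its path as `helper_path` and feed the result to `build_authorization`; the framing check then rejects an empty string or an error message that the script might print instead of a token, which the Elisp in the patch would otherwise send verbatim.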