To: ding@gnus.org
From: Adam Sjøgren
Subject: Re: Trying to use gnus-cloud: what's the pinentry dialog? (and how can I get rid of it?)
Date: Tue, 05 Oct 2021 17:02:15 +0200
Organization: koldfront - analysis & revolution, Copenhagen, Denmark
Message-ID: <878rz7bjm0.fsf@tullinup.koldfront.dk>
References: <86ilywektx.fsf@dod.no> <86fsu0k5w3.fsf@dod.no> <86bl4ok58z.fsf@dod.no> <867dfck4g9.fsf@dod.no> <86mto3gwkj.fsf@dod.no> <86v92rwbyw.fsf@dod.no> <86lf3nw6su.fsf@dod.no> <86czozw5mo.fsf@dod.no> <867devd5uu.fsf@dod.no> <8635pjd59t.fsf@dod.no> <86y27b4gmk.fsf@dod.no> <87o887l93u.fsf@ericabrahamsen.net> <86tuhz4cx8.fsf@dod.no> <86k0iujy28.fsf@dod.no> <867deuj9sl.fsf@dod.no> <86wnmsj1f1.fsf@dod.no> <86r1d0isb6.fsf@dod.no> <877dessgaa.fsf@tullinup.koldfront.dk> <877deryibz.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
OpenPGP: id=476630590A231909B0A0961A49D0746121BDE416; url=https://asjo.koldfront.dk/gpg.asc

Robert writes:

> --without-pop --with-kerberos doesnʼt make a great deal of sense,
> since the only C code that depends on kerberos in emacs is in
> src/pop.c

I was hoping to get Kerberos support in url.el at one point, and the
optimist in me thought "I probably just have to enable this option".

At a later point I started hacking away at lisp/url/url-auth.el to add
Negotiate auth support, but I couldn't find any way to call the needed
Kerberos functions to generate an initial context token, so I ended up
using a Perl script using GSSAPI as a crutch instead:

= = =
diff --git a/lisp/url/url-auth.el b/lisp/url/url-auth.el index f291414e81b..b6fd4660291 100644 --- a/lisp/url/url-auth.el +++ b/lisp/url/url-auth.el @@ -445,6 +445,44 @@ url-digest-auth (if key (url-digest-auth-build-response key href realm attrs))))) +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;; Negotiate authorization code +;;; ------------------------ +;;; This implements the Negotiate authorization type; only the +;;; SPNEGO-bases Kerberos part. See RFC 4559 +;;; https://www.ietf.org/rfc/rfc4559.txt for the complete +;;; documentation on this type. +;;; +;;; This is somewhat secure +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +(defun url-negotiate-auth-build-response (url attrs) + "Compute authorization string for SPNEGO-based Kerberos. + +base64 encoding of an InitialContextToken as defined in +RFC2743, from SPNEGO GSSAPI. + +The NTLM part is not implemented" + (let ((token (shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url))))) + (concat + "Negotiate " + token))) + +(defun url-negotiate-auth (url &optional prompt overwrite realm attrs) + "Get the HTTP Negotiate response string for the specified URL. + +Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the +Negotiate method. + +Alist ATTRS contains additional attributes for the authentication +challenge such as nonce and opaque." + (if attrs + (let* ((href (if (stringp url) (url-generic-parse-url url) url)) + (enable-recursive-minibuffers t)) + (url-negotiate-auth-build-response href attrs)))) + +;;; End of Negotiate + (defvar url-registered-auth-schemes nil "A list of the registered authorization schemes and various and sundry information associated with them.") diff --git a/lisp/url/url.el b/lisp/url/url.el index a6565e2cdb6..5d5b8b03ea8 100644 --- a/lisp/url/url.el +++ b/lisp/url/url.el 
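Review bot: url-negotiate-auth-build-response builds a shell command by string concatenation, `(shell-command-to-string (concat "/home/adsj/bin/generate_initialcontexttoken " (url-host url)))`, so the host component of whatever URL produced the Negotiate challenge (for example an image URL embedded in a message) is handed to /bin/sh unquoted; at minimum wrap it in `shell-quote-argument`, and preferably run the helper with `call-process`/`process-lines` with the host as a separate argument so no shell is involved at all. The helper path is also hardcoded to a home directory and belongs in a defcustom. Smaller points in the same hunk: the header comment says "SPNEGO-bases" (should be "SPNEGO-based") and the docstring promises a SPNEGO token, but the helper script below requests gss_mech_krb5 directly, so what is sent is a raw Kerberos InitialContextToken; ATTRS is accepted by both functions but never used; and the let-binding of `enable-recursive-minibuffers` has no effect since nothing here prompts.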
@@ -64,6 +64,7 @@ url-do-setup ;; Register all the authentication schemes we can handle (url-register-auth-scheme "basic" nil 4) (url-register-auth-scheme "digest" nil 7) + (url-register-auth-scheme "negotiate" nil 9) (setq url-cookie-file (or url-cookie-file
= = =

The Perl script being:

= = =
#!/usr/bin/perl
# Print a base64-encoded GSS-API initial context token for the service
# HTTP@<host>, ready to go after "Authorization: Negotiate ".
use strict;
use warnings;
use MIME::Base64;
use GSSAPI;

my $host = $ARGV[0];
die "Must supply hostname" if (!defined $host);

# Import the target service principal as a host-based service name.
my $target;
my $status = GSSAPI::Name->import($target, 'HTTP@' . $host,
                                  GSSAPI::OID::gss_nt_hostbased_service);
die "Name import failed: $status" if ($status->major != GSS_S_COMPLETE);

my $tname;
$status = $target->display($tname);
die "Status display failed: $status" if ($status->major != GSS_S_COMPLETE);

my $ctx = GSSAPI::Context->new();
my $imech = GSSAPI::OID::gss_mech_krb5;   # Kerberos 5 directly, not SPNEGO
# GSS_C_DELEG_FLAG requests credential delegation: the user's TGT is
# forwarded to the web server, which can then obtain tickets in the
# user's name.
my $iflags = GSS_C_REPLAY_FLAG;
$iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
my $creds = GSS_C_NO_CREDENTIAL;   # default credential cache (the kinit ticket)
my $itime = 0;
my $otoken;
my $itoken = q{}; # prev WWW-Authenticate ...

# First (and, for Kerberos, normally the only) context establishment step.
$status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings,
                     $itoken, undef, $otoken, undef, undef);

if ($status->major == GSS_S_COMPLETE or $status->major == GSS_S_CONTINUE_NEEDED) {
    print encode_base64($otoken, "");   # "" = no line breaks, no trailing newline
} else {
    die "Fail: $status";
}
= = =

This allows my Gnus to show images from internal servers that use
Kerberos for Single Sign On at work, which is nice.

If only I could figure out how to make the token within url-auth.el,
that would be cool...


  Best regards,

    Adam

-- 
 "Mr. Cotton's... parrot. Same question."                   Adam Sjøgren
                                                        asjo@koldfront.dk
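As an added example (my own code, not Adam's patch and not part of the Emacs url library): a small Python parser for the RFC 2743 InitialContextToken framing that the helper script prints base64-encoded, so whatever consumes the helper's output can check that it really is a GSS token and which mechanism (raw krb5 or SPNEGO) it carries before putting it on the wire. The sample tokens are constructed inline; a real one comes from GSSAPI.

```python
import base64

# Mechanism OIDs in DER content-octet form.
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
MECH_OIDS = {KRB5_OID: "krb5", SPNEGO_OID: "spnego"}

def _read_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _encode_length(n):
    """DER-encode a length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def parse_initial_context_token(b64):
    """Parse a base64 InitialContextToken (RFC 2743 section 3.1):
    [APPLICATION 0] { mechanism OID, inner token }.  Returns (mech, inner)."""
    buf = base64.b64decode(b64, validate=True)
    if len(buf) < 2 or buf[0] != 0x60:             # [APPLICATION 0], constructed
        raise ValueError("not an InitialContextToken")
    total, pos = _read_length(buf, 1)
    if pos + total != len(buf):
        raise ValueError("outer length does not match token size")
    if total < 2 or buf[pos] != 0x06:              # OBJECT IDENTIFIER tag
        raise ValueError("mechanism OID missing")
    oid_len, pos = _read_length(buf, pos + 1)
    oid = buf[pos:pos + oid_len]
    pos += oid_len
    mech = MECH_OIDS.get(oid)
    if mech is None:
        raise ValueError("unknown mechanism OID " + oid.hex())
    return mech, buf[pos:]

def build_initial_context_token(mech_oid, inner):
    """Wrap INNER in the same framing (constructed sample data, not a real token)."""
    body = b"\x06" + _encode_length(len(mech_oid)) + mech_oid + inner
    return base64.b64encode(b"\x60" + _encode_length(len(body)) + body).decode()
```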