Gnus development mailing list
From: Lars Ingebrigtsen <larsi@gnus.org>
To: Jochen Hein <jochen@jochen.org>
Cc: Andreas Schwab <schwab@linux-m68k.org>,
	 ding@gnus.org,  Florian Weimer <fw@deneb.enyo.de>
Subject: Re: [PATCH] GSSAPI authentication for nnimap
Date: Sat, 13 Feb 2016 17:50:51 +1100
Message-ID: <87oablkss4.fsf@gnus.org>
In-Reply-To: <834mdfdo0c.fsf_-_@echidna.jochen.org> (Jochen Hein's message of "Thu, 11 Feb 2016 20:51:15 +0100")

Jochen Hein <jochen@jochen.org> writes:

> The following patches add GSSAPI support to nnimap.  I'll comment what I
> did and why above each patch.  I'm currently cloning the emacs
> repository and I hope to forward port the patches and add/adapt the
> documentation accordingly.

Great!

> This post is to gather feedback concerning the design and the lisp
> code.  Do we need ChangeLog patches as well to apply the patches to
> current emacs?  Right now I've not worked on updates to the gnus
> manual.

We don't need ChangeLog patches any more, but we generate
"ChangeLog-style" git commits instead.  Basically, just use `C-x 4 a',
and type in the change as usual, and then when checking in, vc-mode will
snarf those entries into the commit buffer.

> The first patch is against gssapi.el from Ma Gnus v0.15, the latest gnus
> release.  I've removed the options "--authentication-id" from gsasl and
> "-u" from imtest invocations.  If somebody needs these, we could add the
> user parameter back to open-gssapi-stream as an optional parameter.
> That way open-network-stream could still call open-gssapi-stream without
> changes, other users can pass a username.  I'm not sure if the username
> is really needed - my use case works fine without.

There's no user name in the default gssapi-program, at least...

> If we don't want to add an optional parameter or need to pass the
> username from nnimap.el to network-stream.el and finally to gssapi.el,
> we could add a property like :gssapi-user to the call to
> open-network-stream and pass that to open-gssapi-stream.

It would be nice if we didn't, but that's a possibility.

> The second change is removing the call to erase buffer.  That way the
> function open-network-stream-gssapi in network-stream.el can fetch the
> greeting and capabilities string from the buffer.
>
> I currently know of one difference between gsasl and imtest: connections
> with gsasl use TLS, imtest doesn't.  If we want that, we can add '-t ""'
> to the imtest call according to the imtest manpage:
>
>        -t keyfile
>                      Enable TLS.  keyfile contains the TLS public and
>                      private keys.  Specify "" to negotiate a TLS
>                      encryption layer but not use TLS authentication.
>
> Another option could be to handle STARTTLS in
> network-stream-open-gssapi.  For my use case I'll use gsasl, so I've not
> added code for that.

Hm...  it would have been nice if this all went through our normal TLS
functions, so that the user could be given the opportunity to use the
network security manager in Emacs, which handles certificate errors and
the like.  So I think it would be very nice if
network-stream-open-gssapi handled TLS itself.

> Any comments?

I think everything looked very nice.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
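
Added example (not part of this message or of the patch under review):
one way to order the steps discussed above, reading the capabilities
from the text left in the process buffer and requiring STARTTLS before
AUTHENTICATE GSSAPI.  The my/ function names, the refuse-cleartext
policy and the sample server lines are assumptions made for
illustration.

```elisp
;; Added illustration; the my/ names are hypothetical and the sample
;; server lines are constructed.
(require 'cl-lib)

(defun my/imap-capabilities (text)
  "Return the upcased capability tokens found in server output TEXT.
Accepts \"* OK [CAPABILITY ...]\" greetings and untagged
\"* CAPABILITY ...\" responses."
  (let ((case-fold-search t)
        (start 0)
        caps)
    (while (string-match
            (concat "^\\* \\(?:\\(?:OK\\|PREAUTH\\) \\[CAPABILITY "
                    "\\([^]\r\n]*\\)\\]"
                    "\\|CAPABILITY \\([^\r\n]*\\)\\)")
            text start)
      (setq start (match-end 0))
      (dolist (tok (split-string (or (match-string 1 text)
                                     (match-string 2 text))
                                 " " t))
        (cl-pushnew (upcase tok) caps :test #'string=)))
    caps))

(defun my/imap-gssapi-next-step (text tls-active)
  "Return a symbol naming the next step, given server output TEXT.
TLS-ACTIVE is non-nil once the TLS handshake has completed.  TEXT
read before the handshake is not integrity-protected, so the caller
must issue CAPABILITY again after STARTTLS and pass the new output."
  (let ((caps (my/imap-capabilities text)))
    (cond
     ((and (not tls-active) (member "STARTTLS" caps)) 'starttls)
     ;; Assumed policy: never start authentication on a cleartext link.
     ((not tls-active) 'refuse-cleartext)
     ((member "AUTH=GSSAPI" caps) 'authenticate-gssapi)
     (t 'no-gssapi))))

;; Constructed sample input: a cleartext greeting, then the
;; capabilities re-read after the TLS handshake.
(defconst my/sample-cleartext-greeting
  "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n")
(defconst my/sample-post-tls-capability
  "* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN\r\n1 OK done\r\n")

(list (my/imap-gssapi-next-step my/sample-cleartext-greeting nil)
      (my/imap-gssapi-next-step my/sample-post-tls-capability t))
```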


