From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: [PATCH] GSSAPI authentication for nnimap
Date: Sat, 13 Feb 2016 17:50:51 +1100
Message-ID: <87oablkss4.fsf@gnus.org>
References: <87oaecan6t.fsf@mid.deneb.enyo.de> <87d1sanxyx.fsf@gnus.org> <83a8ncfnkc.fsf@echidna.jochen.org> <8737t3g4hk.fsf@gnus.org> <831t8mgbpi.fsf@echidna.jochen.org> <87io1ykh0h.fsf@linux-m68k.org> <83vb5yhjpo.fsf@echidna.jochen.org> <87wpqeix2s.fsf@linux-m68k.org> <83zivammhs.fsf@echidna.jochen.org> <83wpqd4pk6.fsf@echidna.jochen.org> <87egcl795w.fsf@gnus.org> <834mdfdo0c.fsf_-_@echidna.jochen.org>
To: Jochen Hein
Cc: Andreas Schwab, ding@gnus.org, Florian Weimer
In-Reply-To: <834mdfdo0c.fsf_-_@echidna.jochen.org> (Jochen Hein's message of "Thu, 11 Feb 2016 20:51:15 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)

Jochen Hein writes:

> The following patches add GSSAPI support to nnimap. I'll comment what I
> did and why above each patch. I'm currently cloning the emacs
> repository and I hope to forward port the patches and add/adapt the
> documentation accordingly.

Great!

> This post is to gather feedback concerning the design and the lisp
> code. Do we need ChangeLog patches as well to apply the patches to
> current emacs? Right now I've not worked on updates to the gnus
> manual.

We don't need ChangeLog patches any more, but we generate "ChangeLog-style"
git commits instead. Basically, just use `C-x 4 a', and type in the change
as usual, and then when checking in, vc-mode will snarf those entries into
the commit buffer.

> The first patch is against gssapi.el from Ma Gnus v0.15, the latest gnus
> release. I've removed the options "--authentication-id" from gsasl and
> "-u" from imtest invocations. If somebody needs these, we could add the
> user parameter back to open-gssapi-stream as an optional parameter.
> That way open-network-stream could still call open-gssapi-stream without
> changes, other users can pass a username. I'm not sure if the username
> is really needed - my usecase works fine without.

There's no user name in the default gssapi-program, at least...

> If we don't want to add an optional parameter or need to pass the
> username from nnimap.el to network-stream.el and finally to gssapi.el,
> we could add a property like :gssapi-user to the call to
> open-network-stream and pass that to open-gssapi-stream.

It would be nice if we didn't, but that's a possibility.

> The second change is removing the call to erase buffer. That way the
> function open-network-stream-gssapi in network-stream.el can fetch the
> greeting and capabilities string from the buffer.
>
> I currently know of one difference between gsasl and imtest: connections
> with gsasl use TLS, imtest doesn't. If we want that, we can add '-t ""'
> to the imtest call according to the imtest manpage:
>
>   -t keyfile
>          Enable TLS. keyfile contains the TLS public and
>          private keys. Specify "" to negotiate a TLS
>          encryption layer but not use TLS authentication.
>
> Another option could be to handle STARTTLS in
> network-stream-open-gssapi. For my usecase I'll use gsasl, so I've not
> added code for that.

Hm... it would have been nice if this all went through our normal TLS
functions, so that the user could be given the opportunity to use the
network security manager in Emacs, which handles certificate errors and
the like. So I think it would be very nice if network-stream-open-gssapi
handled TLS itself.

> Any comments?

I think everything looked very nice. :-)

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
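As an added illustration of the point Lars makes about letting the Network Security Manager see the certificate (this is not code from the thread, from Jochen's patches, or from Gnus/Emacs itself), the hypothetical function below opens the IMAP connection through open-network-stream with :type 'starttls. That path sends the IMAP STARTTLS command, upgrades the socket with Emacs's normal TLS machinery, and runs NSM's certificate checks, so the GSSAPI exchange (out of scope here and left to a caller) would run over a link the user has already been given a chance to vet. The function name my-gssapi-imap-open and the tag "1" are assumptions; open-network-stream and its keyword arguments are the real Emacs API (Emacs 24.1 or later), and the value 'tls for the returned :type is taken from how nnimap checks it.

```elisp
;; Added example, not part of the original thread or of the patches.
;; Assumes Emacs 24.1+ (open-network-stream with :type and :return-list).

(defun my-gssapi-imap-open (name buffer host port)
  "Open an IMAP connection to HOST:PORT and upgrade it to TLS via STARTTLS.
The upgrade goes through open-network-stream, so the Network Security
Manager inspects the server certificate just as for any other TLS
connection in Emacs.  Returns (STREAM GREETING CAPABILITIES TYPE); the
greeting and capabilities are the ones read before the upgrade, so a
caller can look for AUTH=GSSAPI in CAPABILITIES before authenticating.
Signals an error, and closes the socket, if TLS could not be negotiated."
  (let* ((result
          (open-network-stream
           name buffer host port
           ;; 'starttls (unlike 'network) makes the upgrade mandatory.
           :type 'starttls
           ;; With :return-list the result is (STREAM . PLIST) where the
           ;; plist carries :greeting, :capabilities, :type and :error.
           :return-list t
           ;; IMAP commands are tagged; "1" is the tag assumed here.
           :capability-command "1 CAPABILITY\r\n"
           :end-of-command "\r\n"
           :success " OK "
           ;; Called with the CAPABILITY reply; return the STARTTLS
           ;; command only if the server advertises it.
           :starttls-function
           (lambda (capabilities)
             (when (string-match-p "STARTTLS" capabilities)
               "1 STARTTLS\r\n"))))
         (stream (car result))
         (plist (cdr result)))
    ;; 'tls here is an assumption taken from nnimap's own check of :type.
    (unless (eq (plist-get plist :type) 'tls)
      (when stream (delete-process stream))
      (error "Could not negotiate TLS with %s: %s" host
             (or (plist-get plist :error) "server does not offer STARTTLS")))
    (list stream
          (plist-get plist :greeting)
          (plist-get plist :capabilities)
          (plist-get plist :type))))

;; Usage (hypothetical host): evaluate in a scratch buffer and inspect
;; the returned list; a certificate NSM objects to is raised interactively.
;; (my-gssapi-imap-open "imap" (get-buffer-create " *imap*") "imap.example.org" 143)
```

Contrast this with imtest -t "": that negotiates a TLS layer inside the external helper, where Emacs never sees the certificate and NSM's policy (nsm-security-level, the per-host exceptions the user has saved) cannot apply.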