From: Jochen Hein
Newsgroups: gmane.emacs.gnus.user
Subject: Re: Current state of GSSAPI support?
Date: Fri, 03 Feb 2017 05:26:34 +0100
Message-ID: <83tw8bucg5.fsf@jochen.org>
To: Elias Mårtenson
Cc: info-gnus-english@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
In-Reply-To: Elias Mårtenson's message of "Fri, 3 Feb 2017 11:19:07 +0800"
Xref: news.gmane.org gmane.emacs.gnus.user:18507

Elias Mårtenson writes:

> A few years ago I inquired about Kerberos authentication for Gnus IMAP and
> at the time it was concluded that it had originally worked, but did not
> work anymore.

Yes, I came to the same conclusion last year.
> Before I sink any more time into implementing native GSSAPI support in
> Emacs, could anyone explain to me what the current state of this is, and if
> it might actually be possible to get this to work without me having to
> write a lot of new code?

I posted some patches last year on the emacs list. Unfortunately they
never got integrated - they use external commands to connect, so they
won't be generic streams.

I'll attach the rough patches I have here.

Jochen

Attachment: gnus-gssapi.diff (text/x-diff)

--- network-stream.el.orig 2016-02-11 17:26:06.000000000 +0100 +++ network-stream.el 2016-02-11 18:31:02.000000000 +0100 @@ -44,6 +44,7 @@ (require 'tls) (require 'starttls) +(require 'gssapi) (require 'auth-source) (autoload 'gnutls-negotiate "gnutls") @@ -85,6 +86,7 @@ `tls' -- A TLS connection. `ssl' -- Equivalent to `tls'. `shell' -- A shell connection. + `gssapi' -- a GSSAPI connection. :return-list specifies this function's return value. If omitted or nil, return a process object. A non-nil means to @@ -156,6 +158,7 @@ 'network-stream-open-starttls) ((memq type '(tls ssl)) 'network-stream-open-tls) ((eq type 'shell) 'network-stream-open-shell) + ((eq type 'gssapi) 'network-stream-open-gssapi) (t (error "Invalid connection type %s" type)))) result) (unwind-protect 
@@ -172,6 +175,24 @@ :error (nth 4 result)) (car result)))))) +(defun network-stream-open-gssapi (name buffer host service parameters) + (let* ((start (with-current-buffer buffer (point))) + (capability-command (plist-get parameters :capability-command)) + (eoc (plist-get parameters :end-of-command)) + (eo-capa (or (plist-get parameters :end-of-capability) + eoc)) + (stream (open-gssapi-stream name buffer host service)) + (greeting (network-stream-get-response stream start eoc)) + (capabilities (when capability-command + (network-stream-command stream + capability-command + (or eo-capa eoc))))) + ;; Return (STREAM GREETING CAPABILITIES RESULTING-TYPE) + (list stream + greeting + capabilities + 'gssapi))) + (defun network-stream-certificate (host service parameters) (let ((spec (plist-get :client-certificate parameters))) (cond diff --git a/lisp/gssapi.el b/lisp/gssapi.el index 1f72805..08b2ec3 100644 --- a/lisp/gssapi.el +++ b/lisp/gssapi.el @@ -29,9 +29,8 @@ (defcustom gssapi-program (list (concat "gsasl %s %p " - "--mechanism GSSAPI " - "--authentication-id %l") - "imtest -m gssapi -u %l -p %p %s") + "--mechanism GSSAPI ") + "imtest -m gssapi -p %p %s") "List of strings containing commands for GSSAPI (krb5) authentication. %s is replaced with server hostname, %p with port to connect to, and %l with the user name. The program should accept commands on @@ -41,7 +40,7 @@ tried until a successful connection is made." :group 'network :type '(repeat string)) -(defun open-gssapi-stream (name buffer server port user) +(defun open-gssapi-stream (name buffer server port) (let ((cmds gssapi-program) cmd done) (with-current-buffer buffer @@ -57,8 +56,7 @@ tried until a successful connection is made." cmd (format-spec-make ?s server - ?p (number-to-string port) - ?l user)))) + ?p (number-to-string port))))) response) (when process (while (and (memq (process-status process) '(open run)) 
@@ -92,7 +90,6 @@ tried until a successful connection is made." (setq response (match-string 1))))) (accept-process-output process 1) (sit-for 1)) - (erase-buffer) (message "GSSAPI connection: %s" (or response "failed")) (if (and response (let ((case-fold-search nil)) (not (string-match "failed" response)))) diff --git a/lisp/nnimap.el b/lisp/nnimap.el index 05251ed..2eca2b4 100644 --- a/lisp/nnimap.el +++ b/lisp/nnimap.el @@ -65,7 +65,7 @@ it will default to `imap'.") (defvoo nnimap-stream 'undecided "How nnimap talks to the IMAP server. The value should be either `undecided', `ssl' or `tls', -`network', `starttls', `plain', or `shell'. +`network', `starttls', `plain', `gssapi', or `shell'. If the value is `undecided', nnimap tries `ssl' first, then falls back on `network'.") @@ -408,6 +408,10 @@ textual parts.") (nnheader-message 7 "Opening connection to %s via shell..." nnimap-address) '("imap")) + ((eq nnimap-stream 'gssapi) + (nnheader-message 7 "Opening connection to %s via GSSAPI..." + nnimap-address) + '(143)) ((memq nnimap-stream '(ssl tls)) (nnheader-message 7 "Opening connection to %s via tls..." nnimap-address) @@ -463,7 +467,9 @@ textual parts.") (setf (nnimap-capabilities nnimap-object) (mapcar #'upcase (split-string capabilities))) - (unless (gnus-string-match-p "[*.] PREAUTH" greeting) + (unless (or + (eq nnimap-stream 'gssapi) + (gnus-string-match-p "[*.] PREAUTH" greeting)) (if (not (setq credentials (if (eq nnimap-authenticator 'anonymous) (list "anonymous"

-- 
The only problem with troubleshooting is that the trouble shoots back.
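Review bot: in the network-stream.el hunk at @@ -44,6 +44,7 @@, the unconditional `(require 'gssapi)` makes a core Emacs file depend on gssapi.el at load time, so network-stream.el will fail to load anywhere gssapi.el is not installed. The same file already defers an optional backend with `(autoload 'gnutls-negotiate "gnutls")` two lines below; an `(autoload 'open-gssapi-stream "gssapi")` would follow that pattern and only pull gssapi.el in when a gssapi connection is actually opened.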
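Review bot: in the docstring hunk at @@ -85,6 +86,7 @@, the new line `gssapi' -- a GSSAPI connection. is the only entry in the list that is not capitalised (compare `A TLS connection.` and `A shell connection.`), and it does not tell the caller that, unlike the other types, this one runs the external command configured in `gssapi-program` rather than opening a native stream. Suggest: `gssapi' -- A GSSAPI connection through an external command (see `gssapi-program').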
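Review bot: in the hunk adding `network-stream-open-gssapi` at @@ -172,6 +175,24 @@, the value returned by `open-gssapi-stream` is handed straight to `network-stream-get-response` without a nil check; `open-gssapi-stream` reports `GSSAPI connection: failed` when none of the commands succeeds, so a failed authentication will surface as an obscure error from `network-stream-get-response` instead of a clear one here. Add something like `(unless stream (error "GSSAPI connection to %s:%s failed" host service))` before reading the greeting. Also, `(or eo-capa eoc)` in the `network-stream-command` call is redundant because `eo-capa` is already bound to `(or ... eoc)` in the `let*`, and a docstring describing the PARAMETERS plist keys the function reads would help.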
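Review bot: in the `gssapi-program` hunk at @@ -29,9 +29,8 @@, the `--authentication-id %l` and `-u %l` options are removed from the default commands, but the docstring that follows still says `%l with the user name`, so it now documents a spec that the format call no longer supplies. Update the docstring to drop %l and say that the identity comes from the caller's existing Kerberos credentials, since that is the behaviour change this hunk introduces.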
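Review bot: in the hunk at @@ -41,7 +40,7 @@, dropping `user` from the `open-gssapi-stream` signature breaks any existing caller that still passes five arguments. Keeping it as `&optional user` keeps old callers working and lets the %l substitution be retained when a user name is supplied.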
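Review bot: in the hunk at @@ -57,8 +56,7 @@, removing `?l user` from `format-spec-make` means a user whose customised `gssapi-program` still contains `%l` (as the previous default did) will get an error from `format-spec` at connection time instead of a working command. Either keep `?l` bound (to the optional user or an empty string) or call the removal out in the `gssapi-program` docstring so existing customisations can be adjusted.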
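Review bot: in the hunk at @@ -92,7 +90,6 @@, `(erase-buffer)` is deleted without a comment saying why; presumably so the server greeting stays in the buffer for `network-stream-get-response` in the new `network-stream-open-gssapi`, which reads from the point recorded in `start`. Whatever the external command prints before the greeting now stays in the buffer as well, so a comment here explaining the intent, and a check in the caller that `start` still points at the greeting, would make this easier to maintain.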
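Review bot: in the nnimap.el hunk at @@ -408,6 +408,10 @@, the gssapi branch returns `'(143)` while the sibling `shell` branch returns the service name `'("imap")`; the number only works because `open-gssapi-stream` calls `number-to-string` on the port, and hard-coding it means a server listening on another port cannot be reached. Return the port configured for the server, as a string like the other branches, and convert it in `open-gssapi-stream` only when a number is needed.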
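Review bot: in the hunk at @@ -463,7 +467,9 @@, skipping the login step whenever `nnimap-stream` is `gssapi` assumes the external command always completed SASL authentication before handing over the connection; the only guard is the `failed` string match in gssapi.el, so if the helper connects but authentication did not succeed, nnimap proceeds as if authenticated and the server will reject the following commands without a useful message to the user. Consider verifying the greeting or the result of the first command here as well. Stylistically, `(or` followed by a line break is unusual; put `(eq nnimap-stream 'gssapi)` on the same line as `(or`.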