Mailing List Archive: exim: dev

Testing needed: heimdal_gssapi authenticator

pdp at exim

Feb 17, 2012, 5:38 AM

Post #1 of 4 (390 views)
Testing needed: heimdal_gssapi authenticator

Adventurous folks already using Heimdal needed for testing git branch of
Exim. Docs not yet updated.

Per my mail of 2012-02-04, """Heimdal 1.4 put in some restrictions on
honouring a value of $KRB5_KTNAME inherited from the environment, which
means that at present there's no way to make Exim work with a
non-default keytab file."""

I've added a "heimdal_gssapi" authenticator, server-only. I've
developed and tested against Heimdal 1.4 on FreeBSD.

(1) Pull Exim git.
(2) Switch to heimdal branch (git checkout heimdal)
(3) Note that for historical reasons, "src/" in releases corresponds to
"src/src/" in git, so cd down one level into the first src.
(4) Edit your usual Local/Makefile to include:
AUTH_HEIMDAL_GSSAPI=yes
AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
(4a) If you don't have pkg-config installed, ignore that second _PC
option and instead add the needed -I/include/paths to CFLAGS and
the library specs to AUTH_LIBS, as per usual
(4b) If you do have pkg-config but heimdal's package has a different
name, change the value of the define
(5) Install as usual
(6) Use driver "heimdal_gssapi", set option "server_keytab"; if
switching from "cyrus_sasl" driver, remember to drop the
"server_mech" option.
(7) Make sure keytab is readable by Exim runtime user
(8) Let me know how you get on!

I have:

auth_gssapi:
driver = heimdal_gssapi
public_name = GSSAPI
server_hostname = smtp.spodhuis.org
server_realm = SPODHUIS.ORG
server_keytab = /etc/kerberos/tabs/exim.keytab
server_set_id = $auth1

$auth1 is the server-verified GSSAPI Display Name; $auth2 is the
SASL-provided authorization identifier, which is not cryptographically
verified but is instead whatever the client chooses to ask for (as per
usual; so $auth1 authn, $auth2 is authzid).

Separately, anyone who wants to try AUTH_* and LOOKUP_* library
dependency management with pkg-config, both with and without .so dynamic
libraries, please do so. Take normal variable name, add "_PC", define
value as the name of the pkg-config specification to use. Let me know
of any problems. (This too is only on the heimdal branch).

Regards,
-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


pdp at exim

Feb 18, 2012, 2:07 AM

Post #2 of 4 (382 views)
Re: Testing needed: heimdal_gssapi authenticator

On 2012-02-17 at 08:38 -0500, Phil Pennock wrote:
> I have:
>
> auth_gssapi:
> driver = heimdal_gssapi
> public_name = GSSAPI
> server_hostname = smtp.spodhuis.org
> server_realm = SPODHUIS.ORG
> server_keytab = /etc/kerberos/tabs/exim.keytab
> server_set_id = $auth1

*cough* "server_realm" is unused and there doesn't seem to be anything
sane to do with it in GSSAPI; the concept exists in Kerberos, but really
any tickets for the specified principal in the keytab will be used.

So I'm removing that option.

Oops.

(Bright side: I found this while documenting the driver, thus there will
shortly exist documentation for this.)

-Phil



pdp at exim

Mar 20, 2012, 9:52 PM

Post #3 of 4 (339 views)
Re: [exim] Testing needed: heimdal_gssapi authenticator

On 2012-02-17 at 08:38 -0500, Phil Pennock wrote:
> Adventurous folks already using Heimdal needed for testing git branch of
> Exim. Docs not yet updated.
>
> Per my mail of 2012-02-04, """Heimdal 1.4 put in some restrictions on
> honouring a value of $KRB5_KTNAME inherited from the environment, which
> means that at present there's no way to make Exim work with a
> non-default keytab file."""
>
> I've added a "heimdal_gssapi" authenticator, server-only. I've
> developed and tested against Heimdal 1.4 on FreeBSD.

(As already noted, I think, the docs were updated).

I've just tried again to use Apple Mail with GSSAPI, and once more it
works with IMAP but not initially with SMTP. So no change there.

However, because of the debug messages I wrote for Exim in the new
heimdal_gssapi Authenticator, I can now tell *why* it is failing. And I
was then able to get it working.

SMTP<< BQQG/wAAAAAAAAAACK+ONaHkLnpgIS85uofF9Usl2zdQIcbUE1HdxWGWQrfF90jr8QAaD0dBJo6z0aySKV5zpQ==
gssapi: final message too short; need flags, buf sizes and authzid
SMTP>> 535 Incorrect authentication data

The somewhat under-specified GSSAPI/SASL mechanism (in old RFCs, fixed
in the drafts for the replacement) makes it a little hard to puzzle
through what's required after authentication, or that there is a step
afterwards. I remember my confusion when I first wrote a GSSAPI
client authenticator (in Perl in 2006) how awkward it was to get the
needed values.

I add an identifier to the auth, and select retry, and Apple Mail does
not send an Initial Response and does not send data when nudged. When I
run Connection Doctor, it sends AUTH GSSAPI and then QUIT, without
terminating SASL negotiation with the "*" break.

So I switch to just usercode, instead of usercode@REAL, and it works
but is then rejected by my server_condition, which is an easy fix.

So: with no usercode filled in, Apple Mail does not set an authzid for
the request; it's not clear to me if this is allowed by RFC 4752, but I
will change Exim to support it and just dup the authen id to authzid for
that case (and only commit that if it's clear that this is sufficient to
fix).

With a full realm-qualified usercode, Apple Mail fails to start
authentication and is buggy. With just a user, with an appropriate
"server_condition", it works.

(Of course, my test mail to a Gmail account had my phone beep for
successful delivery to Gmail before Mail played the successfully-sent
notification swishing sound .. at least they err on the side of caution
before reporting success :) ).

-Phil



pdp at exim

Mar 21, 2012, 1:57 AM

Post #4 of 4 (335 views)
Re: [exim] Testing needed: heimdal_gssapi authenticator

On 2012-03-20 at 21:52 -0700, Phil Pennock wrote:
> So: with no usercode filled in, Apple Mail does not set an authzid for
> the request; it's not clear to me if this is allowed by RFC 4752, but I
> will change Exim to support it and just dup the authen id to authzid for
> that case (and only commit that if it's clear that this is sufficient to
> fix).

That was sufficient to fix. Committed to master and pushed to main
repo.

Exim's heimdal_gssapi now works with Apple Mail using IPv6/TLS/GSSAPI to
connect, as long as:

* the usercode field is left empty; or
* the usercode field is not fully qualified

Fully qualifying the usercode to include a realm in Apple Mail leads to
buggy behaviour by the client which Exim can't work around.


My previous testing was with mutt, which doesn't trigger authentication
unless there's a user in the smtp_url, so there's *always* an authzid
from mutt.

-Phil

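The failure in the third post and the fix confirmed in the fourth both concern the last exchange of the RFC 4752 GSSAPI SASL mechanism: after the security context is established, the server sends a wrapped 4-byte token (security-layer bitmask plus 3-byte maximum message size) and the client answers with a wrapped token of the same 4-byte header followed by an optional authorization identity. The example below is added here and is not Exim's own code; it assumes GSS_Wrap/GSS_Unwrap have already been applied, so it operates on the plaintext payloads, and the principal names are constructed.

```python
"""RFC 4752 final-exchange handling for a GSSAPI SASL server.

Added example, not Exim's code.  The GSS wrap/unwrap step is assumed
done, so these functions see the plaintext payloads only.
"""
from typing import Tuple

# Security-layer bits from RFC 4752 section 3.1.
SEC_NONE, SEC_INTEGRITY, SEC_CONF = 0x01, 0x02, 0x04


def server_final_challenge(max_size: int, layers: int = SEC_NONE) -> bytes:
    """Server->client payload: one byte of offered security-layer bits,
    then the maximum message size as a 3-byte big-endian integer."""
    if not 0 <= max_size < (1 << 24):
        raise ValueError("max size must fit in 24 bits")
    return bytes([layers]) + max_size.to_bytes(3, "big")


def parse_client_final(payload: bytes, authn_id: str,
                       default_authzid: bool) -> Tuple[int, int, str]:
    """Client->server payload: one byte with the chosen layer, 3 bytes of
    max size, then the optional authorization identity (UTF-8).

    default_authzid=False reproduces the original strict check from the
    thread: a token carrying only the 4 header bytes (what Apple Mail sends
    with an empty usercode) is rejected.  default_authzid=True applies the
    fix: a missing authzid is filled in with the authenticated name, i.e.
    $auth2 is duplicated from $auth1.
    """
    if len(payload) < 4:
        raise ValueError("final message too short; need flags and buf size")
    layer = payload[0]
    max_size = int.from_bytes(payload[1:4], "big")
    if layer not in (SEC_NONE, SEC_INTEGRITY, SEC_CONF):
        raise ValueError("client must select exactly one security layer")
    authzid = payload[4:].decode("utf-8")
    if not authzid:
        if not default_authzid:
            raise ValueError(
                "final message too short; need flags, buf sizes and authzid")
        authzid = authn_id  # the fix: authzid defaults to the authn id
    return layer, max_size, authzid


if __name__ == "__main__":
    # Constructed Apple-Mail-style token: header only, no authzid.
    token = b"\x01\x00\x10\x00"
    print(parse_client_final(token, "alice@EXAMPLE.ORG", default_authzid=True))
```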
