help-gsasl

RE: help with gssapi smtp auth


From: Umapati Singh
Subject: RE: help with gssapi smtp auth
Date: Thu, 15 Dec 2005 21:56:17 -0500

Thank You So Very Much!!!!

As for the CC:ing, I thought of doing it myself, but didn't want everyone to
know how dumb I am ;)

Although, I am still a long way away from home :)

Now, I have tried compiling msmtp and gnu's sasl too.  GNU SASL doesn't
compile well for GSSAPI.  The error I get is :]

while running ./configure in the beginning:
        configure: checking for GSS implementation
        configure: auto-detecing GSS/MIT/Heimdal
        configure: use --enable-gssapi=IMPL to override
        configure: where IMPL is `gss', `mit', or `heimdal'
        checking for libgss... no
        configure: WARNING: GNU GSS not found (see http://josefsson.org/gss/)...
        checking for krb5-config... no
        configure: WARNING: krb5-config not found, disabling GSSAPI
        checking if GSSAPI should be used... no

Thereafter, it flags off (using #) the GSSAPI functionality through the
appropriate makefiles.  Turning them ON manually doesn't help.
Also when I try to do a 'man gss_import_name', it says: No manual entry for
gss_import_name

Also, I have tried the RFCs too, but as you yourself said, I found that
implementing them would be time-consuming if not difficult.

You have mentioned that NTLM would be less complex, but would you advise
changing course now... I had completely ignored ntlm from day one coz I
believe it's Microsoft's proprietary implementation.

As of now, I am trying to download the GNU GSS and see if that would help....

Meanwhile, I would appreciate if you could guide me further.

Regards,
Umapati

P.S. Thanks for your efforts again!!!!



-----Original Message-----
From: Simon Josefsson [mailto:address@hidden]
Sent: Thursday, December 15, 2005 10:54 AM
To: Umapati Singh
Cc: address@hidden
Subject: Re: help with gssapi smtp auth


Hi again.  I'm Cc:ing the mailing list, in case others are interested,
I hope you don't mind.

The data are GSS-API blobs.  You could use GNU SASL to produce them.
If you want to implement it all yourself, you need to implement these
protocols:

http://www.ietf.org/rfc/rfc1964.txt
http://www.ietf.org/rfc/rfc2222.txt
http://www.ietf.org/rfc/rfc2743.txt
http://www.ietf.org/rfc/rfc2744.txt

That is fairly complex, so it is probably easier to simply use GNU
SASL for the SASL part, GNU GSS for the GSS-API part and GNU Shishi
for the Kerberos V5 part.

NTLM is slightly less complex, you would only need GNU SASL for the
SASL part and Libntlm for the NTLM part.

Hope this helps,
Simon

"Umapati Singh" <address@hidden> writes:

> also, could you please elaborate on the messages that you passed after AUTH
> GSSAPI.  it's not simple base64 encoded username and password, i see.  so
> where did u exactly get these strings from.....  i hope i'm coherent....
>
> waiting eagerly for an early response,
> umapati
>
> -----Original Message-----
> From: Simon Josefsson [mailto:address@hidden]
> Sent: Thursday, December 15, 2005 4:41 AM
> To: Umapati Singh
> Cc: address@hidden
> Subject: Re: help with gssapi smtp auth
>
>
> "Umapati Singh" <address@hidden> writes:
>
>> Hi all,
>>
>> I am trying to obtain SMTP AUTH using the gssapi mechanism.  Can anyone
>> please provide me with a sample/screenshot for a gssapi session so that
>> I could know what messages and in what order do they need to be passed.
>
> Hi!  Below is the output from GNU SASL connecting to a SMTP server,
> upgrading the connection to TLS (using GnuTLS) and authenticating
> using the Kerberos V5 implementation in GNU Shishi via GNU GSS.  I
> think the SMTP server is Sendmail linked to Heimdal.
>
> Other GSS-API implementations, such as MIT Kerberos, Heimdal or Sun's,
> should work too.
>
> Hope this helps,
> Simon
>
> PS.  The 'libshishi' warning below is because the server is using
> buggy Kerberos V5 libraries.
>
> address@hidden:~$ gsasl --smtp smtp.nada.kth.se
> Trying `smtp.nada.kth.se'...
> 220 smtp.nada.kth.se ESMTP Sendmail 8.12.11/8.12.11; Thu, 15 Dec 2005
> 10:35:07 +0100 (MET)
> EHLO [127.0.0.1]
> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
> [81.225.104.14], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH GSSAPI
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> STARTTLS
> 220 2.0.0 Ready to start TLS
> EHLO [127.0.0.1]
> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
> [81.225.104.14], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH GSSAPI PLAIN
> 250-DELIVERBY
> 250 HELP
> AUTH GSSAPI
> 334
> libshishi: warning: KDC bug: Reply encrypted using wrong key.
> YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQug
> AwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wj
> gc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb
> /Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDA
> DQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6o
> IMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/
> BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK
> 3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3j
> igjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zk
> wfoPQtTdfRLdph5VxQ79N9PnvnQ=
> 334
> YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/F
> Ky6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8=
> 334
> YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp
> BwAgAAQEBAQ=
> Using system username `jas' as authentication identity.
> YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu
> AQAgAGphcwE=
> 235 2.0.0 OK Authenticated
> Client authentication finished (server trusted)...
> Enter application data (EOF to finish):
> quit
> 221 2.0.0 smtp.nada.kth.se closing connection
> Session finished...
> QUIT
> address@hidden:~$
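
To show what the "GSS-API blobs" in the quoted session contain, the following added example (not code from either poster or from GNU SASL) unpacks the last two tokens of that session using the framing from RFC 2743, RFC 1964 and RFC 2222. The function names are hypothetical, and the 20-byte checksum length for SGN_ALG 4 is an assumption noted in the code.

```python
import base64

KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (RFC 1964)
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x02\x01": "Wrap"}
LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}  # RFC 2222 sec. 7.2.1

# The last two tokens of the quoted session, copied from the page:
# the server's final 334 challenge and the client's answer to it.
SERVER_B64 = ("YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp"
              "BwAgAAQEBAQ=")
CLIENT_B64 = ("YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu"
              "AQAgAGphcwE=")

def parse_gss_token(b64):
    """Undo the RFC 2743 sec. 3.1 framing; return (token type, bytes after TOK_ID)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 2 or raw[0] != 0x60:
        raise ValueError("not a framed GSS-API token")
    pos, length = 2, raw[1]
    if length & 0x80:  # DER long form: low 7 bits give the number of length bytes
        pos += length & 0x7F
        length = int.from_bytes(raw[2:pos], "big")
    if length != len(raw) - pos or length < 13:
        raise ValueError("bad token length")
    if raw[pos] != 0x06 or raw[pos + 2:pos + 2 + raw[pos + 1]] != KRB5_OID:
        raise ValueError("mechanism is not Kerberos V5")
    pos += 2 + raw[pos + 1]
    return TOK_IDS.get(raw[pos:pos + 2], "unknown"), raw[pos + 2:]

def parse_sasl_negotiation(inner):
    """Read the RFC 2222 security-layer message carried in an unsealed Wrap token."""
    sgn_alg = int.from_bytes(inner[0:2], "little")
    if inner[2:4] != b"\xff\xff":
        raise ValueError("payload is sealed (encrypted); needs the session key")
    # Assumption: SGN_ALG 4 (HMAC-SHA1-DES3-KD, a later addition to RFC 1964)
    # has a 20-byte checksum; the DES-based algorithms in RFC 1964 use 8.
    cksum_len = 20 if sgn_alg == 4 else 8
    # Skip SGN_ALG, SEAL_ALG, filler (6), SND_SEQ (8), SGN_CKSUM, confounder (8).
    body = inner[6 + 8 + cksum_len + 8:]
    body = body[:-body[-1]]  # RFC 1964 padding: N trailing bytes of value N
    layers = [name for bit, name in LAYERS.items() if body[0] & bit]
    return layers, int.from_bytes(body[1:4], "big"), body[4:].decode()

def decode(b64):
    kind, inner = parse_gss_token(b64)
    return (kind,) + parse_sasl_negotiation(inner) if kind == "Wrap" else (kind,)

if __name__ == "__main__":
    for who, tok in (("server", SERVER_B64), ("client", CLIENT_B64)):
        print(who, decode(tok))
```

The two longer tokens earlier in the session carry the Kerberos AP-REQ and AP-REP, which `parse_gss_token` identifies by type but which cannot be read further without the ticket and session keys.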




