Re: Current state of GSSAPI support?
From: |
Jochen Hein |
Subject: |
Re: Current state of GSSAPI support? |
Date: |
Fri, 03 Feb 2017 05:26:34 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Elias Mårtenson <lokedhs@gmail.com> writes:
> A few years ago I inquired about Kerberos authentication for Gnus IMAP and
> at the time it was concluded that it had originally worked, but did not
> work anymore.
Yes, I came to the same conclusion last year.
> Before I sink any more time into implementing native GSSAPI support in
> Emacs, could anyone explain to me what the current state of this is, and if
> it might actually be possible to get this to work without me having to
> write a lot of new code?
I posted some patches last year on the emacs list. Unfortunately they
never got integrated - they use external commands to connect, so they
won't be generic streams.
I'll attach the rough patches I have here.
Jochen
--- network-stream.el.orig 2016-02-11 17:26:06.000000000 +0100
+++ network-stream.el 2016-02-11 18:31:02.000000000 +0100
@@ -44,6 +44,7 @@
(require 'tls)
(require 'starttls)
+(require 'gssapi)
(require 'auth-source)
(autoload 'gnutls-negotiate "gnutls")
@@ -85,6 +86,7 @@
`tls' -- A TLS connection.
`ssl' -- Equivalent to `tls'.
`shell' -- A shell connection.
+ `gssapi' -- a GSSAPI connection.
:return-list specifies this function's return value.
If omitted or nil, return a process object. A non-nil means to
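Review bot: The added docstring entry reads `gssapi' -- a GSSAPI connection.` while the sibling entries are capitalised (`A TLS connection.`, `A shell connection.`); make it `\`gssapi' -- A GSSAPI connection.` to match. It would also help callers to say here that this type runs one of the external commands listed in `gssapi-program` rather than opening a native stream, since that is what sets it apart from the other types. The docstring continues outside the hunk.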
@@ -156,6 +158,7 @@
'network-stream-open-starttls)
((memq type '(tls ssl)) 'network-stream-open-tls)
((eq type 'shell) 'network-stream-open-shell)
+ ((eq type 'gssapi) 'network-stream-open-gssapi)
(t (error "Invalid connection type %s" type))))
result)
(unwind-protect
@@ -172,6 +175,24 @@
:error (nth 4 result))
(car result))))))
+(defun network-stream-open-gssapi (name buffer host service parameters)
+ (let* ((start (with-current-buffer buffer (point)))
+ (capability-command (plist-get parameters :capability-command))
+ (eoc (plist-get parameters :end-of-command))
+ (eo-capa (or (plist-get parameters :end-of-capability)
+ eoc))
+ (stream (open-gssapi-stream name buffer host service))
+ (greeting (network-stream-get-response stream start eoc))
+ (capabilities (when capability-command
+ (network-stream-command stream
+ capability-command
+ (or eo-capa eoc)))))
+ ;; Return (STREAM GREETING CAPABILITIES RESULTING-TYPE)
+ (list stream
+ greeting
+ capabilities
+ 'gssapi)))
+
(defun network-stream-certificate (host service parameters)
(let ((spec (plist-get :client-certificate parameters)))
(cond
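Review bot: `network-stream-open-gssapi` hands the value of `open-gssapi-stream` straight to `network-stream-get-response` without checking it; in lisp/gssapi.el (same patch) a failed negotiation is only reported with `message`, and judging by the `(if (and response …` that follows there, the function appears to return nil in that case, so a failed GSSAPI handshake would likely surface here as an error from a nil process instead of a clear failure. Binding `stream` first and signalling before the greeting is read makes the failure explicit. The `(or eo-capa eoc)` in the capability call is also redundant, since `eo-capa` already defaults to `eoc` two bindings above. The function has no docstring; it should state that NAME, BUFFER, HOST and SERVICE go to `open-gssapi-stream` and that the result is `(STREAM GREETING CAPABILITIES 'gssapi)`.
```elisp
(defun network-stream-open-gssapi (name buffer host service parameters)
  "Open a GSSAPI connection to HOST/SERVICE via `open-gssapi-stream'.
NAME, BUFFER, HOST and SERVICE are passed on unchanged; PARAMETERS is
the plist given to `open-network-stream'.  Signal an error if the
external helper did not yield a process.
Return (STREAM GREETING CAPABILITIES \\='gssapi)."
  (let* ((start (with-current-buffer buffer (point)))
         (capability-command (plist-get parameters :capability-command))
         (eoc (plist-get parameters :end-of-command))
         (eo-capa (or (plist-get parameters :end-of-capability) eoc))
         (stream (open-gssapi-stream name buffer host service)))
    (unless stream
      (error "GSSAPI connection to %s:%s failed" host service))
    (let ((greeting (network-stream-get-response stream start eoc)))
      (list stream
            greeting
            (when capability-command
              (network-stream-command stream capability-command eo-capa))
            'gssapi))))
```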
diff --git a/lisp/gssapi.el b/lisp/gssapi.el
index 1f72805..08b2ec3 100644
--- a/lisp/gssapi.el
+++ b/lisp/gssapi.el
@@ -29,9 +29,8 @@
(defcustom gssapi-program (list
(concat "gsasl %s %p "
- "--mechanism GSSAPI "
- "--authentication-id %l")
- "imtest -m gssapi -u %l -p %p %s")
+ "--mechanism GSSAPI ")
+ "imtest -m gssapi -p %p %s")
"List of strings containing commands for GSSAPI (krb5) authentication.
%s is replaced with server hostname, %p with port to connect to,
and %l with the user name. The program should accept commands on
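Review bot: The `%l` spec is removed from both default commands and (in the `@@ -57,8 +56,7 @@` hunk) from the `format-spec-make` alist, yet the docstring context lines still say `and %l with the user name`, so the documentation now describes a spec that no longer exists. Anyone who customised `gssapi-program` with `%l` will, as far as I read `format-spec`, get an error for the unknown spec character rather than a silently ignored placeholder; either keep `?l` in the alist so existing customisations keep working, or drop the `%l` sentence and say that the authentication identity now comes from the caller's existing Kerberos credentials, which is what removing `--authentication-id` appears to imply. The `@@ -41,7 +40,7 @@` hunk likewise removes the USER parameter from `open-gssapi-stream`, an incompatible signature change for any caller outside this patch. Since `%s` is substituted with the server host name into a command line, it is also worth confirming that the command is started without a shell, or that the host name is passed through `shell-quote-argument` before substitution.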
@@ -41,7 +40,7 @@ tried until a successful connection is made."
:group 'network
:type '(repeat string))
-(defun open-gssapi-stream (name buffer server port user)
+(defun open-gssapi-stream (name buffer server port)
(let ((cmds gssapi-program)
cmd done)
(with-current-buffer buffer
@@ -57,8 +56,7 @@ tried until a successful connection is made."
cmd
(format-spec-make
?s server
- ?p (number-to-string port)
- ?l user))))
+ ?p (number-to-string port)))))
response)
(when process
(while (and (memq (process-status process) '(open run))
@@ -92,7 +90,6 @@ tried until a successful connection is made."
(setq response (match-string 1)))))
(accept-process-output process 1)
(sit-for 1))
- (erase-buffer)
(message "GSSAPI connection: %s" (or response "failed"))
(if (and response (let ((case-fold-search nil))
(not (string-match "failed" response))))
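Review bot: Dropping `(erase-buffer)` leaves everything the external command printed during the GSSAPI negotiation in the connection buffer, which the new `network-stream-open-gssapi` then scans from its saved `start` with `network-stream-get-response`. Presumably the erase was removed so the server greeting is no longer discarded, but then any progress or diagnostic lines the helper emits before the greeting are matched as well and stay in the buffer for the life of the connection. If the intent is only to keep the greeting, record it on this spot, e.g. `;; Keep the buffer: the caller reads the server greeting from it`, and confirm that the helper's own output precedes the point the caller reads from. The enclosing function continues outside the hunk.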
diff --git a/lisp/nnimap.el b/lisp/nnimap.el
index 05251ed..2eca2b4 100644
--- a/lisp/nnimap.el
+++ b/lisp/nnimap.el
@@ -65,7 +65,7 @@ it will default to `imap'.")
(defvoo nnimap-stream 'undecided
"How nnimap talks to the IMAP server.
The value should be either `undecided', `ssl' or `tls',
-`network', `starttls', `plain', or `shell'.
+`network', `starttls', `plain', `gssapi', or `shell'.
If the value is `undecided', nnimap tries `ssl' first, then falls
back on `network'.")
@@ -408,6 +408,10 @@ textual parts.")
(nnheader-message 7 "Opening connection to %s via shell..."
nnimap-address)
'("imap"))
+ ((eq nnimap-stream 'gssapi)
+ (nnheader-message 7 "Opening connection to %s via GSSAPI..."
+ nnimap-address)
+ '(143))
((memq nnimap-stream '(ssl tls))
(nnheader-message 7 "Opening connection to %s via tls..."
nnimap-address)
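Review bot: The new `gssapi` branch returns the literal port list `'(143)` while the sibling `shell` branch at the top of the hunk returns `'("imap")`; using the service name `'("imap")` here too would be consistent and would resolve the port the same way. As far as I can tell from the hunk this value is the port list used to open the connection, so a hard-coded number may also bypass whatever `nnimap-server-port` handling the function applies elsewhere — worth confirming, since the enclosing `cond` continues outside the hunk. A short comment on the branch, e.g. `;; Authentication is done by the external GSSAPI helper; plain IMAP port`, would record why this branch has no TLS variant.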
@@ -463,7 +467,9 @@ textual parts.")
(setf (nnimap-capabilities nnimap-object)
(mapcar #'upcase
(split-string capabilities)))
- (unless (gnus-string-match-p "[*.] PREAUTH" greeting)
+ (unless (or
+ (eq nnimap-stream 'gssapi)
+ (gnus-string-match-p "[*.] PREAUTH" greeting))
(if (not (setq credentials
(if (eq nnimap-authenticator 'anonymous)
(list "anonymous"
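Review bot: The new `(eq nnimap-stream 'gssapi)` disjunct skips the credential/login path whenever the stream type is `gssapi`, so nnimap treats the session as authenticated on the basis of configuration alone rather than anything the helper or server reported. If the external helper's negotiation did not actually authenticate but still produced a process, every later command runs in the unauthenticated state and fails in less obvious ways; the skip should rest on a positive signal from `open-gssapi-stream` rather than on the stream symbol. At minimum the assumption should be written down here, e.g. `;; gssapi streams are already authenticated by the external helper in \`open-gssapi-stream'`. The enclosing `unless` and its body continue outside the hunk.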
--
The only problem with troubleshooting is that the trouble shoots back.