help-gsasl

Re: help with gssapi smtp auth


From: Simon Josefsson
Subject: Re: help with gssapi smtp auth
Date: Thu, 15 Dec 2005 17:35:26 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

"Umapati Singh" <address@hidden> writes:

> Thank You So Very Much!!!!
>
> As for the CC:ing, I thought of doing it myself, but didn't want everyone to
> know how dumb I am ;)
>
> Although, I am still a long way away from home :)

Hehe, don't worry, it will most likely help others in the future.

> Now, I have tried compiling msmtp and GNU SASL too.  GNU SASL doesn't
> compile well for GSSAPI.  The error I get is:
>
> while running ./configure in the beginning:
>       configure: checking for GSS implementation
>       configure: auto-detecing GSS/MIT/Heimdal
>       configure: use --enable-gssapi=IMPL to override
>       configure: where IMPL is `gss', `mit', or `heimdal'
>       checking for libgss... no
>       configure: WARNING: GNU GSS not found (see http://josefsson.org/gss/)...
>       checking for krb5-config... no
>       configure: WARNING: krb5-config not found, disabling GSSAPI
>       checking if GSSAPI should be used... no
>
> Thereafter, it flags off (using #) the GSSAPI functionality through the
> appropriate makefiles.  Turning them ON manually doesn't help.
> Also when I try to do a 'man gss_import_name', it says: No manual entry for
> gss_import_name

You need to install a GSS library first.

You can use my GNU GSS, or use the GSS-API library in MIT Kerberos or
Heimdal.  All three should work.

Another warning: GNU GSS requires that you have installed GNU Shishi
first, since Shishi is the Kerberos V5 implementation used by GNU GSS.

> Also, I have tried the RFCs too, but as you yourself said, I found that
> implementing them would be time-consuming if not difficult.

Right.

> You have mentioned that NTLM would be less complex, but would you advise
> changing course now... I had completely ignored NTLM from day one because I
> believe it's Microsoft's proprietary implementation.

Depends.  Are you sure that your server really supports GSSAPI
authentication?  Perhaps it claims to support it, but would never
actually let you in.  If so, NTLM may be your only choice.  Try running
'tcpdump' on a connection to the mail server with another mail client, if
you have any that can send mail through the server.

GSSAPI is technically superior, so if you are concerned with security,
you should try to make it work.  In contrast, NTLM is insecure.

> As of now, I am trying to download GNU GSS and see if that would help....

That's a good idea.  MIT Kerberos V5 or Heimdal may be more tested, so
if you run into problems, you could try them instead.  However, I'd be
happy to do what little I can to help you remotely to get it to work.

Regards,
Simon

> Meanwhile, I would appreciate if you could guide me further.
>
> Regards,
> Umapati
>
> P.S. Thanks for your efforts again!!!!
>
>
>
> -----Original Message-----
> From: Simon Josefsson [mailto:address@hidden
> Sent: Thursday, December 15, 2005 10:54 AM
> To: Umapati Singh
> Cc: address@hidden
> Subject: Re: help with gssapi smtp auth
>
>
> Hi again.  I'm Cc:ing the mailing list, in case others are interested,
> I hope you don't mind.
>
> The data are GSS-API blobs.  You could use GNU SASL to produce them.
> If you want to implement it all yourself, you need to implement these
> protocols:
>
> http://www.ietf.org/rfc/rfc1964.txt
> http://www.ietf.org/rfc/rfc2222.txt
> http://www.ietf.org/rfc/rfc2743.txt
> http://www.ietf.org/rfc/rfc2744.txt
>
> That is fairly complex, so it is probably easier to simply use GNU
> SASL for the SASL part, GNU GSS for the GSS-API part and GNU Shishi
> for the Kerberos V5 part.
>
> NTLM is slightly less complex, you would only need GNU SASL for the
> SASL part and Libntlm for the NTLM part.
>
> Hope this helps,
> Simon
>
> "Umapati Singh" <address@hidden> writes:
>
>> Also, could you please elaborate on the messages that you passed after
>> AUTH GSSAPI.  It's not simple base64-encoded username and password, I see.  So
>> where exactly did you get these strings from.....  I hope I'm coherent....
>>
>> Waiting eagerly for an early response,
>> umapati
>>
>> -----Original Message-----
>> From: Simon Josefsson [mailto:address@hidden
>> Sent: Thursday, December 15, 2005 4:41 AM
>> To: Umapati Singh
>> Cc: address@hidden
>> Subject: Re: help with gssapi smtp auth
>>
>>
>> "Umapati Singh" <address@hidden> writes:
>>
>>> Hi all,
>>>
>>> I am trying to obtain SMTP AUTH using the GSSAPI mechanism.  Can anyone
>>> please provide me with a sample/screenshot of a GSSAPI session so that
>>> I could know what messages need to be passed and in what order.
>>
>> Hi!  Below is the output from GNU SASL connecting to an SMTP server,
>> upgrading the connection to TLS (using GnuTLS) and authenticating
>> using the Kerberos V5 implementation in GNU Shishi via GNU GSS.  I
>> think the SMTP server is Sendmail linked to Heimdal.
>>
>> Other GSS-API implementations, such as MIT Kerberos, Heimdal or Sun's,
>> should work too.
>>
>> Hope this helps,
>> Simon
>>
>> PS.  The 'libshishi' warning below is because the server is using
>> buggy Kerberos V5 libraries.
>>
>> address@hidden:~$ gsasl --smtp smtp.nada.kth.se
>> Trying `smtp.nada.kth.se'...
>> 220 smtp.nada.kth.se ESMTP Sendmail 8.12.11/8.12.11; Thu, 15 Dec 2005 10:35:07 +0100 (MET)
>> EHLO [127.0.0.1]
>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com [81.225.104.14], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE
>> 250-DSN
>> 250-AUTH GSSAPI
>> 250-STARTTLS
>> 250-DELIVERBY
>> 250 HELP
>> STARTTLS
>> 220 2.0.0 Ready to start TLS
>> EHLO [127.0.0.1]
>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com [81.225.104.14], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE
>> 250-DSN
>> 250-AUTH GSSAPI PLAIN
>> 250-DELIVERBY
>> 250 HELP
>> AUTH GSSAPI
>> 334
>> libshishi: warning: KDC bug: Reply encrypted using wrong key.
>> YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQug
>> AwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wj
>> gc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb
>> /Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDA
>> DQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6o
>> IMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/
>> BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK
>> 3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3j
>> igjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zk
>> wfoPQtTdfRLdph5VxQ79N9PnvnQ=
>> 334
>> YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/F
>> Ky6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8=
>> 334
>> YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp
>> BwAgAAQEBAQ=
>> Using system username `jas' as authentication identity.
>> YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu
>> AQAgAGphcwE=
>> 235 2.0.0 OK Authenticated
>> Client authentication finished (server trusted)...
>> Enter application data (EOF to finish):
>> quit
>> 221 2.0.0 smtp.nada.kth.se closing connection
>> Session finished...
>> QUIT
>> address@hidden:~$
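The four base64 strings in the gsasl session quoted above are the GSS-API blobs the thread keeps coming back to, and the RFC list in Simon's first reply (1964, 2222, 2743, 2744) is exactly the set of layouts needed to read them. The Python below is an added example, not part of the mail thread and not GNU SASL, GNU GSS or Shishi code; it uses only the standard library and the token text copied from the transcript. It strips the RFC 2743 InitialContextToken framing, identifies each Kerberos V5 token by its TOK_ID, walks the cleartext DER of the AP-REQ and AP-REP (realm, service principal, mutual-authentication flag, encryption type of the ticket), and for the two RFC 1964 wrap tokens reads the RFC 2222 security-layer bytes. Nothing is verified or decrypted: it is a passive decoder of the kind you would point at a packet capture, and the SGN_ALG, SEAL_ALG and etype tables cover only the common values, not every registered one.

```python
# Added example (not from the mail thread, not GNU SASL code; standard library only): decode the
# four base64 GSS-API blobs gsasl printed above, following RFC 2743 sec. 3.1 (token framing),
# RFC 4120 (AP-REQ/AP-REP), RFC 1964 sec. 1.2.2 (Wrap token) and RFC 2222 sec. 7.2.1 (SASL layer).
import base64

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")          # 1.2.840.113554.1.2.2
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x02\x01": "WRAP", b"\x01\x01": "MIC"}
# SGN_ALG -> (name, checksum length); 0x0400 is the des3 extension MIT and Heimdal use, 0x1100 RFC 4757.
SGN_ALGS = {0x0000: ("DES MAC MD5", 8), 0x0200: ("DES MAC", 8),
            0x0400: ("HMAC SHA1 DES3-KD", 20), 0x1100: ("HMAC MD5 (RC4-HMAC)", 8)}
SEAL_ALGS = {0xffff: "none", 0x0000: "DES", 0x0200: "DES3-KD", 0x1000: "RC4"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}

def tlv(buf, i=0):                                    # one DER TLV at buf[i] -> (tag, value, next index)
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                                 # long form: n bytes of length follow
        n = length & 0x7f
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def items(seq):                                       # (tag, value) for each TLV in a SEQUENCE value
    i = 0
    while i < len(seq):
        tag, val, i = tlv(seq, i)
        yield tag, val

def ctx_fields(seq):                                  # {context tag number: value} for [n]-tagged fields
    return {tag & 0x1f: val for tag, val in items(seq)}

def etype_of(encrypted_data):                         # EncryptedData ::= SEQUENCE { etype [0] Int32, ... }
    num = int.from_bytes(tlv(ctx_fields(tlv(encrypted_data)[1])[0])[1], "big")
    return ETYPES.get(num, str(num))

def parse_token(b64):
    """Strip the RFC 2743 framing and describe the Kerberos V5 token inside (no verification)."""
    tok = base64.b64decode(b64)
    tag, inner, end = tlv(tok)
    mech_tag, oid, i = tlv(inner)
    if tag != 0x60 or end != len(tok) or mech_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("not a Kerberos V5 InitialContextToken")
    info, body = {"type": TOK_IDS.get(inner[i:i + 2], "unknown")}, inner[i + 2:]
    if info["type"] == "KRB_AP_REQ":                  # [APPLICATION 14] SEQUENCE { ... }
        f = ctx_fields(tlv(tlv(body)[1])[1])
        info["mutual_required"] = bool(tlv(f[2])[1][1] & 0x20)   # ap-options bit 2
        t = ctx_fields(tlv(tlv(f[3])[1])[1])          # Ticket ::= [APPLICATION 1] SEQUENCE
        info["realm"] = tlv(t[1])[1].decode()         # realm and sname are not encrypted
        info["sname"] = [v.decode() for _, v in items(tlv(ctx_fields(tlv(t[2])[1])[1])[1])]
        info["ticket_etype"] = etype_of(t[3])
    elif info["type"] == "KRB_AP_REP":                # [APPLICATION 15] SEQUENCE { ... }
        info["enc_part_etype"] = etype_of(ctx_fields(tlv(tlv(body)[1])[1])[2])
    elif info["type"] == "WRAP":                      # SGN_ALG, SEAL_ALG, filler, SND_SEQ, cksum, data
        sgn, seal = int.from_bytes(body[:2], "big"), int.from_bytes(body[2:4], "big")
        name, cksum_len = SGN_ALGS[sgn]
        info.update(sgn_alg=name, seal_alg=SEAL_ALGS.get(seal, hex(seal)), snd_seq=body[6:14].hex())
        data = body[14 + cksum_len:]                  # 8-byte confounder + payload + padding
        if seal == 0xffff:                            # integrity only, so the payload is readable
            info["payload"] = data[8:-data[-1]]       # last byte = number of pad bytes (1..8)
    return info

def sasl_layer(payload, from_server):
    """RFC 2222 sec. 7.2.1: layer bitmask, 3-byte max buffer, then (client only) the authzid."""
    info = {"layers": [n for bit, n in LAYERS.items() if payload[0] & bit],
            "max_buffer": int.from_bytes(payload[1:4], "big")}
    if not from_server:
        info["authzid"] = payload[4:].decode()
    return info

TRANSCRIPT = [   # (sender, base64 exactly as gsasl printed it in the session above)
    ("client", "YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQug"
               "AwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wj"
               "gc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb"
               "/Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDA"
               "DQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6o"
               "IMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/"
               "BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK"
               "3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3j"
               "igjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zk"
               "wfoPQtTdfRLdph5VxQ79N9PnvnQ="),
    ("server", "YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/F"
               "Ky6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8="),
    ("server", "YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp"
               "BwAgAAQEBAQ="),
    ("client", "YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu"
               "AQAgAGphcwE="),
]

def decode_exchange(transcript=TRANSCRIPT):           # one dict per token, in wire order
    steps = [dict(parse_token(b64), sender=sender) for sender, b64 in transcript]
    for step in steps:
        if "payload" in step:
            step["sasl"] = sasl_layer(step["payload"], step["sender"] == "server")
    return steps

if __name__ == "__main__":
    for step in decode_exchange():
        print(step)
```

Running it prints one dict per token in wire order. Two things worth noticing in the output: the ticket's realm (NADA.KTH.SE) and service principal (smtp/smtp.nada.kth.se) are readable by anyone on the path, while the client's own name, which sits inside the encrypted authenticator, is not; and both wrap tokens use SEAL_ALG none (the SASL GSSAPI mechanism calls GSS_Wrap with conf_flag FALSE for this step), so the server's offered layers, the 8192-byte buffer limit and the client's authorization identity `jas' are integrity-protected but in the clear. Since the client picks "none" as its security layer, nothing after `235 2.0.0 OK Authenticated' is protected by GSS-API at all; in this session the TLS layer set up by STARTTLS is what keeps the rest of the SMTP dialogue private.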



