
Re: help with gssapi smtp auth


From: Simon Josefsson
Subject: Re: help with gssapi smtp auth
Date: Fri, 16 Dec 2005 12:00:37 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

"Umapati Singh" <address@hidden> writes:

> Now I am getting all confused....
>
> first things first... I am done with GNU GSS and LibNTLM.... it's installed
> fine.  I am trying to run the client and it says:
>       Authentication error (58): Authentication failed because the service name
> was not provided.
> I ran client-mech and it asks for:
>       Input base64 encoded data from server:<<<< what do I input here...

Those are examples, you will need to look at the source code and adapt
them to your needs.  They are intended to be read as source code, and
not run directly.  The data request above is the data sent by the
server; you would have to write a tool that connects to your SMTP
server and then feeds the library the data you receive.  You need to
have read RFC 2554 to be able to write this tool:

http://www.ietf.org/rfc/rfc2554.txt

Try "gsasl --smtp your.smtp.server.hostname" as in my example earlier,
the "gsasl" tool is intended to be invoked directly.  Of course, this
will only get you a bare authenticated network connection.  If you
want to send mail automatically, without having to write a tool of
your own, look at Martin's MSMTP.

Regards,
Simon

> Thanks....
>
>
> -----Original Message-----
> From: Simon Josefsson [mailto:address@hidden
> Sent: Thursday, December 15, 2005 12:38 PM
> To: Umapati Singh
> Cc: address@hidden
> Subject: Re: help with gssapi smtp auth
>
>
> NTLM can be used for authentication in several protocols, libntlm was
> designed for IMAP but it will (through GNU SASL) work for SMTP as
> well.
>
> Be aware that Libntlm is rather poorly written (I didn't write it).
>
> Regards,
> Simon
>
> "Umapati Singh" <address@hidden> writes:
>
>> a quick question: the README of Libntlm (downloaded from
>> http://josefsson.org/libntlm/) has sample code for IMAP and says:
>> "The application program must convert these structures to/from base64 which
>> is used to transfer data for IMAP authentication."
>>
>> Does that mean I can't use it for SMTP AUTH???  I may sound a little deranged
>> but it's just that I don't want to think of anything other than SMTP AUTH.
>>
>> Trying to keep pace... please bear with me!!!!
>>
>> Regards,
>> Umapati
>>
>>
>> -----Original Message-----
>> From: Simon Josefsson [mailto:address@hidden
>> Sent: Thursday, December 15, 2005 12:14 PM
>> To: Umapati Singh
>> Cc: address@hidden
>> Subject: Re: help with gssapi smtp auth
>>
>>
>> "Umapati Singh" <address@hidden> writes:
>>
>>> Dear Sir,
>>>
>>> I will tell you the reason behind the sudden courtesy.  I never realised the
>>> resemblance of your last name with this website http://josefsson.org/gss/.
>>> Only then I realised who I was speaking to. Indeed I am a late entrant into
>>> the FSF/GNU arena.
>>>
>>> Once again, I thank you for your patience.
>>>
>>> Now that I know my question is in safe hands, you can't imagine how relieved
>>> I feel.
>>>
>>> So, here we go ....
>>>
>>> I installed your GNU GSS and ran configure.... and as you said it did fail
>>> because I didn't know it needed shishi/kerberos... so could you tell me where
>>> to get the exact/appropriate version from.
>>
>> Hi again.  See http://josefsson.org/shishi/
>>
>>> Meanwhile I am trying to install every rpm that has krb in
>>> it.... using aptitude.
>>
>> That will likely be easier than getting Shishi and GSS up and running,
>> and will solve your problem faster than installing GNU Shishi and GNU
>> GSS.  Make sure you get packages that include "gssapi.h" and a
>> libgssapi*.so.
>>
>> Of course, I'd like to believe that my implementations are superior to
>> others out there, but I acknowledge that Shishi and GSS are not as
>> mature as MIT Kerberos or Heimdal, so depending on your needs, you may
>> be better off with MIT Kerberos or Heimdal.
>>
>>> Also, let me see if I understand this correctly, you are saying I am still
>>> good to go with ntlm.... do you think with where I am now, I still have a
>>> long way to go...
>>>
>>> but anyways, I will try to start on ntlm too...
>>
>> You need to install libntlm before installing GNU SASL, otherwise
>> gsasl will not enable libntlm.  Get libntlm from:
>>
>> http://josefsson.org/libntlm/
>>
>>> thanks and regards,
>>> umapati
>>>
>>> P.S. HAIL SIMON!!!!!!
>>
>> Good luck,
>> Simon
>>
>>>
>>>
>>> -----Original Message-----
>>> From: Simon Josefsson [mailto:address@hidden
>>> Sent: Thursday, December 15, 2005 11:35 AM
>>> To: Umapati Singh
>>> Cc: address@hidden
>>> Subject: Re: help with gssapi smtp auth
>>>
>>>
>>> "Umapati Singh" <address@hidden> writes:
>>>
>>>> Thank You So Very Much!!!!
>>>>
>>>> As for the CC:ing, I thought of doing it myself, but didn't want everyone to
>>>> know how dumb I am ;)
>>>>
>>>> Although, I am still a long way away from home :)
>>>
>>> Hehe, don't worry, it will most likely help others in the future.
>>>
>>>> Now, I have tried compiling msmtp and gnu's sasl too.  GNU SASL doesn't
>>>> compile well for GSSAPI.  The error I get is:
>>>>
>>>> while running ./configure in the beginning:
>>>>    configure: checking for GSS implementation
>>>>    configure: auto-detecing GSS/MIT/Heimdal
>>>>    configure: use --enable-gssapi=IMPL to override
>>>>    configure: where IMPL is `gss', `mit', or `heimdal'
>>>>    checking for libgss... no
>>>>    configure: WARNING: GNU GSS not found (see http://josefsson.org/gss/)...
>>>>    checking for krb5-config... no
>>>>    configure: WARNING: krb5-config not found, disabling GSSAPI
>>>>    checking if GSSAPI should be used... no
>>>>
>>>> Thereafter, it flags off (using #) the GSSAPI functionality through the
>>>> appropriate makefiles.  Turning them ON manually doesn't help.
>>>> Also when I try to do a 'man gss_import_name', it says: No manual entry for
>>>> gss_import_name
>>>
>>> You need to install a GSS library first.
>>>
>>> You can use my GNU GSS, or use the GSS-API library in MIT Kerberos or
>>> Heimdal.  All three should work.
>>>
>>> Another warning: GNU GSS requires that you have installed GNU Shishi
>>> first, since Shishi is the Kerberos V5 implementation used by GNU GSS.
>>>
>>>> Also, I have tried the RFCs too, but as you yourself said, I found that
>>>> implementing them would be time-consuming if not difficult.
>>>
>>> Right.
>>>
>>>> You have mentioned that NTLM would be less complex, but would you advise
>>>> changing course now... I had completely ignored ntlm from day one coz I
>>>> believe it's Microsoft's proprietary implementation.
>>>
>>> Depends.  Are you sure that your server really supports GSSAPI
>>> authentication?  Perhaps it claims to support it, but would never
>>> actually let you in.  If so, NTLM may be your only choice.  Try
>>> 'tcpdump' a connection to the mail server with another mail client, if
>>> you have any that can send mail through the server.
>>>
>>> GSSAPI is technically superior, so if you are concerned with security,
>>> you should try to make it work.  In contrast, NTLM is insecure.
>>>
>>>> As of now, I am trying to download the GNU GSS and see if that would help....
>>>
>>> That's a good idea.  MIT Kerberos V5 or Heimdal may be more tested, so
>>> if you run into problems, you could try them instead.  However, I'd be
>>> happy to do what little I can to help you remotely to get it to work.
>>>
>>> Regards,
>>> Simon
>>>
>>>> Meanwhile, I would appreciate if you could guide me further.
>>>>
>>>> Regards,
>>>> Umapati
>>>>
>>>> P.S. Thanks for your efforts again!!!!
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Simon Josefsson [mailto:address@hidden
>>>> Sent: Thursday, December 15, 2005 10:54 AM
>>>> To: Umapati Singh
>>>> Cc: address@hidden
>>>> Subject: Re: help with gssapi smtp auth
>>>>
>>>>
>>>> Hi again.  I'm Cc:ing the mailing list, in case others are interested,
>>>> I hope you don't mind.
>>>>
>>>> The data are GSS-API blobs.  You could use GNU SASL to produce them.
>>>> If you want to implement it all yourself, you need to implement these
>>>> protocols:
>>>>
>>>> http://www.ietf.org/rfc/rfc1964.txt
>>>> http://www.ietf.org/rfc/rfc2222.txt
>>>> http://www.ietf.org/rfc/rfc2743.txt
>>>> http://www.ietf.org/rfc/rfc2744.txt
>>>>
>>>> That is fairly complex, so it is probably easier to simply use GNU
>>>> SASL for the SASL part, GNU GSS for the GSS-API part and GNU Shishi
>>>> for the Kerberos V5 part.
>>>>
>>>> NTLM is slightly less complex: you would only need GNU SASL for the
>>>> SASL part and Libntlm for the NTLM part.
>>>>
>>>> Hope this helps,
>>>> Simon
>>>>
>>>> "Umapati Singh" <address@hidden> writes:
>>>>
>>>>> also, could you please elaborate on the messages that you passed after AUTH
>>>>> GSSAPI.  it's not simple base64 encoded username and password, I see.  so
>>>>> where did u exactly get these strings from.....  I hope I'm coherent....
>>>>>
>>>>> waiting eagerly for an early response,
>>>>> umapati
>>>>>
>>>>> -----Original Message-----
>>>>> From: Simon Josefsson [mailto:address@hidden
>>>>> Sent: Thursday, December 15, 2005 4:41 AM
>>>>> To: Umapati Singh
>>>>> Cc: address@hidden
>>>>> Subject: Re: help with gssapi smtp auth
>>>>>
>>>>>
>>>>> "Umapati Singh" <address@hidden> writes:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I am trying to obtain SMTP AUTH using the gssapi mechanism.  Can anyone
>>>>>> please provide me with a sample/screenshot for a gssapi session so that
>>>>>> I could know what messages and in what order they need to be passed.
>>>>>
>>>>> Hi!  Below is the output from GNU SASL connecting to an SMTP server,
>>>>> upgrading the connection to TLS (using GnuTLS) and authenticating
>>>>> using the Kerberos V5 implementation in GNU Shishi via GNU GSS.  I
>>>>> think the SMTP server is Sendmail linked to Heimdal.
>>>>>
>>>>> Other GSS-API implementations, such as MIT Kerberos, Heimdal or Sun's,
>>>>> should work too.
>>>>>
>>>>> Hope this helps,
>>>>> Simon
>>>>>
>>>>> PS.  The 'libshishi' warning below is because the server is using
>>>>> buggy Kerberos V5 libraries.
>>>>>
>>>>> address@hidden:~$ gsasl --smtp smtp.nada.kth.se
>>>>> Trying `smtp.nada.kth.se'...
>>>>> 220 smtp.nada.kth.se ESMTP Sendmail 8.12.11/8.12.11; Thu, 15 Dec 2005
>>>>> 10:35:07 +0100 (MET)
>>>>> EHLO [127.0.0.1]
>>>>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
>>>>> [81.225.104.14], pleased to meet you
>>>>> 250-ENHANCEDSTATUSCODES
>>>>> 250-PIPELINING
>>>>> 250-8BITMIME
>>>>> 250-SIZE
>>>>> 250-DSN
>>>>> 250-AUTH GSSAPI
>>>>> 250-STARTTLS
>>>>> 250-DELIVERBY
>>>>> 250 HELP
>>>>> STARTTLS
>>>>> 220 2.0.0 Ready to start TLS
>>>>> EHLO [127.0.0.1]
>>>>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
>>>>> [81.225.104.14], pleased to meet you
>>>>> 250-ENHANCEDSTATUSCODES
>>>>> 250-PIPELINING
>>>>> 250-8BITMIME
>>>>> 250-SIZE
>>>>> 250-DSN
>>>>> 250-AUTH GSSAPI PLAIN
>>>>> 250-DELIVERBY
>>>>> 250 HELP
>>>>> AUTH GSSAPI
>>>>> 334
>>>>> libshishi: warning: KDC bug: Reply encrypted using wrong key.
>>>>> YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQug
>>>>> AwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wj
>>>>> gc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb
>>>>> /Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDA
>>>>> DQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6o
>>>>> IMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/
>>>>> BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK
>>>>> 3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3j
>>>>> igjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zk
>>>>> wfoPQtTdfRLdph5VxQ79N9PnvnQ=
>>>>> 334
>>>>> YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/F
>>>>> Ky6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8=
>>>>> 334
>>>>> YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp
>>>>> BwAgAAQEBAQ=
>>>>> Using system username `jas' as authentication identity.
>>>>> YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu
>>>>> AQAgAGphcwE=
>>>>> 235 2.0.0 OK Authenticated
>>>>> Client authentication finished (server trusted)...
>>>>> Enter application data (EOF to finish):
>>>>> quit
>>>>> 221 2.0.0 smtp.nada.kth.se closing connection
>>>>> Session finished...
>>>>> QUIT
>>>>> address@hidden:~$
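Simon's advice above (write a tool that connects to the SMTP server and feeds the library what the server sends, per RFC 2554) together with the gsasl session he pasted, as an added example that is not part of this thread or of GNU SASL: the client side of the AUTH exchange in Python, driven against a constructed scripted server with a stand-in mechanism where a real client would call GSS-API. parse_ehlo, sasl_auth, ScriptedServer and demo are assumed names; the EHLO reply, server replies and tokens are constructed to mirror the shape of the session shown, not taken from it.

```python
import base64

def parse_ehlo(reply_lines):
    """Map EHLO keywords to params: "250-AUTH GSSAPI PLAIN" -> {"AUTH": [...]}."""
    exts = {}
    for line in reply_lines[1:]:                  # line 0 is the greeting
        keyword, _, params = line[4:].partition(" ")   # skip "250-" / "250 "
        exts[keyword.upper()] = params.split()
    return exts

def sasl_auth(send, recv, mech, step):
    """RFC 2554 client loop: send 'AUTH <mech>', then for each '334 <base64>'
    challenge decode it, call step() and send its reply base64-encoded ('=' if
    empty, '*' to cancel).  True on 235, False on a 4xx/5xx reply."""
    send("AUTH " + mech)
    while True:
        reply = recv()
        code = reply[:3]
        if code == "334":
            challenge = base64.b64decode(reply[4:]) if len(reply) > 4 else b""
            response = step(challenge)       # mechanism step (GSS-API in gsasl)
            if response is None:
                send("*")
                continue
            send(base64.b64encode(response).decode("ascii") or "=")
        elif code == "235":
            return True
        elif code.startswith(("4", "5")):
            return False
        else:
            raise ValueError("unexpected reply during AUTH: " + reply)

class ScriptedServer:
    """Constructed SMTP server stand-in: canned replies, records client lines."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def send(self, line): self.sent.append(line)
    def recv(self): return self.replies.pop(0)

def demo(abort=False):
    # Constructed EHLO reply shaped like the post-STARTTLS one in the thread.
    exts = parse_ehlo(["250-smtp.example Hello c", "250-AUTH GSSAPI PLAIN", "250 HELP"])
    if "GSSAPI" not in exts.get("AUTH", []):
        return None                  # never AUTH with an unadvertised mechanism
    tokens, seen = iter([b"abc", b"xyz"]), []     # stand-ins for GSS-API tokens
    def step(challenge):
        seen.append(challenge)
        return None if abort else next(tokens)
    srv = ScriptedServer(["334 ", "501 5.7.0 cancelled"] if abort
                         else ["334 ", "334 c3J2", "235 2.0.0 OK Authenticated"])
    return sasl_auth(srv.send, srv.recv, "GSSAPI", step), srv.sent, seen
```

The empty first "334" is the server inviting the client's initial token, which is why the client-mech example prompts for server data before it can produce anything; demo(abort=True) shows the "*" cancel path from RFC 2554.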



