author | Eric S. Raymond <esr@thyrsus.com> | 1998-03-03 21:22:36 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 1998-03-03 21:22:36 +0000 |
commit | 6421b138290aeecda414de1c753ace9d04681f7c (patch) | |
tree | 4facf1555bb3adc7028734a8f5c201b4c3c4a896 | |
parent | e82d0241ff7d9a09e30776dc37b97d49c1ca531a (diff) | |
download | fetchmail-6421b138290aeecda414de1c753ace9d04681f7c.tar.gz fetchmail-6421b138290aeecda414de1c753ace9d04681f7c.tar.bz2 fetchmail-6421b138290aeecda414de1c753ace9d04681f7c.zip |
Kerberos V support.
svn path=/trunk/; revision=1682
-rw-r--r-- | INSTALL | 8 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | configure.in | 25 | ||||
-rw-r--r-- | driver.c | 89 | ||||
-rw-r--r-- | fetchmail-features.html | 6 | ||||
-rw-r--r-- | fetchmail.c | 14 | ||||
-rw-r--r-- | fetchmail.h | 1 | ||||
-rw-r--r-- | fetchmail.man | 14 | ||||
-rw-r--r-- | options.c | 10 | ||||
-rw-r--r-- | rcfile_l.l | 3 | ||||
-rw-r--r-- | rcfile_y.y | 14 | ||||
-rw-r--r-- | sample.rcfile | 1 |
12 files changed, 169 insertions, 22 deletions
@@ -70,10 +70,10 @@ will do that. Advanced configuration: -Specifying --with-kerberos=DIR will tell the fetchmail build process to -look in DIR for Kerberos support. Configure normally looks in /usr/kerberos -and /usr/athena; if you specify this option with an argument it will look -in DIR first. +Specifying --with-kerberos=DIR or --with-kerberos5=DIR will tell the +fetchmail build process to look in DIR for Kerberos support. +Configure normally looks in /usr/kerberos and /usr/athena; if you +specify this option with an argument it will look in DIR first. Unfortunately, there doesn't seem to be good standardization of where Kerberos lives. If your configuration doesn't match one of the four @@ -11,10 +11,6 @@ * Make the antispam response configurable. * Handle multi-homed hosts correctly. - Other TO-DO items: - -* Get with Craig Metz to write a draft RFC on RFC1938 support in IMAP. - Release Notes: ------------------------------------------------------------------------------ @@ -22,6 +18,8 @@ fetchmail-4.4.0 (): * Relax the LOGIN capability check in IMAP. * John Stracke <francis@netscape.com> sent a workaround for SIGALRM flakiness under Red Hat 5.0. +* Kerberos V support from Jon Dugan <jdugan@ncsa.uiuc.edu> and + Von Welch <vwelch@ncsa.uiuc.edu>. There are 269 people on fetchmail-friends and 144 on fetchmail-announce. diff --git a/configure.in b/configure.in index 8fd6d8e7..b9354b94 100644 --- a/configure.in +++ b/configure.in 
@@ -265,6 +265,31 @@ else
done
fi
+### use option --with-kerberos5=DIR to point at a Kerberos 5 directory
+AC_ARG_WITH(kerberos5,
+ [ --with-kerberos5=DIR point fetchmail compilation at a Kerberos 5 directory])
+
+# The "then" arm (nonempty $with_kerberos5) is kind of a crock. It works for
+# configuring the BSD/OS Kerberos IV support, though.
+if test "$with_kerberos5" != "yes"
+then
+ # Path given
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$with_kerberos5/include"
+ LDEFLAGS="$LDEFLAGS -L$with_kerberos5/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+else
+ for dir in /usr/kerberos /usr/local/krb5 /usr/athena
+ do
+ if test -f "$dir/include/krb5.h"
+ then
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$dir/include"
+ LDEFLAGS="$LDEFLAGS -L$dir/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+ break
+ fi
+ done
+fi
+
 AC_OUTPUT(Makefile, [
# The reason for this odd makedepend line is that we want
# to have all dependencies evaluated relative to the source directory
@@ -66,6 +66,11 @@
#include <netinet/in.h>
#include <netdb.h>
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+#include <krb5.h>
+#include <com_err.h>
+#endif /* KEREROS_V5 */
+
 #include "fetchmail.h"
#include "socket.h"
#include "smtp.h"
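Review bot: The `if test "$with_kerberos5" != "yes"` test in the configure.in hunk is also true when --with-kerberos5 was never given ($with_kerberos5 is empty then), so unless an enclosing test outside the hunk guards this block, every build takes the "Path given" arm and picks up `-DKERBEROS_V5 -I/include -L/lib -lkrb5 -lcrypto -lcom_err`, which breaks linking on hosts without Kerberos 5 and turns V5 on where nobody asked for it. The comment promises "nonempty $with_kerberos5" but nothing checks that; `if test -n "$with_kerberos5" -a "$with_kerberos5" != "yes"` for the path arm and `elif test "$with_kerberos5" = "yes"` in front of the directory probe would leave KERBEROS_V5 undefined in an unrequested build. The block's comment still says "BSD/OS Kerberos IV support", a leftover from the V4 block it was copied from. In the driver.c include hunk the closing comment misspells the macro, `#endif /* KEREROS_V5 */`; it should read `#endif /* KERBEROS_V5 */`.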
@@ -1593,6 +1598,72 @@ const char *canonical; /* server name */
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+int
+kerberos5_auth(socket, canonical)
+/* authernticate to the server host using Kerberos V5 */
+int socket; /* socket to server host */
+const char *canonical; /* server name */
+{
+ krb5_error_code retval;
+ krb5_context context;
+ krb5_ccache ccdef;
+ krb5_principal client = NULL, server = NULL;
+ krb5_error *err_ret = NULL;
+
+ krb5_auth_context auth_context = NULL;
+
+ krb5_init_context(&context);
+ krb5_init_ets(context);
+ krb5_auth_con_init(context, &auth_context);
+
+ if (retval = krb5_cc_default(context, &ccdef)) {
+ error(0, 0, "krb5_cc_default: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_cc_get_principal(context, ccdef, &client)) {
+ error(0, 0, "krb5_cc_get_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_sname_to_principal(context, canonical, "pop",
+ KRB5_NT_UNKNOWN,
+ &server)) {
+ error(0, 0, "krb5_sname_to_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ retval = krb5_sendauth(context, &auth_context, (krb5_pointer) &socket,
+ "KPOPV1.0", client, server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL, /* no data to checksum */
+ 0, /* no creds, use ccache instead */
+ ccdef,
+ &err_ret, 0,
+
+ NULL); /* don't need reply */
+
+ krb5_free_principal(context, server);
+ krb5_free_principal(context, client);
+ krb5_auth_con_free(context, auth_context);
+
+ if (retval) {
+ if (err_ret && err_ret->text.length) {
+ error(0, 0, "krb5_sendauth: %s [server says '%*s'] ",
+ error_message(retval),
+ err_ret->text.length,
+ err_ret->text.data);
+ krb5_free_error(context, err_ret);
+ } else
+ error(0, 0, "krb5_sendauth: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ return 0;
+}
+#endif /* KERBEROS_V5 */
+
 int do_protocol(ctl, proto)
/* retrieve messages from server using given protocol method table */
struct query *ctl; /* parsed options with merged-in defaults */
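Review bot: The error report after a failed krb5_sendauth prints the server's error text with `%*s`, which is a minimum field width rather than a length limit: printf keeps reading `err_ret->text.data` until it finds a NUL byte, and a krb5_data buffer carries a length, not a terminator, so a peer-supplied error message can make the client read past the end of that buffer; the format needs a precision and an int argument, `"krb5_sendauth: %s [server says '%.*s'] "` with `(int)err_ret->text.length`. The three early returns before krb5_sendauth leave `context`, `auth_context`, `ccdef` and `client` unreleased, the success path never calls krb5_cc_close or krb5_free_context, and `err_ret` is only freed when its text is non-empty; the return value of `krb5_init_context(&context)` is also ignored, so a failed init hands an uninitialised context to every later call. A single cleanup label that releases whatever was acquired, reached by every failure, covers all of these, as below. Minor: the function is only referenced from do_protocol in this file and could be `static`, and the comment reads "authernticate".
```c
/* authenticate to the server host using Kerberos V5 */
static int
kerberos5_auth(socket, canonical)
int socket;		/* socket to server host */
const char *canonical;	/* server name */
{
    krb5_error_code retval;
    krb5_context context = NULL;
    krb5_ccache ccdef = NULL;
    krb5_principal client = NULL, server = NULL;
    krb5_error *err_ret = NULL;
    krb5_auth_context auth_context = NULL;
    int rc = PS_ERROR;

    if ((retval = krb5_init_context(&context))) {
	error(0, 0, "krb5_init_context: %s", error_message(retval));
	return(PS_ERROR);	/* nothing acquired yet */
    }
    krb5_init_ets(context);
    if ((retval = krb5_auth_con_init(context, &auth_context))) {
	error(0, 0, "krb5_auth_con_init: %s", error_message(retval));
	goto cleanup;
    }
    if ((retval = krb5_cc_default(context, &ccdef))) {
	error(0, 0, "krb5_cc_default: %s", error_message(retval));
	goto cleanup;
    }
    if ((retval = krb5_cc_get_principal(context, ccdef, &client))) {
	error(0, 0, "krb5_cc_get_principal: %s", error_message(retval));
	goto cleanup;
    }
    if ((retval = krb5_sname_to_principal(context, canonical, "pop",
					  KRB5_NT_UNKNOWN, &server))) {
	error(0, 0, "krb5_sname_to_principal: %s", error_message(retval));
	goto cleanup;
    }

    /* … unchanged: krb5_sendauth call with AP_OPTS_MUTUAL_REQUIRED … */

    if (retval) {
	if (err_ret && err_ret->text.length)
	    /* %.*s: text.data is length-delimited, not NUL-terminated */
	    error(0, 0, "krb5_sendauth: %s [server says '%.*s'] ",
		  error_message(retval),
		  (int)err_ret->text.length, err_ret->text.data);
	else
	    error(0, 0, "krb5_sendauth: %s", error_message(retval));
    } else
	rc = 0;

cleanup:
    if (err_ret)
	krb5_free_error(context, err_ret);
    if (server)
	krb5_free_principal(context, server);
    if (client)
	krb5_free_principal(context, client);
    if (auth_context)
	krb5_auth_con_free(context, auth_context);
    if (ccdef)
	krb5_cc_close(context, ccdef);
    krb5_free_context(context);
    return(rc);
}
```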
@@ -1610,6 +1681,14 @@ const struct method *proto; /* protocol method table */
}
#endif /* KERBEROS_V4 */
+#ifndef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ error(0, -1, "Kerberos V5 support not linked.");
+ return(PS_ERROR);
+ }
+#endif /* KERBEROS_V5 */
+
 /* lacking methods, there are some options that may fail */
if (!proto->is_old)
{
@@ -1738,6 +1817,16 @@ const struct method *proto; /* protocol method table */
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ ok = kerberos5_auth(sock, ctl->server.truename);
+ if (ok != 0)
+ goto cleanUp;
+ set_timeout(ctl->server.timeout);
+ }
+#endif /* KERBEROS_V5 */
+
 /* accept greeting message from mail server */
ok = (protocol->parse_response)(sock, buf);
if (ok != 0)
diff --git a/fetchmail-features.html b/fetchmail-features.html
index 295f1e36..42cbcf87 100644
--- a/fetchmail-features.html
+++ b/fetchmail-features.html
@@ -10,7 +10,7 @@
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<HR>
@@ -21,6 +21,8 @@ are listed first.
<P>
<H2>Since 4.0:</H2>
<UL>
+<LI> Support for Kerberos V authentication.
+
 <LI> Support for IMAP-OTP authentication using Craig Metz's patches for UW IMAP.
@@ -139,7 +141,7 @@ get-mail, gwpop, pimp-1.0, pop-perl5-1.2, popc, popmail-1.6 and upop.<P>
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS>
diff --git a/fetchmail.c b/fetchmail.c
index 629a95af..7c4be484 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -325,7 +325,10 @@ int main (int argc, char **argv)
for (ctl = querylist; ctl; ctl = ctl->next)
if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)
{
- if (ctl->server.preauthenticate == A_KERBEROS_V4 || ctl->server.protocol == P_IMAP_K4 || ctl->server.protocol == P_IMAP_GSS)
+ if (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5 ||
+ ctl->server.protocol == P_IMAP_K4 ||
+ ctl->server.protocol == P_IMAP_GSS)
/* Server won't care what the password is, but there must be some non-null string here. */
ctl->password = ctl->remotename;
@@ -450,7 +453,9 @@ int main (int argc, char **argv)
* nameserver is still up. The multidrop case
* (especially) needs it.
*/
- if (ctl->server.preauthenticate==A_KERBEROS_V4 || MULTIDROP(ctl))
+ if (ctl->server.preauthenticate==A_KERBEROS_V4 ||
+ ctl->server.preauthenticate==A_KERBEROS_V5 ||
+ MULTIDROP(ctl))
{
struct hostent *namerec;
@@ -997,7 +1002,8 @@ void dump_params (struct query *ctl)
#else /* INET6 */
&& ctl->server.port == KPOP_PORT
#endif /* INET6 */
- && ctl->server.preauthenticate == A_KERBEROS_V4)
+ && (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5))
printf(" Protocol is KPOP");
else
printf(" Protocol is %s", showproto(ctl->server.protocol));
@@ -1018,6 +1024,8 @@ void dump_params (struct query *ctl)
putchar('\n');
if (ctl->server.preauthenticate == A_KERBEROS_V4)
printf(" Kerberos V4 preauthentication enabled.\n");
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ printf(" Kerberos V5 preauthentication enabled.\n");
if (ctl->server.timeout > 0)
printf(" Server nonresponse timeout is %d seconds", ctl->server.timeout);
if (ctl->server.timeout == CLIENT_TIMEOUT)
diff --git a/fetchmail.h b/fetchmail.h
index 021df036..b7eefb5b 100644
--- a/fetchmail.h
+++ b/fetchmail.h
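Review bot: The same two-way test on ctl->server.preauthenticate is now spelled out by hand in three places in fetchmail.c — the password default in main, the hostname lookup in main, and the KPOP display in dump_params — and the first of them ORs the two IMAP protocol cases onto it as well. A predicate defined alongside the existing `MULTIDROP(ctl)` macro, e.g. `#define KERBEROS_PREAUTH(ctl) ((ctl)->server.preauthenticate == A_KERBEROS_V4 || (ctl)->server.preauthenticate == A_KERBEROS_V5)`, would keep the three sites from drifting apart the next time an authentication type is added, and the fourth hunk's two separate `if`/printf pairs could then become one line printing the version. The bodies of main and dump_params continue outside these hunks.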
@@ -22,6 +22,7 @@ /* preauthentication types */ #define A_PASSWORD 0 /* password or inline authentication */ #define A_KERBEROS_V4 1 /* preauthenticate w/ Kerberos V4 */ +#define A_KERBEROS_V5 2 /* preauthenticate w/ Kerberos V5 */ /* * Definitions for buffer sizes. We get little help on setting maxima diff --git a/fetchmail.man b/fetchmail.man index a339dea7..deded9db 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -328,16 +328,16 @@ no other activity has occurred on the link, then the poll will be skipped. This option is currently only supported under Linux. .TP .B \-A, --auth -(Keyword: auth[enticate]) +(Keyword: auth[enticate]) This option permits you to specify a preauthentication type (see USER AUTHENTICATION below for details). The possible values are -\&`\fBpassword\fR' and `\fBkerberos\fR' (or, for excruciating -exactness, `\fBkerberos_v4\fR'). This option is provided +\&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for +excruciating exactness, `\fBkerberos_v4\fR'). This option is provided primarily for developers; choosing KPOP protocol automatically selects -Kerberos preauthentication, and all other alternatives use -password authentication (though APOP uses a generated one-time -key as the password and IMAP-K4 uses RFC1731 Kerberos v4 authentication). -This option does not work with ETRN. +Kerberos preauthentication, and all other alternatives use password +authentication (though APOP uses a generated one-time key as the +password and IMAP-K4 uses RFC1731 Kerberos v4 authentication). This +option does not work with ETRN. .SS Miscellaneous Options .TP .B \-f pathname, --fetchmailrc pathname 
@@ -211,7 +211,11 @@ struct query *ctl; /* option record to be initialized */
#else /* INET6 */
ctl->server.port = KPOP_PORT;
#endif /* INET6 */
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
}
else if (strcasecmp(optarg,"imap") == 0)
ctl->server.protocol = P_IMAP;
@@ -243,9 +247,15 @@ struct query *ctl; /* option record to be initialized */
if (strcmp(optarg, "password") == 0)
ctl->server.preauthenticate = A_PASSWORD;
else if (strcmp(optarg, "kerberos") == 0)
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+ else if (strcmp(optarg, "kerberos_v5") == 0)
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
else if (strcmp(optarg, "kerberos_v4") == 0)
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
else {
fprintf(stderr,"Invalid preauthentication `%s' specified.\n", optarg);
errflag++;
@@ -40,7 +40,8 @@ port { return PORT; }
interval { return INTERVAL; }
auth(enticate)? { return AUTHENTICATE; }
kerberos_v4 { return KERBEROS4; }
-kerberos { return KERBEROS4; }
+kerberos { return KERBEROS; }
+kerberos_v5 { return KERBEROS5; }
timeout { return TIMEOUT;}
envelope { return ENVELOPE; }
qvirtual { return QVIRTUAL; }
@@ -62,7 +62,7 @@ extern char * yytext;
}
%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
-%token AUTHENTICATE TIMEOUT KPOP KERBEROS4
+%token AUTHENTICATE TIMEOUT KPOP KERBEROS4 KERBEROS5 KERBEROS
%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA SMTPADDRESS
%token PRECONNECT POSTCONNECT LIMIT
%token IS HERE THERE TO MAP WILDCARD
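Review bot: In the second options.c hunk the keyword table is split by #ifdef KERBEROS_V5, so a V5 build rejects `--auth kerberos_v4` as "Invalid preauthentication" and a V4-only build rejects `--auth kerberos_v5`, while the rcfile grammar (the unconditional `AUTHENTICATE KERBEROS5` rule in the rcfile_y.y hunk that follows) and the new man-page text accept both spellings in every build; only the rcfile path can ever reach the "Kerberos V5 support not linked" check added in driver.c. Accepting all four spellings here unconditionally, with `kerberos` alone choosing the compiled-in default, makes the command line, the rcfile and the documentation agree and leaves the reporting to driver.c's checks (the V4 guard visible just above the new one presumably covers the mirror case). The same #ifdef also changes what `kerberos` and `-p kpop` mean (first hunk here, and the `PROTOCOL KPOP` and `AUTHENTICATE KERBEROS` rules in rcfile_y.y): rebuilding with Kerberos 5 moves every existing `kerberos`/KPOP configuration from V4 to V5 without any change to the user's files, which deserves at least a NEWS entry and a note in the man page. The option-parsing switch continues outside both hunks.
```c
	    else if (strcmp(optarg, "kerberos") == 0)
#ifdef KERBEROS_V5
		ctl->server.preauthenticate = A_KERBEROS_V5;
#else
		ctl->server.preauthenticate = A_KERBEROS_V4;
#endif /* KERBEROS_V5 */
	    else if (strcmp(optarg, "kerberos_v4") == 0)
		ctl->server.preauthenticate = A_KERBEROS_V4;
	    else if (strcmp(optarg, "kerberos_v5") == 0)
		ctl->server.preauthenticate = A_KERBEROS_V5;
	    /* … unchanged: "Invalid preauthentication" error and errflag++ … */
```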
@@ -129,7 +129,11 @@ serv_option : AKA alias_list
| PROTOCOL PROTO {current.server.protocol = $2;}
| PROTOCOL KPOP {
current.server.protocol = P_POP3;
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
#if INET6
current.server.service = KPOP_PORT;
#else /* INET6 */
@@ -151,6 +155,14 @@ serv_option : AKA alias_list
| INTERVAL NUMBER {current.server.interval = $2;}
| AUTHENTICATE PASSWORD {current.server.preauthenticate = A_PASSWORD;}
| AUTHENTICATE KERBEROS4 {current.server.preauthenticate = A_KERBEROS_V4;}
+ | AUTHENTICATE KERBEROS5 {current.server.preauthenticate = A_KERBEROS_V5;}
+ | AUTHENTICATE KERBEROS {
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
+ current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
+ }
| TIMEOUT NUMBER {current.server.timeout = $2;}
| ENVELOPE NUMBER STRING
diff --git a/sample.rcfile b/sample.rcfile
index 5f284631..facb95c3 100644
--- a/sample.rcfile
+++ b/sample.rcfile
@@ -83,6 +83,7 @@
# Legal authentication types are
# login
# kerberos
+# kerberos_v5
#
# Legal global option statements are
# |