authorEric S. Raymond <esr@thyrsus.com>1996-10-10 17:47:52 +0000
committerEric S. Raymond <esr@thyrsus.com>1996-10-10 17:47:52 +0000
commit6cb67de133d4bc256dce49a631f5b2b7b34a382e (patch)
treef43eeb42340023a95737adc71c6f279c0cfb021f
parentdcc479703ddcd3b99224a06b0947e4d8bd657063 (diff)
Kerberos integration, stage 3.
svn path=/trunk/; revision=283
-rw-r--r--fetchmail.c11
-rw-r--r--fetchmail.h18
-rw-r--r--fetchmail.man30
-rw-r--r--options.c65
-rw-r--r--pop3.c13
-rw-r--r--rcfile_l.l5
-rw-r--r--rcfile_y.y12
-rw-r--r--sample.rcfile12
8 files changed, 113 insertions, 53 deletions
diff --git a/fetchmail.c b/fetchmail.c
index b86878d5..7d9073c8 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -310,8 +310,8 @@ char **argv;
for (hostp = hostlist; hostp; hostp = hostp->next)
if (hostp->active && !(implicitmode && hostp->skip) && !hostp->password[0])
{
- if (hostp->protocol == P_KPOP)
- /* Server doesn't care what the password is, but there
+ if (hostp->authenticate == A_KERBEROS)
+ /* Server won't care what the password is, but there
must be some non-null string here. */
(void) strncpy(hostp->password,
hostp->remotename, PASSWORDLEN-1);
@@ -395,7 +395,6 @@ int proto;
case P_POP3: return("POP3"); break;
case P_IMAP: return("IMAP"); break;
case P_APOP: return("APOP"); break;
- case P_KPOP: return("KPOP"); break;
default: return("unknown?!?"); break;
}
}
@@ -435,7 +434,6 @@ struct hostrec *queryctl;
break;
case P_POP3:
case P_APOP:
- case P_KPOP:
return(doPOP3(queryctl));
break;
case P_IMAP:
@@ -488,7 +486,10 @@ struct hostrec *queryctl;
printf(" APOP secret = '%s'\n", queryctl->password);
else
printf(" Password = '%s'\n", queryctl->password);
- printf(" Protocol is %s", showproto(queryctl->protocol));
+ if (queryctl->protocol == P_POP3 && queryctl->port == KPOP_PORT)
+ printf(" Protocol is KPOP");
+ else
+ printf(" Protocol is %s", showproto(queryctl->protocol));
if (queryctl->port)
printf(" (using port %d)", queryctl->port);
else if (outlevel == O_VERBOSE)
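Review bot: The new `Protocol is KPOP` branch tests only `protocol == P_POP3 && port == KPOP_PORT`, so a password-authenticated POP3 query that happens to use port 1109 is reported as KPOP. This commit moves the Kerberos decision into `authenticate`, so the condition should include it: `if (queryctl->protocol == P_POP3 && queryctl->port == KPOP_PORT && queryctl->authenticate == A_KERBEROS)`. Printing the authentication type on its own line would also let a user confirm from this dump whether a real password will be sent. The enclosing function starts and ends outside this hunk.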
diff --git a/fetchmail.h b/fetchmail.h
index d2bfc6d1..a5dcb39c 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -12,12 +12,17 @@
***********************************************************************/
/* constants designating the various supported protocols */
-#define P_AUTO 0
-#define P_POP2 2
-#define P_POP3 3
-#define P_IMAP 4
-#define P_APOP 5
-#define P_KPOP 6
+#define P_AUTO 0
+#define P_POP2 2
+#define P_POP3 3
+#define P_IMAP 4
+#define P_APOP 5
+
+#define KPOP_PORT 1109
+
+/* authentication types */
+#define A_PASSWORD 0 /* passwords in cleartext */
+#define A_KERBEROS 1 /* get Kerberos V4 ticket */
/* definitions for buffer sizes -- somewhat arbitrary */
#define POPBUFSIZE 512 /* per RFC 937 */
@@ -62,6 +67,7 @@ struct hostrec
char mda [MDALEN+1];
int protocol;
int port;
+ int authenticate;
/* MDA arguments */
char *mda_argv[32];
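Review bot: The new `authenticate` member has no comment saying which values it holds or what the default is. I would write it as `int authenticate;	/* A_PASSWORD or A_KERBEROS */`. If the record is zero-initialised (not visible here), the default is `A_PASSWORD` because that constant is 0, and that dependency deserves a mention next to the `A_*` defines. The struct definition starts and ends outside this hunk.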
diff --git a/fetchmail.man b/fetchmail.man
index 39ba3594..13a4df11 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -115,7 +115,7 @@ Post Office Protocol 3
.IP APOP
Use POP3 with MD5 authentication.
.IP KPOP
-POP3 with Kerberos authentication.
+Use POP3 with Kerberos authentication on port 1109.
.RE
.TP
.B \-P, --port
@@ -123,6 +123,15 @@ The option permits you to specify a TCP/IP port to connect on.
This option will seldom be necessary as all the supported protocols have
well-established default port numbers.
.TP
+.B \-A, --auth
+This option permits you to specify an authentication type (see USER
+AUTHENTICATION below for details). The possible values are
+\&`\fBpassword\ffR and `\fBkerberos\fR'. This option is provided
+primarily for developers; choosing KPOP protocol automatically selects
+Kerberos authentication, and all other alternatives use ordinary
+password authentication (though APOP uses a generated one-time
+key as the password).
+.TP
.B \-r folder, --remote folder
Causes a specified non-default mail folder on the mailserver to be retrieved.
The syntax of the folder name is server dependent, as is the default
@@ -178,7 +187,7 @@ on the command line, each server in your
.I ~/.fetchmailrc
file will be queried.
.SH USER AUTHENTICATION
-User authentication in
+Normal user authentication in
.I fetchmail
is very much like the authentication mechanism of
.I ftp(1).
@@ -230,6 +239,11 @@ file. Each time
logs in, it sends a cryptographically secure hash of your password and
the server greeting time to the server, which can verify it by
checking its authorization database.
+.PP
+If your \fIfetchmail\fR was built with Kerberos support and you specify
+Kerberos authentication (either with --auth or the \fI.fetchmailrc\fR
+option \fBauthenticate kerberos\fR) it will try to get a Kerberos
+ticket from the mailserver at the start of each query.
.SH DAEMON MODE
The
.B --daemon
@@ -339,6 +353,7 @@ Legal server options are:
port
skip
noskip
+ authenticate (or auth)
Legal user options are
@@ -387,6 +402,17 @@ Legal protocol identifiers are
imap (or IMAP)
apop (or APOP)
kpop (or APOP)
+
+.PP
+Legal authentication types are `password' or `kerberos'. The former
+specifies authentication by normal transmission of a password (the
+password may be plaintext or subject to protocol-specific encryption
+as in APOP); the second tells \fIfetchmail\fR to try to get a Kerberos
+ticket at the start of each query instead, and send an arbitrary
+string as the password.
+.PP
+Specifying \fBkpop\fR sets POP3 protocol over port 1109 with Kerberos
+authentication. These defaults may be overridden by later options.
.PP
You can use the `noise' keywords \fBand\fR, \fBwith\fR,
\fBhas\fR, \fBwants\fR, and \fBoptions\fR anywhere in an entry to make
diff --git a/options.c b/options.c
index 4818e9ff..77e29f16 100644
--- a/options.c
+++ b/options.c
@@ -27,19 +27,20 @@
#define LA_STDOUT 7
#define LA_FLUSH 8
#define LA_PROTOCOL 9
-#define LA_DAEMON 10
-#define LA_RCFILE 11
-#define LA_USERNAME 12
-#define LA_REMOTEFILE 13
-#define LA_PORT 14
-#define LA_SMTPHOST 15
-#define LA_MDA 16
-#define LA_LOGFILE 17
-#define LA_QUIT 18
-#define LA_NOREWRITE 19
-#define LA_CHECK 20
-#define LA_HELP 21
-#define LA_YYDEBUG 22
+#define LA_AUTHENTICATE 10
+#define LA_DAEMON 11
+#define LA_RCFILE 12
+#define LA_USERNAME 13
+#define LA_REMOTEFILE 14
+#define LA_PORT 15
+#define LA_SMTPHOST 16
+#define LA_MDA 17
+#define LA_LOGFILE 18
+#define LA_QUIT 19
+#define LA_NOREWRITE 20
+#define LA_CHECK 21
+#define LA_HELP 22
+#define LA_YYDEBUG 23
static char *shortoptions = "P:p:VaKkvS:m:sFd:f:u:r:L:qN?";
static struct option longoptions[] = {
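Review bot: `shortoptions` is left unchanged in this hunk and contains no `A:`, although a later hunk adds `case 'A':` and the usage text advertises `-A, --auth`. If this string is what the option parser receives, `-A kerberos` would be rejected as an unknown option and the new case could never be reached through the short form. The string should gain the entry, e.g. `static char *shortoptions = "P:p:A:VaKkvS:m:sFd:f:u:r:L:qN?";`.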
@@ -52,6 +53,7 @@ static struct option longoptions[] = {
{"flush", no_argument, (int *) 0, LA_FLUSH },
{"protocol", required_argument, (int *) 0, LA_PROTOCOL },
{"proto", required_argument, (int *) 0, LA_PROTOCOL },
+ {"auth", required_argument, (int *) 0, LA_PROTOCOL },
{"daemon", required_argument, (int *) 0, LA_DAEMON },
{"fetchmailrc",required_argument,(int *) 0, LA_RCFILE },
{"user", required_argument, (int *) 0, LA_USERNAME },
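Review bot: The new `"auth"` entry is registered with `LA_PROTOCOL`, not with the `LA_AUTHENTICATE` value defined in the previous hunk. As written, `--auth kerberos` is dispatched to the protocol parser, which by the visible `else` branch would report an invalid protocol, and `case LA_AUTHENTICATE:` is never selected by any long option. The entry should read `{"auth", required_argument, (int *) 0, LA_AUTHENTICATE },`. The `longoptions` table continues outside this hunk.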
@@ -153,7 +155,11 @@ struct hostrec *queryctl;
else if (strcasecmp(optarg,"apop") == 0)
queryctl->protocol = P_APOP;
else if (strcasecmp(optarg,"kpop") == 0)
- queryctl->protocol = P_KPOP;
+ {
+ queryctl->protocol = P_POP3;
+ queryctl->port = KPOP_PORT;
+ queryctl->authenticate == A_KERBEROS;
+ }
else {
fprintf(stderr,"Invalid protocol '%s'\n specified.\n", optarg);
errflag++;
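Review bot: `queryctl->authenticate == A_KERBEROS;` in the new `kpop` branch is a comparison whose result is discarded, not an assignment. `-p kpop` therefore sets POP3 and port 1109 but leaves `authenticate` at its previous value, presumably `A_PASSWORD`. The user's configured password would then go through the ordinary USER/PASS exchange to the KPOP port, where the user expects Kerberos. The line should be `queryctl->authenticate = A_KERBEROS;`. Building with warnings for unused expression values would catch this class of slip. The enclosing function starts and ends outside this hunk.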
@@ -184,6 +190,17 @@ struct hostrec *queryctl;
case LA_PORT:
queryctl->port = atoi(optarg);
break;
+ case 'A':
+ case LA_AUTHENTICATE:
+ if (strcmp(optarg, "password") == 0)
+ queryctl->authenticate = A_PASSWORD;
+ else if (strcmp(optarg, "kerberos") == 0)
+ queryctl->authenticate = A_KERBEROS;
+ else {
+ fprintf(stderr,"Invalid authentication '%s'\n specified.\n", optarg);
+ errflag++;
+ }
+ break;
case 'S':
case LA_SMTPHOST:
if (fflag)
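Review bot: The `kerberos` branch accepts Kerberos authentication whether or not the binary was built with it, while the same commit deletes the `#ifndef KERBEROS_V4` diagnostic from pop3.c and no visible hunk replaces it. Unless the ticket-acquisition code outside this diff reports the condition, a build without Kerberos would go ahead with the placeholder password and fail at the server with no hint of the cause. Rejecting the option at parse time keeps the failure explicit. Separately, this branch compares with `strcmp` while the protocol branch above uses `strcasecmp`; one convention should be used for both. The enclosing switch starts and ends outside this hunk.

```c
	    else if (strcmp(optarg, "kerberos") == 0)
#ifdef KERBEROS_V4
		queryctl->authenticate = A_KERBEROS;
#else
	    {
		fprintf(stderr, "Kerberos support not compiled into this executable.\n");
		errflag++;
	    }
#endif /* KERBEROS_V4 */
	    /* ... unchanged: "Invalid authentication" else branch and break ... */
```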
@@ -224,22 +241,26 @@ struct hostrec *queryctl;
fputs("usage: fetchmail [options] [server ...]\n", stderr);
fputs(" Options are as follows:\n",stderr);
fputs(" -?, --help display this option help\n", stderr);
- fputs(" -p, --protocol specify pop2, pop3, imap, apop, rpop, kpop\n", stderr);
fputs(" -V, --version display version info\n", stderr);
+ fputs(" -v, --verbose work noisily (diagnostic output)\n", stderr);
+ fputs(" -d, --daemon run as a daemon once per n seconds\n", stderr);
+ fputs(" -c, --check check for messages without fetching\n", stderr);
+ fputs(" -L, --logfile specify logfile name\n", stderr);
+ fputs(" -q, --quit kill daemon process\n", stderr);
+ fputs(" -f, --fetchmailrc specify alternate run control file\n", stderr);
+
+ fputs(" -p, --protocol specify pop2, pop3, imap, apop, rpop, kpop\n", stderr);
+ fputs(" -P, --port TCP/IP service port to connect to\n",stderr);
+ fputs(" -A, --auth authentication type\n",stderr);
+
+ fputs(" -u, --username specify users's login on server\n", stderr);
fputs(" -a, --all retrieve old and new messages\n", stderr);
fputs(" -F, --flush delete old messages from server\n", stderr);
fputs(" -K, --kill delete new messages after retrieval\n", stderr);
fputs(" -k, --keep save new messages after retrieval\n", stderr);
fputs(" -S, --smtphost set SMTP forwarding host\n", stderr);
- fputs(" -q, --quit kill daemon process\n", stderr);
fputs(" -s, --silent work silently\n", stderr);
- fputs(" -v, --verbose work noisily (diagnostic output)\n", stderr);
- fputs(" -d, --daemon run as a daemon once per n seconds\n", stderr);
- fputs(" -f, --fetchmailrc specify alternate run control file\n", stderr);
- fputs(" -u, --username specify users's login on server\n", stderr);
fputs(" -r, --remote specify remote folder name\n", stderr);
- fputs(" -L, --logfile specify logfile name\n", stderr);
- fputs(" -c, --check check for messages without retrieving\n", stderr);
return(-1);
}
diff --git a/pop3.c b/pop3.c
index fc21ec64..2edbb907 100644
--- a/pop3.c
+++ b/pop3.c
@@ -100,13 +100,6 @@ char *greeting;
}
switch (queryctl->protocol) {
- case P_KPOP:
-#ifndef KERBEROS_V4
- strcat (buf, "KPOP support not compiled into this executable.\n");
- return(PS_ERROR);
-#endif
- /* fall through */
-
case P_POP3:
if ((gen_transact(socket,"USER %s", queryctl->remotename)) != 0)
return(PS_ERROR);
@@ -221,12 +214,6 @@ struct hostrec *queryctl;
fprintf(stderr,"Option --remote is not supported with POP3\n");
return(PS_SYNTAX);
}
- if (queryctl->protocol == P_KPOP)
- {
- struct method kpop_method = pop3;
- kpop_method.port = 1109;
- return(do_protocol(queryctl, &kpop_method));
- }
return(do_protocol(queryctl, &pop3));
}
diff --git a/rcfile_l.l b/rcfile_l.l
index e22dcb75..9a86d8b4 100644
--- a/rcfile_l.l
+++ b/rcfile_l.l
@@ -27,6 +27,8 @@ defaults { return DEFAULTS; }
server { return SERVER; }
proto(col)? { return PROTOCOL; }
port { return PORT; }
+auth(enticate)? { return AUTHENTICATE; }
+kerberos { return KERBEROS; }
user(name)? { return USERNAME; }
pass(word)? { return PASSWORD; }
@@ -60,7 +62,8 @@ options {/* EMPTY */}
(pop3)|(POP3) { yylval.proto = P_POP3; return PROTO; }
(imap)|(IMAP) { yylval.proto = P_IMAP; return PROTO; }
(apop)|(APOP) { yylval.proto = P_APOP; return PROTO; }
-(kpop)|(KPOP) { yylval.proto = P_KPOP; return PROTO; }
+(kpop)|(KPOP) { return KPOP; }
+
(#.*)?\\?\n { prc_lineno++; } /* newline is ignored */
diff --git a/rcfile_y.y b/rcfile_y.y
index af04e88a..f1197ada 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -15,6 +15,7 @@
#include <config.h>
#include <stdio.h>
+#include "fetchmail.h"
extern char *rcfile;
extern int prc_lineno;
extern int prc_errflag;
@@ -25,13 +26,15 @@ int yydebug; /* in case we didn't generate with -- debug */
%union {
int proto;
+ int auth;
int flag;
char *sval;
}
-%token DEFAULTS SERVER PROTOCOL
+%token DEFAULTS SERVER PROTOCOL AUTHENTICATE KPOP KERBEROS
%token USERNAME PASSWORD FOLDER SMTPHOST MDA IS HERE THERE
%token <proto> PROTO
+%token <auth> AUTHTYPE
%token <sval> STRING
%token <flag> KEEP FLUSH FETCHALL REWRITE PORT SKIP
@@ -63,8 +66,15 @@ serverspecs : /* EMPTY */
;
serv_option : PROTOCOL PROTO {prc_setproto($2);}
+ | PROTOCOL KPOP {
+ prc_setproto(P_POP3);
+ prc_setauth(A_KERBEROS);
+ prc_setport(KPOP_PORT);
+ }
| PORT STRING {prc_setport($2);}
| SKIP {prc_setskip($1==FLAG_TRUE);}
+ | AUTHENTICATE PASSWORD {prc_setauth(A_PASSWORD);}
+ | AUTHENTICATE KERBEROS {prc_setauth(A_KERBEROS);}
;
/* the first and only the first user spec may omit the USERNAME part */
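Review bot: The new `PROTOCOL KPOP` action calls `prc_setport(KPOP_PORT)` with the integer 1109, while the existing `PORT STRING` rule calls `prc_setport($2)` with the `sval` string. `prc_setport` is defined outside this diff, but if it takes a `char *` as that rule suggests, the integer would be used as a pointer and the parser would likely crash on any rcfile that says `proto kpop`. Either pass a string here or change `prc_setport` to take an `int` and convert in the `PORT STRING` rule. Also, no visible hunk declares or defines `prc_setauth`, so confirm that it exists and has a prototype.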
diff --git a/sample.rcfile b/sample.rcfile
index 29bdfd90..e2f5663a 100644
--- a/sample.rcfile
+++ b/sample.rcfile
@@ -20,7 +20,10 @@
#
# Legal keywords are
# server
-# protocol (or proto)
+# protocol (or proto) -- nuat be followed by a protocol ID
+# port
+# authenticate (or auth) -- must be followed by an authentication type
+#
# username (or user)
# is
# remotefolder (or remote)
@@ -38,7 +41,6 @@
# nofetchall
# norewrite
# noskip
-# port
#
# Legal protocol identifiers are
# pop2 (or POP2)
@@ -47,6 +49,10 @@
# apop (or APOP)
# kpop (or KPOP)
#
+# Legal authentication types are
+# login
+# kerberos
+#
# Basic format is
# server SERVERNAME protocol PROTOCOL username NAME password PASSWORD
# Example:
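Review bot: The added comment lists `login` as a legal authentication type, but the grammar hunk in rcfile_y.y accepts only `AUTHENTICATE PASSWORD` and `AUTHENTICATE KERBEROS`, and the man page names `password` and `kerberos`. A user copying this sample would write `auth login` and get a parse error. The line should read `#     password`.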
@@ -62,7 +68,7 @@ server pop.provider.net proto pop3 user jsmith password secret1
server pop.provider.net proto pop3 user jsmith password secret1
server other.provider.net proto pop2 user John.Smith password My^Hat
-# Other possibilities (note use of \ to escape newline -- this is all
+# Other possibilities (note optional use of \ to escape newline -- this is all
# one server definition.
server pop.provider.net \
proto pop3 \