| -rw-r--r-- | conf.c | 18 | ||||
| -rw-r--r-- | fetchmail-FAQ.html | 22 | ||||
| -rw-r--r-- | fetchmail.c | 79 | ||||
| -rw-r--r-- | fetchmail.h | 11 | ||||
| -rw-r--r-- | fetchmail.man | 28 | ||||
| -rwxr-xr-x | fetchmailconf | 18 | ||||
| -rw-r--r-- | gssapi.c | 20 | ||||
| -rw-r--r-- | imap.c | 74 | ||||
| -rw-r--r-- | pop3.c | 40 | ||||
| -rw-r--r-- | rcfile_l.l | 1 | ||||
| -rw-r--r-- | rcfile_y.y | 4 | 
11 files changed, 162 insertions, 153 deletions
@@ -155,11 +155,11 @@ void dump_config(struct runctl *runp, struct query *querylist)      printf("'imap',");  #endif /* IMAP_ENABLE */  #ifdef GSSAPI -    printf("'imap-gss',"); +    printf("'gssapi',");  #endif /* GSSAPI */ -#if defined(IMAP4) && defined(KERBEROS_V4) -    printf("'imap-k4',"); -#endif /* defined(IMAP4) && defined(KERBEROS_V4) */ +#if defined(KERBEROS_V4) +    printf("'kerberos',"); +#endif /* defined(IMAP4) */  #ifdef RPA_ENABLE      printf("'rpa',");  #endif /* RPA_ENABLE */ @@ -271,14 +271,18 @@ void dump_config(struct runctl *runp, struct query *querylist)  	    numdump("envskip", ctl->server.envskip);  	    stringdump("qvirtual", ctl->server.qvirtual); -	    if (ctl->server.preauthenticate == A_KERBEROS_V4) +	    if (ctl->server.preauthenticate == A_ANY) +		stringdump("preauth", "any"); +	    else if (ctl->server.preauthenticate == A_PASSWORD) +		stringdump("preauth", "password"); +	    else if (ctl->server.preauthenticate == A_GSSAPI) +		stringdump("preauth", "gssapi"); +	    else if (ctl->server.preauthenticate == A_KERBEROS_V4)  		stringdump("preauth", "kerberos_v4");  	    else if (ctl->server.preauthenticate == A_KERBEROS_V5)  		stringdump("preauth", "kerberos_v5");  	    else if (ctl->server.preauthenticate == A_SSH)  		stringdump("preauth", "ssh"); -	    else -		stringdump("preauth", "password");  #if defined(HAVE_GETHOSTBYNAME) && defined(HAVE_RES_SEARCH)  	    booldump("dns", ctl->server.dns); diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 84d06ae9..df418399 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@  <table width="100%" cellpadding=0><tr>  <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>  <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $ +<td width="30%" align=right>$Date: 2001/02/12 01:14:27 $  </table>  <HR>  <H1>Frequently Asked Questions About Fetchmail</H1> 
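Review bot: The closing comment on the Kerberos block in the -155 hunk no longer matches its condition: the new guard is `#if defined(KERBEROS_V4)` but the trailer reads `#endif /* defined(IMAP4) */`. It should read `#endif /* defined(KERBEROS_V4) */` so the block can be located by its guard name. dump_config's body starts and ends outside the hunk.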
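Review bot: With the trailing `else` removed in the -271 hunk, a `preauthenticate` value outside the six listed constants now writes no `preauth` entry at all, where the old chain always wrote one. fetchmailconf in this commit initialises `self.preauth = 'any'`, so a dump that omits the key would presumably be read back as the most permissive setting rather than the one in force. Either end the chain with an explicit fallback or add a comment such as `/* the six A_* values above are exhaustive */` so the omission is visibly deliberate.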
@@ -682,6 +682,24 @@ once you have installed the `bind' package.<P>  <hr>  <h2><a name="F1">F1. Why does my old .fetchmailrc file no longer work?</a></h2> +<h3>If your file predates 5.6.5</h3> + +The <tt>imap-gss</tt>, <tt>imap-k4</tt>, and <tt>imap-login</tt> +protocol types are gone. This is a result of a major re-factoring +of the authentication machinery; fetchmail can now use Kerberos V4 +and GSSAPI not just with IMAP but with POP3 servers that have RFC1734 +support for the AUTH command.<p> + +When trying to identify you to an IMAP or POP mailserver, fetchmail +now first tries methods that don't require a password (GSSAPI, +KERBEROS_IV); then it looks for methods that mask your password +(CRAM-MD5, X-OTP); and only if it the server doesn't support any of +those will it ship your password en clair.<p> + +Setting the <tt>preauth</tt> option to any value other than `password' +will prevent from looking for a password in your <tt>.netrc</tt> file +or querying for it at startup time.<p>   +  <h3>If your file predates 5.1.0</h3>  In 5.1.0, the <tt>auth</tt> keyword and option were changed to @@ -2963,7 +2981,7 @@ switching to IMAP and using a short expunge interval.<p>  <table width="100%" cellpadding=0><tr>  <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>  <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/11 23:26:07 $ +<td width="30%" align=right>$Date: 2001/02/12 01:14:27 $  </table>  <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> diff --git a/fetchmail.c b/fetchmail.c index 9e42335a..b7510513 100644 --- a/fetchmail.c +++ b/fetchmail.c 
@@ -323,7 +323,7 @@ int main(int argc, char **argv)      {  	if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)  	{ -	    if (ctl->server.preauthenticate != A_PASSWORD) +	    if (ctl->server.preauthenticate > A_PASSWORD)  		/* Server won't care what the password is, but there  		   must be some non-null string here.  */  		ctl->password = ctl->remotename; @@ -493,7 +493,7 @@ int main(int argc, char **argv)      for (ctl = querylist; ctl; ctl = ctl->next)      {  	if (ctl->active && !(implicitmode && ctl->server.skip) -		&& ctl->server.preauthenticate == A_PASSWORD +		&& ctl->server.preauthenticate <= A_PASSWORD  		&& !ctl->password)  	{  	    if (!isatty(0)) @@ -1102,12 +1102,9 @@ static int load_params(int argc, char **argv, int optind)  	     *  	     * If we're using Kerberos for authentication, we need   	     * the FQDN in order to generate capability keys.  */ -	    if (ctl->server.protocol == P_ETRN -#ifdef ODMR_ENABLE  -			 || ctl->server.protocol == P_ODMR -#endif /* ODMR_ENABLE */ -			 || ctl->server.preauthenticate == A_KERBEROS_V4 -			 || ctl->server.preauthenticate == A_KERBEROS_V5) +	    if (ctl->server.protocol==P_ETRN || ctl->server.protocol==P_ODMR +		|| ctl->server.preauthenticate == A_KERBEROS_V4 +		|| ctl->server.preauthenticate == A_KERBEROS_V5)  		if (strcmp(fetchmailhost, "localhost") == 0)  			fetchmailhost = host_fqdn(); 
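Review bot: The test `ctl->server.preauthenticate > A_PASSWORD` in the -323 hunk depends on the numeric order of the A_* constants, which nothing in the code states; the same assumption is made by `<= A_PASSWORD` in the -493 hunk and in dump_params at -1563. These comparisons decide whether a real password is prompted for or `ctl->remotename` is substituted, so a constant later inserted at the wrong position in fetchmail.h would silently change which methods carry a password. I would add a comment above the defines in fetchmail.h, `/* order matters: values <= A_PASSWORD need a password, higher values do not */`. main()'s body starts and ends outside these hunks.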
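Review bot: In the -1102 hunk `P_ODMR` is now referenced without the `#ifdef ODMR_ENABLE` guard that used to surround it. If fetchmail.h defines P_ODMR only when ODMR_ENABLE is set (not visible here), builds without ODMR stop compiling, so confirm the constant is unconditional. The nested `if (...) if (strcmp(...))` would also be safer with braces on the outer statement.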
@@ -1563,32 +1560,22 @@ static void dump_params (struct runctl *runp,  	if (ctl->server.skip || outlevel >= O_VERBOSE)  	    printf(_("  This host %s be queried when no host is specified.\n"),  		   ctl->server.skip ? _("will not") : _("will")); -	/* -	 * Don't poll for password when there is one or when using the ETRN -	 * or GSSAPI or KERBEROS protocol -	 */ -	/* ETRN, IMAP_GSS, and IMAP_K4 do not need a password, so skip this */ -	if ( (ctl->server.protocol != P_ETRN) -#ifdef GSSAPI -			&& (ctl->server.preauthenticate != A_GSSAPI) -#endif /* GSSAPI */ -       			&& (ctl->server.preauthenticate != A_KERBEROS_V4)  -       			&& (ctl->server.preauthenticate != A_KERBEROS_V5))  +	if (ctl->server.preauthenticate <= A_PASSWORD)  	{ -		if (!ctl->password) -			printf(_("  Password will be prompted for.\n")); -		else if (outlevel >= O_VERBOSE) -		{ -			if (ctl->server.protocol == P_APOP) -				printf(_("  APOP secret = \"%s\".\n"), -							visbuf(ctl->password)); -			else if (ctl->server.protocol == P_RPOP) -				printf(_("  RPOP id = \"%s\".\n"), -							visbuf(ctl->password)); -			else -				printf(_("  Password = \"%s\".\n"), +	    if (!ctl->password) +		printf(_("  Password will be prompted for.\n")); +	    else if (outlevel >= O_VERBOSE) +	    { +		if (ctl->server.protocol == P_APOP) +		    printf(_("  APOP secret = \"%s\".\n"), +			   visbuf(ctl->password)); +		else if (ctl->server.protocol == P_RPOP) +		    printf(_("  RPOP id = \"%s\".\n"), +			   visbuf(ctl->password)); +		else +		    printf(_("  Password = \"%s\".\n"),  							visbuf(ctl->password)); -		} +	    }  	}  	if (ctl->server.protocol == P_POP3  
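Review bot: The old condition skipped the password lines for `P_ETRN`, but the new `if (ctl->server.preauthenticate <= A_PASSWORD)` has no protocol test, so an ETRN or ODMR entry left at the new default A_ANY prints "Password will be prompted for." although the man page in this commit says those modes need no authentication. Keeping the protocol test, `if (ctl->server.protocol != P_ETRN && ctl->server.preauthenticate <= A_PASSWORD)`, preserves the earlier output. Separately, the verbose branch prints the stored password, APOP secret and RPOP id to stdout in clear; this commit only re-indents it, but a comment noting that verbose dumps contain credentials would help anyone who shares that output. dump_params starts and ends outside the hunk.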
@@ -1618,15 +1605,29 @@ static void dump_params (struct runctl *runp,  	    printf(_(" (forcing UIDL use)"));  	putchar('.');  	putchar('\n'); -	if (ctl->server.preauthenticate == A_KERBEROS_V4) -	    printf(_("  Kerberos V4 preauthentication enabled.\n")); -	else if (ctl->server.preauthenticate == A_KERBEROS_V5) -	    printf(_("  Kerberos V5 preauthentication enabled.\n")); -	else if (ctl->server.preauthenticate == A_SSH) +	switch (ctl->server.preauthenticate) +	{ +	case A_ANY: +	    printf(_("  All authentication methods will be described.\n")); +	    break; +	case A_PASSWORD: +	    printf(_("  Password authentication will be forced.\n")); +	    break; +	case A_GSSAPI: +	    printf(_("  GSSAPI preauthentication will be forced.\n")); +	    break; +	case A_KERBEROS_V4: +	    printf(_("  Kerberos V4 preauthentication will be forced.\n")); +	    break; +	case A_KERBEROS_V5: +	    printf(_("  Kerberos V5 preauthentication will be forced.\n")); +	    break; +	case A_SSH:  	    printf(_("  End-to-end encryption assumed.\n")); -	if (ctl->server.principal != (char *) NULL) { -	    printf(_("  Mail service principal is: %s\n"), ctl->server.principal); +	    break;  	} +	if (ctl->server.principal != (char *) NULL) +	    printf(_("  Mail service principal is: %s\n"), ctl->server.principal);  #ifdef	SSL_ENABLE  	if (ctl->use_ssl)  	    printf("  SSL encrypted sessions enabled.\n"); diff --git a/fetchmail.h b/fetchmail.h index dbc386d4..b1b37d05 100644 --- a/fetchmail.h +++ b/fetchmail.h 
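Review bot: The new `switch` on `ctl->server.preauthenticate` has no `default:` case, so an unexpected value prints nothing and the dump gives no hint that the setting was unrecognised; add `default: break;` with a comment, or report the raw value. The A_ANY message says the methods "will be described", which reads like a slip for "tried" given the man-page wording in this commit; worth confirming before the string is translated. dump_params starts and ends outside the hunk.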
@@ -29,11 +29,12 @@
 #endif
 /* preauthentication types */
-#define		A_PASSWORD	0	/* password or inline authentication */
-#define		A_KERBEROS_V4	1	/* preauthenticate w/ Kerberos V4 */
-#define		A_KERBEROS_V5	2	/* preauthenticate w/ Kerberos V5 */
-#define 	A_GSSAPI	3	/* preauthenticate with GSSAPI */
-#define		A_SSH		4	/* preauthentication at session level */
+#define		A_ANY		0	/* use the first method that works */
+#define		A_PASSWORD	1	/* password or inline authentication */
+#define		A_KERBEROS_V4	2	/* preauthenticate w/ Kerberos V4 */
+#define		A_KERBEROS_V5	3	/* preauthenticate w/ Kerberos V5 */
+#define 	A_GSSAPI	4	/* preauthenticate with GSSAPI */
+#define		A_SSH		5	/* preauthentication at session level */
 /*
  * Definitions for buffer sizes.  We get little help on setting maxima
diff --git a/fetchmail.man b/fetchmail.man
index db1444aa..26e940bb 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -499,20 +499,22 @@ when interface data is being collected.  .TP  .B --preauth <type>  (Keyword: preauth[enticate]) -This option permits you to specify a preauthentication type (see USER -AUTHENTICATION below for details).  The possible values are +This option permits you to specify an authentication type (see USER +AUTHENTICATION below for details).  The possible values are \fBany\fR,  \&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for  excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR, and -\fBssh\fR.  Any value other than "password" suppresses fetchmail's -normal inquiry for a password.  Specify \fBssh\fR when you are using -an end-to-end secure connection such as an ssh tunnel; specify -\fRgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant -that employs GSSAPI or K4.  Other values of this option are provided -primarily for developers; choosing KPOP protocol automatically selects -Kerberos preauthentication, and all other alternatives use password -authentication (though APOP uses a generated one-time key as the -password and IMAP-K4 uses RFC1731 Kerberos v4 authentication).  This -option does not work with ETRN or ODMR. +\fBssh\fR.  When \fBany\fR (the default) is specified, fetchmail tries +first methods that don't require a password (GSSAPI, KERBEROS_IV); +then it looks for methods that mask your password (CRAM-MD5, X-OTP); +and only if it the server doesn't support any of those will it ship +your password en clair.  Other values may be used to force various +authentication methods (\fBssh\fR suppresses authentication).  Any +value other than "password" suppresses fetchmail's normal inquiry for +a password.  Specify \fBssh\fR when you are using an end-to-end secure +connection such as an ssh tunnel; specify \fRgssapi\fR or +\fBkerberos_v4\fR if you are using a protocol variant that employs +GSSAPI or K4.  Choosing KPOP protocol automatically selects Kerberos +preauthentication.  
This option does not work with ETRN or ODMR.  .SS Miscellaneous Options  .TP  .B \-f <pathname>, --fetchmailrc <pathname> @@ -601,7 +603,7 @@ editor like  written in Python.  .SH USER AUTHENTICATION AND ENCRYPTION -Every mode except ETRN requires authentication of the client. +All modes except ETRN and ODMR requires authentication of the client.  Normal user authentication in   .I fetchmail  is very much like the authentication mechanism of  diff --git a/fetchmailconf b/fetchmailconf index a794ae69..7ef4add8 100755 --- a/fetchmailconf +++ b/fetchmailconf @@ -4,7 +4,7 @@  # by Eric S. Raymond, <esr@snark.thyrsus.com>.  # Requires Python with Tkinter, and the following OS-dependent services:  #	posix, posixpath, socket -version = "1.35" +version = "1.36"  from Tkinter import *  from Dialog import * @@ -80,7 +80,7 @@ class Server:  	self.protocol = 'auto'		# Default to auto protocol  	self.port = 0			# Port number to use  	self.uidl = FALSE		# Don't use RFC1725 UIDLs by default -	self.preauth = 'password'	# Default to password authentication +	self.preauth = 'any'		# Default to password authentication  	self.timeout = 300		# 5-minute timeout  	self.envelope = 'Received'	# Envelope-address header  	self.envskip = 0		# Number of envelope headers to skip @@ -370,12 +370,10 @@ defaultports = {"auto":0,                  "APOP":110,                  "KPOP":1109,                  "IMAP":143, -		"IMAP-GSS":143, -		"IMAP-K4":143,  		"ETRN":25,                  "ODMR":366} -preauthlist = ("password", "kerberos", "ssh") +preauthlist = ("any", "password", "gssapi", "kerberos", "ssh")  listboxhelp = {      'title' : 'List Selection Help', 
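Review bot: In the -80 hunk of fetchmailconf the comment on the changed line still says `# Default to password authentication` while the value is now `'any'`. Since `any` lets the mechanisms the server advertises decide the method, the comment should say so, for example `# Default: try each method the server offers`.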
@@ -1046,10 +1044,6 @@ class ServerEdit(Frame, MyWidget):              protolist.append("SDPS")          if 'imap' in feature_options:              protolist.append("IMAP") -        if 'imap-gss' in feature_options: -            protolist.append("IMAP-GSS") -        if 'imap-k4' in feature_options: -            protolist.append("IMAP-K4")          if 'etrn' in feature_options:              protolist.append("ETRN")          if 'odmr' in feature_options: @@ -1104,7 +1098,7 @@ class ServerEdit(Frame, MyWidget):  		 self.server.localdomains, None, None, mdropwin, multihelp)              mdropwin.pack(fill=X) -            if os_type == 'linux' or os_type == 'freebsd' or 'netsec' in feature_options or 'imap-k4' in feature_options: +            if os_type in ('linux', 'freebsd') or 'netsec' in feature_options:                  secwin = Frame(rightwin, relief=RAISED, bd=5)                  Label(secwin, text="Security").pack(side=TOP)                  # Don't actually let users set this.  KPOP sets it implicitly @@ -1120,7 +1114,7 @@ class ServerEdit(Frame, MyWidget):                      LabeledEntry(secwin, 'IPV6 security options:',  			 self.netsec, leftwidth).pack(side=TOP, fill=X)          	# Someday this should handle Kerberos 5 too -        	if 'imap-k4' in feature_options: +        	if 'kerberos' in feature_options:                      LabeledEntry(secwin, 'Principal:',                           self.principal, '12').pack(side=TOP, fill=X)                  Button(secwin, text='Help', fg='blue', 
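Review bot: The Principal entry appears to be built inside the `secwin` block, and the -1104 hunk drops the Kerberos feature from that block's condition: the outer test is now `os_type in ('linux', 'freebsd') or 'netsec' in feature_options`, while the inner test in the -1120 hunk checks `'kerberos' in feature_options`. On another OS with Kerberos compiled in and no netsec the field would be unreachable, where the old condition included `'imap-k4'`. Adding `or 'kerberos' in feature_options` to the outer test restores the earlier reach. The enclosing method starts and ends outside both hunks, so the nesting is read from the indentation shown.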
@@ -1602,7 +1596,7 @@ class UserEdit(Frame, MyWidget):  		    variable=self.idle).pack(side=TOP, anchor=W)              limwin.pack(fill=X) -            if self.parent.server.protocol in ('IMAP', 'IMAP-K4', 'IMAP-GSS'): +            if self.parent.server.protocol == 'IMAP':                  foldwin = Frame(rightwin, relief=RAISED, bd=5)                  Label(foldwin, text="Remote folders (IMAP only)").pack(side=TOP)                  ListEdit("New folder:", self.user.mailboxes, @@ -106,10 +106,11 @@ int do_gssauth(int sock, char *command, char *hostname, char *username)          }          to64frombits(buf1, send_token.value, send_token.length);          gss_release_buffer(&min_stat, &send_token); -	strcat(buf1, "\r\n"); -        SockWrite(sock, buf1, strlen(buf1)); -        if (outlevel >= O_MONITOR) -            report(stdout, "IMAP> %s\n", buf1); + +	suppress_tags = TRUE; +	gen_send(sock, buf1, strlen(buf1)); +	suppress_tags = FALSE; +          if (maj_stat == GSS_S_CONTINUE_NEEDED) {  	    if (result = gen_recv(sock, buf1, sizeof buf1)) {  	        gss_release_name(&min_stat, &target_name); 
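Review bot: In the gssapi.c -106 hunk, `gen_send(sock, buf1, strlen(buf1))` passes the token buffer in the position that other calls on this page use for a printf-style format (`gen_send(sock, "*")`, `gen_transact(sock, "PASS %s", ...)`). If gen_send is variadic as those calls suggest, buf1 is interpreted as a format string and the length argument is ignored; base64 output contains no `%`, so this is latent, but `gen_send(sock, "%s", buf1);` states the intent and stays safe if the buffer's contents ever change. A one-line comment on why `suppress_tags` is toggled around the call would also help, since it is a global affecting every sender. do_gssauth starts and ends outside the hunk.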
@@ -119,18 +120,19 @@ int do_gssauth(int sock, char *command, char *hostname, char *username)  	    request_buf.value = buf2;  	    sec_token = &request_buf;          } -    } while (maj_stat == GSS_S_CONTINUE_NEEDED); +    } while +	(maj_stat == GSS_S_CONTINUE_NEEDED);      gss_release_name(&min_stat, &target_name);      /* get security flags and buffer size */ -    if (result = gen_recv(sock, buf1, sizeof buf1)) { +    if (result = gen_recv(sock, buf1, sizeof buf1))          return result; -    } +      request_buf.length = from64tobits(buf2, buf1 + 2);      request_buf.value = buf2; -    maj_stat = gss_unwrap(&min_stat, context, &request_buf, &send_token, -        &cflags, &quality); +    maj_stat = gss_unwrap(&min_stat, context,  +			  &request_buf, &send_token, &cflags, &quality);      if (maj_stat != GSS_S_COMPLETE) {          report(stderr, _("Couldn't unwrap security level data\n"));          gss_release_buffer(&min_stat, &send_token); 
@@ -277,46 +277,26 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)      }      /* -     * OK, now try the protocol variants that don't require passwords first. +     * Time to authenticate the user. +     * Try the protocol variants that don't require passwords first.       */  #ifdef GSSAPI -    if (strstr(capabilities, "AUTH=GSSAPI")) -    { -        if (ctl->server.preauthenticate == A_GSSAPI) -        { -            if (outlevel >= O_DEBUG) -                report(stdout, _("GSS authentication is supported\n")); -            return do_gssauth(sock, ctl->server.truename, ctl->remotename); -        } -    } -    else if (ctl->server.preauthenticate == P_IMAP_GSS) -    { -        report(stderr,  -	       _("Required GSS capability not supported by server\n")); -        return(PS_AUTHFAIL); -    } +    if ((ctl->server.preauthenticate == A_ANY  +	 || ctl->server.preauthenticate==A_GSSAPI) +	&& strstr(capabilities, "AUTH=GSSAPI")) +	return(do_gssauth(sock, ctl->server.truename, ctl->remotename));  #endif /* GSSAPI */  #ifdef KERBEROS_V4 -    if (strstr(capabilities, "AUTH=KERBEROS_V4")) -    { -	if (outlevel >= O_DEBUG) -	    report(stdout, _("KERBEROS_V4 authentication is supported\n")); - -	if (ctl->server.preauthenticate == A_KERBEROS_V4) -	{ -	    if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename))) -		/* SASL cancellation of authentication */ -		gen_send(sock, "*"); -	    return(ok); -	} -	/* else fall through to ordinary AUTH=LOGIN case */ -    } -    else if (ctl->server.preauthenticate == A_KERBEROS_V4) +    if ((ctl->server.preauthenticate == A_ANY  +	 || ctl->server.preauthenticate==A_KERBEROS_V4 +	 || ctl->server.preauthenticate==A_KERBEROS_V5)  +	&& strstr(capabilities, "AUTH=KERBEROS_V4"))      { -        report(stderr,  -	       _("Required KERBEROS_V4 capability not supported by server\n")); -        return(PS_AUTHFAIL); +	if ((ok = do_rfc1731(sock, "AUTHENTICATE", ctl->server.truename))) +	    /* SASL cancellation of 
authentication */ +	    gen_send(sock, "*"); +	return(ok);      }  #endif /* KERBEROS_V4 */ @@ -327,8 +307,6 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)      if (strstr(capabilities, "AUTH=CRAM-MD5"))      { -        if (outlevel >= O_DEBUG) -            report(stdout, _("CRAM-MD5 authentication is supported\n"));  	if ((ok = do_cram_md5 (sock, "AUTHENTICATE", ctl)))  	    /* SASL cancellation of authentication */  	    gen_send(sock, "*"); @@ -337,30 +315,22 @@ int imap_getauth(int sock, struct query *ctl, char *greeting)  #if OPIE_ENABLE      if (strstr(capabilities, "AUTH=X-OTP")) -    { -	if (outlevel >= O_DEBUG) -	    report(stdout, _("OTP authentication is supported\n")); -	if (do_otp(sock, ctl) == PS_SUCCESS) -	    return(PS_SUCCESS); -    }; +	return(do_otp(sock, ctl);  #endif /* OPIE_ENABLE */  #ifdef NTLM_ENABLE      if (strstr (capabilities, "AUTH=NTLM")) -    { -        if (outlevel >= O_DEBUG) -            report (stdout, _("NTLM authentication is supported\n")); -        return do_imap_ntlm (sock, ctl); -    } +        return(do_imap_ntlm (sock, ctl));  #endif /* NTLM_ENABLE */  #ifdef __UNUSED__	/* The Cyrus IMAP4rev1 server chokes on this */      /* this handles either AUTH=LOGIN or AUTH-LOGIN */ -    if ((imap_version >= IMAP4rev1) && (!strstr(capabilities, "LOGIN"))) { -      report(stderr,  -	     _("Required LOGIN capability not supported by server\n")); -      return PS_AUTHFAIL; -    }; +    if ((imap_version >= IMAP4rev1) && (!strstr(capabilities, "LOGIN"))) +    { +	report(stderr,  +	       _("Required LOGIN capability not supported by server\n")); +	return PS_AUTHFAIL; +    }  #endif /* __UNUSED__ */      /* we're stuck with sending the password en clair */ 
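Review bot: A forced method no longer fails closed in the imap.c -277 hunk: the removed branches returned PS_AUTHFAIL when `preauthenticate` was A_GSSAPI or A_KERBEROS_V4 and the server did not advertise the capability, whereas now control falls through to the CRAM-MD5, OTP, NTLM and plaintext paths further down. The capability list is read before any authentication has happened, so a tampered or stripped list downgrades both a forced and an `any` configuration to the weakest method without any error. I would keep an explicit refusal after the two blocks, e.g. `if (ctl->server.preauthenticate > A_PASSWORD) return(PS_AUTHFAIL);` (A_SSH may need exempting, depending on code outside the hunk). Also, `do_gssauth(sock, ctl->server.truename, ctl->remotename)` passes three arguments while the gssapi.c hunk header shows four parameters with `command` second, and pop3.c passes `"AUTH"` there.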
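Review bot: `return(do_otp(sock, ctl);` in the imap.c -337 hunk is missing a closing parenthesis, so a build with OPIE_ENABLE will not compile; it should be `return(do_otp(sock, ctl));`. The new form also returns on failure, where the old code returned only on PS_SUCCESS and otherwise went on to the next method. None of the CRAM-MD5, X-OTP or NTLM tests consult `ctl->server.preauthenticate`, so `preauth password` does not force a password login when the server advertises one of them; a guard like the one added for GSSAPI would make the option behave as the man page describes. imap_getauth starts and ends outside the hunk.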
@@ -211,40 +211,54 @@ int pop3_getauth(int sock, struct query *ctl, char *greeting)  	if (strchr(greeting, '<') && gen_transact(sock, "AUTH") == 0)  	{  	    char buffer[10]; -	    flag has_cram = FALSE; -#if defined(KERBEROS_IV) +#if defined(GSSAPI) +	    flag has_gssapi = FALSE; +#endif /* defined(GSSAPI) */ +#if defined(KERBEROS_V4) || defined(KERBEROS_V5)  	    flag has_kerberos = FALSE; -#endif /* defined(KERBEROS_IV) */ +#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +	    flag has_cram = FALSE;  #ifdef OPIE_ENABLE  	    flag has_opie = FALSE;  #endif /* OPIE_ENABLE */ +	    /* determine what authentication methods we have available */  	    while ((ok = gen_recv(sock, buffer, sizeof(buffer))) == 0)  	    {  		if (DOTLINE(buffer))  		    break; -		if (strncasecmp(buffer, "CRAM-MD5", 8) == 0) -		    has_cram = TRUE; -#if defined(KERBEROS_IV) +#if defined(GSSAPI) +		if (strncasecmp(buffer, "GSSAPI", 8) == 0) +		    has_gssapi = TRUE; +#endif /* defined(GSSAPI) */ +#if defined(KERBEROS_V4) || defined(KERBEROS_V5)  		if (strncasecmp(buffer, "KERBEROS_V4", 8) == 0)  		    has_kerberos = TRUE; -#endif /* defined(KERBEROS_IV) */ +#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +		if (strncasecmp(buffer, "CRAM-MD5", 8) == 0) +		    has_cram = TRUE;  #ifdef OPIE_ENABLE  		if (strncasecmp(buffer, "X-OTP", 8) == 0)  		    has_opie = TRUE;  #endif /* OPIE_ENABLE */  	    } -#if defined(KERBEROS_IV) + +#if defined(GSSAPI) +	    if (has_kerberos) +		return(do_gssauth(sock, "AUTH",  +				  ctl->server.truename, ctl->remotename)); +#endif /* defined(GSSAPI) */ +#if defined(KERBEROS_V4) || defined(KERBEROS_V5)  	    if (has_kerberos)  		return(do_rfc1731(sock, "AUTH", ctl->server.truename)); -#endif /* defined(KERBEROS_IV) */ +#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +	    if (has_cram) +		return(do_cram_md5(sock, "AUTH", ctl));  #ifdef OPIE_ENABLE  	    if (has_opie) -		do_otp(sock, ctl) +		do_otp(sock, "AUTH", ctl)  #endif /* 
OPIE_ENABLE */ -	    if (has_cram) -		return(do_cram_md5(sock, "AUTH", ctl)); -	} +       }  	/* ordinary validation, no one-time password or RPA */   	ok = gen_transact(sock, "PASS %s", ctl->password); @@ -83,6 +83,7 @@ service		{ return SERVICE; }  port		{ return PORT; }  interval	{ return INTERVAL; }  preauth(enticate)?	{ SETSTATE(PREAUTH); return PREAUTHENTICATE; } +any		{ SETSTATE(0); return ANY; }  gssapi		{ SETSTATE(0); return GSSAPI; }  kerberos(_v)?4	{ SETSTATE(0); return KERBEROS4; }  kerberos(_v)?5	{ SETSTATE(0); return KERBEROS5; } @@ -58,7 +58,7 @@ extern char * yytext;    char *sval;  } -%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL +%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL ANY  %token PREAUTHENTICATE TIMEOUT KPOP SDPS KERBEROS4 KERBEROS5 KERBEROS GSSAPI  %token SSH ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA BSMTP LMTP  %token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS @@ -181,7 +181,9 @@ serv_option	: AKA alias_list  #endif /* INET6_ENABLE */  		}  		| INTERVAL NUMBER		{current.server.interval = $2;} +		| PREAUTHENTICATE ANY		{current.server.preauthenticate = A_ANY;}  		| PREAUTHENTICATE PASSWORD	{current.server.preauthenticate = A_PASSWORD;} +		| PREAUTHENTICATE GSSAPI	{current.server.preauthenticate = A_GSSAPI;}  		| PREAUTHENTICATE KERBEROS4	{current.server.preauthenticate = A_KERBEROS_V4;}                  | PREAUTHENTICATE KERBEROS5 	{current.server.preauthenticate = A_KERBEROS_V5;}                  | PREAUTHENTICATE KERBEROS         {  | 
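Review bot: The GSSAPI dispatch in the pop3.c -211 hunk tests the wrong flag: `if (has_kerberos) return(do_gssauth(...))` should be `if (has_gssapi)`, since has_kerberos is declared only under the Kerberos guards (a GSSAPI-only build would not compile) and has_gssapi is otherwise never read. In the OPIE block, `do_otp(sock, "AUTH", ctl)` has no semicolon and its result is discarded, so even a completed exchange would fall through to `PASS %s` and put the password on the wire in clear; it should be `return(do_otp(sock, "AUTH", ctl));`, with the argument list reconciled with imap.c, which calls `do_otp(sock, ctl)`. The length 8 passed to strncasecmp makes `"KERBEROS_V4"` match any name beginning with KERBEROS, and `ctl->server.preauthenticate` is not consulted here, so a forced method is not honoured on POP3. pop3_getauth starts and ends outside the hunk.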
