aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--INSTALL8
-rw-r--r--NEWS6
-rw-r--r--configure.in25
-rw-r--r--driver.c89
-rw-r--r--fetchmail-features.html6
-rw-r--r--fetchmail.c14
-rw-r--r--fetchmail.h1
-rw-r--r--fetchmail.man14
-rw-r--r--options.c10
-rw-r--r--rcfile_l.l3
-rw-r--r--rcfile_y.y14
-rw-r--r--sample.rcfile1
12 files changed, 169 insertions, 22 deletions
diff --git a/INSTALL b/INSTALL
index 3fa58e6d..3e4c1530 100644
--- a/INSTALL
+++ b/INSTALL
@@ -70,10 +70,10 @@ will do that.
Advanced configuration:
-Specifying --with-kerberos=DIR will tell the fetchmail build process to
-look in DIR for Kerberos support. Configure normally looks in /usr/kerberos
-and /usr/athena; if you specify this option with an argument it will look
-in DIR first.
+Specifying --with-kerberos=DIR or --with-kerberos5=DIR will tell the
+fetchmail build process to look in DIR for Kerberos support.
+Configure normally looks in /usr/kerberos and /usr/athena; if you
+specify this option with an argument it will look in DIR first.
Unfortunately, there doesn't seem to be good standardization of where
Kerberos lives. If your configuration doesn't match one of the four
diff --git a/NEWS b/NEWS
index 42978eb3..fbebfaf5 100644
--- a/NEWS
+++ b/NEWS
@@ -11,10 +11,6 @@
* Make the antispam response configurable.
* Handle multi-homed hosts correctly.
- Other TO-DO items:
-
-* Get with Craig Metz to write a draft RFC on RFC1938 support in IMAP.
-
Release Notes:
------------------------------------------------------------------------------
@@ -22,6 +18,8 @@ fetchmail-4.4.0 ():
* Relax the LOGIN capability check in IMAP.
* John Stracke <francis@netscape.com> sent a workaround for SIGALRM flakiness
under Red Hat 5.0.
+* Kerberos V support from Jon Dugan <jdugan@ncsa.uiuc.edu> and
+ Von Welch <vwelch@ncsa.uiuc.edu>.
There are 269 people on fetchmail-friends and 144 on fetchmail-announce.
diff --git a/configure.in b/configure.in
index 8fd6d8e7..b9354b94 100644
--- a/configure.in
+++ b/configure.in
@@ -265,6 +265,31 @@ else
done
fi
+### use option --with-kerberos5=DIR to point at a Kerberos 5 directory
+AC_ARG_WITH(kerberos5,
+ [ --with-kerberos5=DIR point fetchmail compilation at a Kerberos 5 directory])
+
+# The "then" arm (nonempty $with_kerberos5) is kind of a crock. It works for
+# configuring the BSD/OS Kerberos IV support, though.
+if test "$with_kerberos5" != "yes"
+then
+ # Path given
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$with_kerberos5/include"
+ LDEFLAGS="$LDEFLAGS -L$with_kerberos5/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+else
+ for dir in /usr/kerberos /usr/local/krb5 /usr/athena
+ do
+ if test -f "$dir/include/krb5.h"
+ then
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$dir/include"
+ LDEFLAGS="$LDEFLAGS -L$dir/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+ break
+ fi
+ done
+fi
+
AC_OUTPUT(Makefile, [
# The reason for this odd makedepend line is that we want
# to have all dependencies evaluated relative to the source directory
diff --git a/driver.c b/driver.c
index 07732a87..e697091c 100644
--- a/driver.c
+++ b/driver.c
@@ -66,6 +66,11 @@
#include <netinet/in.h>
#include <netdb.h>
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+#include <krb5.h>
+#include <com_err.h>
+#endif /* KEREROS_V5 */
+
#include "fetchmail.h"
#include "socket.h"
#include "smtp.h"
@@ -1593,6 +1598,72 @@ const char *canonical; /* server name */
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+int
+kerberos5_auth(socket, canonical)
+/* authernticate to the server host using Kerberos V5 */
+int socket; /* socket to server host */
+const char *canonical; /* server name */
+{
+ krb5_error_code retval;
+ krb5_context context;
+ krb5_ccache ccdef;
+ krb5_principal client = NULL, server = NULL;
+ krb5_error *err_ret = NULL;
+
+ krb5_auth_context auth_context = NULL;
+
+ krb5_init_context(&context);
+ krb5_init_ets(context);
+ krb5_auth_con_init(context, &auth_context);
+
+ if (retval = krb5_cc_default(context, &ccdef)) {
+ error(0, 0, "krb5_cc_default: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_cc_get_principal(context, ccdef, &client)) {
+ error(0, 0, "krb5_cc_get_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_sname_to_principal(context, canonical, "pop",
+ KRB5_NT_UNKNOWN,
+ &server)) {
+ error(0, 0, "krb5_sname_to_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ retval = krb5_sendauth(context, &auth_context, (krb5_pointer) &socket,
+ "KPOPV1.0", client, server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL, /* no data to checksum */
+ 0, /* no creds, use ccache instead */
+ ccdef,
+ &err_ret, 0,
+
+ NULL); /* don't need reply */
+
+ krb5_free_principal(context, server);
+ krb5_free_principal(context, client);
+ krb5_auth_con_free(context, auth_context);
+
+ if (retval) {
+ if (err_ret && err_ret->text.length) {
+ error(0, 0, "krb5_sendauth: %s [server says '%*s'] ",
+ error_message(retval),
+ err_ret->text.length,
+ err_ret->text.data);
+ krb5_free_error(context, err_ret);
+ } else
+ error(0, 0, "krb5_sendauth: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ return 0;
+}
+#endif /* KERBEROS_V5 */
+
int do_protocol(ctl, proto)
/* retrieve messages from server using given protocol method table */
struct query *ctl; /* parsed options with merged-in defaults */
@@ -1610,6 +1681,14 @@ const struct method *proto; /* protocol method table */
}
#endif /* KERBEROS_V4 */
+#ifndef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ error(0, -1, "Kerberos V5 support not linked.");
+ return(PS_ERROR);
+ }
+#endif /* KERBEROS_V5 */
+
/* lacking methods, there are some options that may fail */
if (!proto->is_old)
{
@@ -1738,6 +1817,16 @@ const struct method *proto; /* protocol method table */
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ ok = kerberos5_auth(sock, ctl->server.truename);
+ if (ok != 0)
+ goto cleanUp;
+ set_timeout(ctl->server.timeout);
+ }
+#endif /* KERBEROS_V5 */
+
/* accept greeting message from mail server */
ok = (protocol->parse_response)(sock, buf);
if (ok != 0)
diff --git a/fetchmail-features.html b/fetchmail-features.html
index 295f1e36..42cbcf87 100644
--- a/fetchmail-features.html
+++ b/fetchmail-features.html
@@ -10,7 +10,7 @@
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<HR>
@@ -21,6 +21,8 @@ are listed first. <P>
<H2>Since 4.0:</H2>
<UL>
+<LI> Support for Kerberos V authentication.
+
<LI> Support for IMAP-OTP authentication using Craig Metz's patches
for UW IMAP.
@@ -139,7 +141,7 @@ get-mail, gwpop, pimp-1.0, pop-perl5-1.2, popc, popmail-1.6 and upop.<P>
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com">&lt;esr@snark.thyrsus.com&gt;</A></ADDRESS>
diff --git a/fetchmail.c b/fetchmail.c
index 629a95af..7c4be484 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -325,7 +325,10 @@ int main (int argc, char **argv)
for (ctl = querylist; ctl; ctl = ctl->next)
if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)
{
- if (ctl->server.preauthenticate == A_KERBEROS_V4 || ctl->server.protocol == P_IMAP_K4 || ctl->server.protocol == P_IMAP_GSS)
+ if (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5 ||
+ ctl->server.protocol == P_IMAP_K4 ||
+ ctl->server.protocol == P_IMAP_GSS)
/* Server won't care what the password is, but there
must be some non-null string here. */
ctl->password = ctl->remotename;
@@ -450,7 +453,9 @@ int main (int argc, char **argv)
* nameserver is still up. The multidrop case
* (especially) needs it.
*/
- if (ctl->server.preauthenticate==A_KERBEROS_V4 || MULTIDROP(ctl))
+ if (ctl->server.preauthenticate==A_KERBEROS_V4 ||
+ ctl->server.preauthenticate==A_KERBEROS_V5 ||
+ MULTIDROP(ctl))
{
struct hostent *namerec;
@@ -997,7 +1002,8 @@ void dump_params (struct query *ctl)
#else /* INET6 */
&& ctl->server.port == KPOP_PORT
#endif /* INET6 */
- && ctl->server.preauthenticate == A_KERBEROS_V4)
+ && (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5))
printf(" Protocol is KPOP");
else
printf(" Protocol is %s", showproto(ctl->server.protocol));
@@ -1018,6 +1024,8 @@ void dump_params (struct query *ctl)
putchar('\n');
if (ctl->server.preauthenticate == A_KERBEROS_V4)
printf(" Kerberos V4 preauthentication enabled.\n");
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ printf(" Kerberos V5 preauthentication enabled.\n");
if (ctl->server.timeout > 0)
printf(" Server nonresponse timeout is %d seconds", ctl->server.timeout);
if (ctl->server.timeout == CLIENT_TIMEOUT)
diff --git a/fetchmail.h b/fetchmail.h
index 021df036..b7eefb5b 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -22,6 +22,7 @@
/* preauthentication types */
#define A_PASSWORD 0 /* password or inline authentication */
#define A_KERBEROS_V4 1 /* preauthenticate w/ Kerberos V4 */
+#define A_KERBEROS_V5 2 /* preauthenticate w/ Kerberos V5 */
/*
* Definitions for buffer sizes. We get little help on setting maxima
diff --git a/fetchmail.man b/fetchmail.man
index a339dea7..deded9db 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -328,16 +328,16 @@ no other activity has occurred on the link, then the poll will be
skipped. This option is currently only supported under Linux.
.TP
.B \-A, --auth
-(Keyword: auth[enticate])
+(Keyword: auth[enticate])
This option permits you to specify a preauthentication type (see USER
AUTHENTICATION below for details). The possible values are
-\&`\fBpassword\fR' and `\fBkerberos\fR' (or, for excruciating
-exactness, `\fBkerberos_v4\fR'). This option is provided
+\&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for
+excruciating exactness, `\fBkerberos_v4\fR'). This option is provided
primarily for developers; choosing KPOP protocol automatically selects
-Kerberos preauthentication, and all other alternatives use
-password authentication (though APOP uses a generated one-time
-key as the password and IMAP-K4 uses RFC1731 Kerberos v4 authentication).
-This option does not work with ETRN.
+Kerberos preauthentication, and all other alternatives use password
+authentication (though APOP uses a generated one-time key as the
+password and IMAP-K4 uses RFC1731 Kerberos v4 authentication). This
+option does not work with ETRN.
.SS Miscellaneous Options
.TP
.B \-f pathname, --fetchmailrc pathname
diff --git a/options.c b/options.c
index 9849299f..b16d0041 100644
--- a/options.c
+++ b/options.c
@@ -211,7 +211,11 @@ struct query *ctl; /* option record to be initialized */
#else /* INET6 */
ctl->server.port = KPOP_PORT;
#endif /* INET6 */
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
}
else if (strcasecmp(optarg,"imap") == 0)
ctl->server.protocol = P_IMAP;
@@ -243,9 +247,15 @@ struct query *ctl; /* option record to be initialized */
if (strcmp(optarg, "password") == 0)
ctl->server.preauthenticate = A_PASSWORD;
else if (strcmp(optarg, "kerberos") == 0)
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+ else if (strcmp(optarg, "kerberos_v5") == 0)
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
else if (strcmp(optarg, "kerberos_v4") == 0)
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
else {
fprintf(stderr,"Invalid preauthentication `%s' specified.\n", optarg);
errflag++;
diff --git a/rcfile_l.l b/rcfile_l.l
index 4d19be59..c55f7180 100644
--- a/rcfile_l.l
+++ b/rcfile_l.l
@@ -40,7 +40,8 @@ port { return PORT; }
interval { return INTERVAL; }
auth(enticate)? { return AUTHENTICATE; }
kerberos_v4 { return KERBEROS4; }
-kerberos { return KERBEROS4; }
+kerberos { return KERBEROS; }
+kerberos_v5 { return KERBEROS5; }
timeout { return TIMEOUT;}
envelope { return ENVELOPE; }
qvirtual { return QVIRTUAL; }
diff --git a/rcfile_y.y b/rcfile_y.y
index cb63fbf1..110e8081 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -62,7 +62,7 @@ extern char * yytext;
}
%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
-%token AUTHENTICATE TIMEOUT KPOP KERBEROS4
+%token AUTHENTICATE TIMEOUT KPOP KERBEROS4 KERBEROS5 KERBEROS
%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA SMTPADDRESS
%token PRECONNECT POSTCONNECT LIMIT
%token IS HERE THERE TO MAP WILDCARD
@@ -129,7 +129,11 @@ serv_option : AKA alias_list
| PROTOCOL PROTO {current.server.protocol = $2;}
| PROTOCOL KPOP {
current.server.protocol = P_POP3;
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
#if INET6
current.server.service = KPOP_PORT;
#else /* INET6 */
@@ -151,6 +155,14 @@ serv_option : AKA alias_list
| INTERVAL NUMBER {current.server.interval = $2;}
| AUTHENTICATE PASSWORD {current.server.preauthenticate = A_PASSWORD;}
| AUTHENTICATE KERBEROS4 {current.server.preauthenticate = A_KERBEROS_V4;}
+ | AUTHENTICATE KERBEROS5 {current.server.preauthenticate = A_KERBEROS_V5;}
+ | AUTHENTICATE KERBEROS {
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
+ current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
+ }
| TIMEOUT NUMBER {current.server.timeout = $2;}
| ENVELOPE NUMBER STRING
diff --git a/sample.rcfile b/sample.rcfile
index 5f284631..facb95c3 100644
--- a/sample.rcfile
+++ b/sample.rcfile
@@ -83,6 +83,7 @@
# Legal authentication types are
# login
# kerberos
+# kerberos_v5
#
# Legal global option statements are
#