diff options
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | conf.c | 4 | ||||
-rw-r--r-- | fetchmail.h | 14 | ||||
-rw-r--r-- | fetchmail.man | 28 | ||||
-rw-r--r-- | pop3.c | 89 |
5 files changed, 71 insertions, 66 deletions
@@ -5,6 +5,8 @@ * `preauth' option changed back to `auth' * IMAP code now bails out if the server forces the mailbox read-only. * Fixed a core dump in Dave Zarzycki's new plugin code. +* POP3 latency optimization: only do CAPA and set authentication capabilities + from it once at start of run. fetchmail-5.6.7 (Mon Feb 19 12:31:03 EST 2001), 20082 lines: @@ -275,6 +275,10 @@ void dump_config(struct runctl *runp, struct query *querylist) stringdump("auth", "any"); else if (ctl->server.authenticate == A_PASSWORD) stringdump("auth", "password"); + else if (ctl->server.authenticate == A_OTP) + stringdump("auth", "otp"); + else if (ctl->server.authenticate == A_CRAM_MD5) + stringdump("auth", "cram-md5"); else if (ctl->server.authenticate == A_GSSAPI) stringdump("auth", "gssapi"); else if (ctl->server.authenticate == A_KERBEROS_V4) diff --git a/fetchmail.h b/fetchmail.h index e78e2121..3c7d4b9b 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -39,14 +39,16 @@ /* authentication types */ #define A_ANY 0 /* use the first method that works */ -#define A_PASSWORD 1 /* password or inline authentication */ -#define A_KERBEROS_V4 2 /* authenticate w/ Kerberos V4 */ -#define A_KERBEROS_V5 3 /* authenticate w/ Kerberos V5 */ -#define A_GSSAPI 4 /* authenticate with GSSAPI */ -#define A_SSH 5 /* authentication at session level */ +#define A_PASSWORD 1 /* password authentication */ +#define A_CRAM_MD5 2 /* CRAM-MD5 shrouding (RFC2195) */ +#define A_OTP 3 /* One-time password (RFC1508) */ +#define A_KERBEROS_V4 4 /* authenticate w/ Kerberos V4 */ +#define A_KERBEROS_V5 5 /* authenticate w/ Kerberos V5 */ +#define A_GSSAPI 6 /* authenticate with GSSAPI */ +#define A_SSH 7 /* authentication at session level */ /* some protocols (KERBEROS, GSSAPI, SSH) don't require a password */ -#define NO_PASSWORD(ctl) ((ctl)->server.authenticate > A_PASSWORD || !MAILBOX_PROTOCOL(ctl)) +#define NO_PASSWORD(ctl) ((ctl)->server.authenticate > A_OTP || !MAILBOX_PROTOCOL(ctl)) /* * Definitions for buffer sizes. We get little help on setting maxima diff --git a/fetchmail.man b/fetchmail.man index 5342b8a5..9de9e9c9 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -502,19 +502,21 @@ when interface data is being collected. This option permits you to specify an authentication type (see USER AUTHENTICATION below for details). The possible values are \fBany\fR, \&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for -excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR, and -\fBssh\fR. When \fBany\fR (the default) is specified, fetchmail tries -first methods that don't require a password (GSSAPI, KERBEROS_IV); -then it looks for methods that mask your password (CRAM-MD5, X-OTP); -and only if it the server doesn't support any of those will it ship -your password en clair. Other values may be used to force various -authentication methods (\fBssh\fR suppresses authentication). Any -value other than "password" suppresses fetchmail's normal inquiry for -a password. Specify \fBssh\fR when you are using an end-to-end secure -connection such as an ssh tunnel; specify \fRgssapi\fR or -\fBkerberos_v4\fR if you are using a protocol variant that employs -GSSAPI or K4. Choosing KPOP protocol automatically selects Kerberos -authentication. This option does not work with ETRN or ODMR. +excruciating exactness, `\fBkerberos_v4\fR'), \fRgssapi\fR, +\fIcram-md5\fR, \fIotp\fR, and \fBssh\fR. When \fBany\fR (the +default) is specified, fetchmail tries first methods that don't +require a password (GSSAPI, KERBEROS_IV); then it looks for methods +that mask your password (CRAM-MD5, X-OTP); and only if the server +doesn't support any of those will it ship your password en clair. +Other values may be used to force various authentication methods +(\fBssh\fR suppresses authentication). Any value other than +\fIpassword\fR, \fIcram-md5\fR or \fIotp\fR suppresses fetchmail's +normal inquiry for a password. Specify \fBssh\fR when you are using +an end-to-end secure connection such as an ssh tunnel; specify +\fRgssapi\fR or \fBkerberos_v4\fR if you are using a protocol variant +that employs GSSAPI or K4. Choosing KPOP protocol automatically +selects Kerberos authentication. This option does not work with ETRN +or ODMR. .SS Miscellaneous Options .TP .B \-f <pathname>, --fetchmailrc <pathname> @@ -167,35 +167,12 @@ int pop3_getauth(int sock, struct query *ctl, char *greeting) } #endif /* RPA_ENABLE */ -#if OPIE_ENABLE - /* see RFC1938: A One-Time Password System */ - if (challenge = strstr(lastok, "otp-")) { - char response[OPIE_RESPONSE_MAX+1]; - int i; - - i = opiegenerator(challenge, !strcmp(ctl->password, "opie") ? "" : ctl->password, response); - if ((i == -2) && !run.poll_interval) { - char secret[OPIE_SECRET_MAX+1]; - fprintf(stderr, _("Secret pass phrase: ")); - if (opiereadpass(secret, sizeof(secret), 0)) - i = opiegenerator(challenge, secret, response); - memset(secret, 0, sizeof(secret)); - }; - - if (i) { - ok = PS_ERROR; - break; - }; - - ok = gen_transact(sock, "PASS %s", response); - break; - } -#endif /* OPIE_ENABLE */ - /* - * CAPA command may return a list of available mechanisms. - * if it doesn't, no harm done, we just fall back to a - * plain login. + * CAPA command may return a list including available + * authentication mechanisms. if it doesn't, no harm done, we + * just fall back to a plain login. Note that this code + * latches the server's authentication type, so that in daemon mode + * the CAPA check only needs to be done once at start of run. * * APOP was introduced in RFC 1450, and CAPA not until * RFC2449. So the < check is an easy way to prevent CAPA from @@ -204,7 +181,7 @@ int pop3_getauth(int sock, struct query *ctl, char *greeting) * it. This certainly catches IMAP-2000's POP3 gateway. * * These authentication methods are blessed by RFC1734, - * describing the POP3 AUTHentication command. + * describing the POP3 AUTHentication command. */ if (ctl->server.authenticate == A_ANY && strchr(greeting, '<') @@ -235,35 +212,53 @@ int pop3_getauth(int sock, struct query *ctl, char *greeting) if (strstr(buffer, "KERBEROS_V4")) has_kerberos = TRUE; #endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ - if (strstr(buffer, "CRAM-MD5")) - has_cram = TRUE; #ifdef OPIE_ENABLE if (strstr(buffer, "X-OTP")) - has_opie = TRUE; + has_otp = TRUE; #endif /* OPIE_ENABLE */ + if (strstr(buffer, "CRAM-MD5")) + has_cram = TRUE; } + /* + * Here's where we set priorities. Note that we must do tests + * in *reverse* order of desirability. + */ + if (has_cram) + ctl->server.authenticate = A_CRAM_MD5; +#ifdef OPIE_ENABLE + if (has_opie) + ctl->server.authenticate = A_OTP; +#endif /* OPIE_ENABLE */ #if defined(GSSAPI) - if ((ctl->server.authenticate == A_ANY - || ctl->server.authenticate==A_GSSAPI) - && has_gssapi) - return(do_gssauth(sock, "AUTH", - ctl->server.truename, ctl->remotename)); + if (has_gssapi) + ctl->server.authenticate = A_GSSAPI; #endif /* defined(GSSAPI) */ #if defined(KERBEROS_V4) || defined(KERBEROS_V5) - if ((ctl->server.authenticate == A_ANY - || ctl->server.authenticate==A_KERBEROS_V4 - || ctl->server.authenticate==A_KERBEROS_V5) - && has_kerberos) - return(do_rfc1731(sock, "AUTH", ctl->server.truename)); + if (has_kerberos) + ctl->server.authenticate = A_KERBEROS_V4; #endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ - if (has_cram) - return(do_cram_md5(sock, "AUTH", ctl)); + } + + /* + * OK, we have an authentication type now. + */ +#if defined(KERBEROS_V4) || defined(KERBEROS_V5) + if (ctl->server.authenticate == A_KERBEROS_V4 + || ctl->server.authenticate == A_KERBEROS_V5) + return(do_rfc1731(sock, "AUTH", ctl->server.truename)); +#endif /* defined(KERBEROS_V4) || defined(KERBEROS_V5) */ +#if defined(GSSAPI) + if (ctl->server.authenticate==A_GSSAPI)) + return(do_gssauth(sock, "AUTH", + ctl->server.truename, ctl->remotename)); +#endif /* defined(GSSAPI) */ #ifdef OPIE_ENABLE - if (has_opie) - do_otp(sock, "AUTH", ctl) + if (ctl->server.authenticate == A_OTP) + do_otp(sock, "AUTH", ctl) #endif /* OPIE_ENABLE */ - } + if (ctl->server.authenticate == A_CRAM_MD5) + return(do_cram_md5(sock, "AUTH", ctl)); /* ordinary validation, no one-time password or RPA */ gen_transact(sock, "USER %s", ctl->remotename); |