[PATCH] GSSAPI single sign-on for SMTP, POP3


[PATCH] GSSAPI single sign-on for SMTP, POP3

Albrecht Dreß
Hi all,

a while ago a user requested GSSAPI (Kerberos v5 single sign-on, RFC 4752) authentication for SMTP.  The attached patch implements it for both SMTP and POP3 in addition to IMAP, i.e. with this patch, Balsa now offers SSO for /all/ server connections.

Basically, I added a few helper functions to libnetclient, which are used in the specific authentication methods.  As the GSSAPI tokens can be /very/ long, the maximum line length for SMTP needs to be enhanced.  This also revealed a bug in the net-client.c function net_client_vwrite_line() which used a too short fixed-length buffer (replaced by a GString).

As single sign-on requires only the user name, but not a password, I had to extend the auth signal handler with an indication whether the password is needed or not.

Unfortunately, I can not write "simple" unit tests as my test "server" (INetSim) does not support GSSAPI.  For testing, I installed a Debian VM with Samba4 (which is so nice to configure Kerberos appropriately for me, which otherwise is a real PITA!) plus postfix and dovecot exclusively supporting GSSAPI authentication.  Afaict, this implementation works just fine there.  However, some more testing with "real world" setups would be highly appreciated.

As always, any comment will be welcome!

Cheers,
Albrecht.

---
Patch details:
- libbalsa/server.[ch]: changed auth signal handler footprint; check if a password is needed
- libnetclient/net-client-pop.h, libnetclient/net-client-smtp.h, libnetclient/README, libnetclient/libnetclient.dox: documentation updates
- libnetclient/net-client-pop.[ch], libnetclient/net-client-smtp.[ch]: implement GSSAPI authentication
- libnetclient/net-client-utils.[ch]: implement GSSAPI authentication helper functions
- libnetclient/net-client.[ch]: use a GString instead of a fixed-length line buffer, change auth signal handler footprint
- libnetclient/test/tests.c: fix unit tests
_______________________________________________
balsa-list mailing list
[hidden email]
https://mail.gnome.org/mailman/listinfo/balsa-list

Attachment: gssapi-smtp-pop.diff.bz2 (13K)
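An added illustration of the line-buffer issue described in the first message (not part of the thread and not Balsa's code): formatting a long base64 token line into a fixed-length buffer versus a buffer sized from the measured length. The function names, the 1024-byte size and the 3000-byte token are assumptions; the page does not show how the original net_client_vwrite_line() behaved.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_LINE_MAX 1024 /* assumed size, for illustration only */

/* Format a protocol line plus CRLF into a fixed buffer.
 * Returns 0 on success, -1 if the formatted line does not fit. */
static int format_line_fixed(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(buf, buflen, fmt, ap); /* length the full line needs */
    va_end(ap);
    if (need < 0 || (size_t)need + 3 > buflen)  /* text + CRLF + NUL */
        return -1;                              /* refuse instead of truncating */
    memcpy(buf + need, "\r\n", 3);
    return 0;
}

/* Same line, but measured first and allocated to fit; caller frees. */
static char *format_line_dynamic(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int need = vsnprintf(NULL, 0, fmt, ap);     /* first pass: measure only */
    va_end(ap);
    char *line = NULL;
    if (need >= 0 && (line = malloc((size_t)need + 3)) != NULL) {
        vsnprintf(line, (size_t)need + 1, fmt, ap2);
        memcpy(line + need, "\r\n", 3);
    }
    va_end(ap2);
    return line;
}

/* Base64 expands every 3 raw bytes to 4 characters (with padding). */
static size_t base64_len(size_t raw) { return 4 * ((raw + 2) / 3); }

/* Constructed stand-in for an encoded token: base64_len(raw) 'A' characters. */
static char *make_token(size_t raw)
{
    size_t n = base64_len(raw);
    char *t = malloc(n + 1);
    if (t != NULL) { memset(t, 'A', n); t[n] = '\0'; }
    return t;
}
```

With the constructed 3000-byte token the encoded line is 4000 characters, so the fixed-buffer variant reports failure while the measured variant returns the whole line.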

Re: [PATCH] GSSAPI single sign-on for SMTP, POP3

Peter Bloomfield
Hi Albrecht:

On 04/25/2017 01:43:04 PM Tue, Albrecht Dreß wrote:

> Hi all,
>
> a while ago a user requested GSSAPI (Kerberos v5 single sign-on, RFC 4752) authentication for SMTP.  The attached patch implements it for both SMTP and POP3 in addition to IMAP, i.e. with this patch, Balsa now offers SSO for /all/ server connections.
>
> Basically, I added a few helper functions to libnetclient, which are used in the specific authentication methods.  As the GSSAPI tokens can be /very/ long, the maximum line length for SMTP needs to be enhanced.  This also revealed a bug in the net-client.c function net_client_vwrite_line() which used a too short fixed-length buffer (replaced by a GString).
>
> As single sign-on requires only the user name, but not a password, I had to extend the auth signal handler with an indication whether the password is needed or not.
>
> Unfortunately, I can not write "simple" unit tests as my test "server" (INetSim) does not support GSSAPI.  For testing, I installed a Debian VM with Samba4 (which is so nice to configure Kerberos appropriately for me, which otherwise is a real PITA!) plus postfix and dovecot exclusively supporting GSSAPI authentication.  Afaict, this implementation works just fine there.  However, some more testing with "real world" setups would be highly appreciated.
>
> As always, any comment will be welcome!

Many thanks for the patch!

It builds and runs for me, but I have no way of testing GSSAPI authentication, so I've pushed it to master to allow wider testing.

Peter

Re: [PATCH] GSSAPI single sign-on for SMTP, POP3

Albrecht Dreß
Hi Peter:

On 26.04.17 03:17, Peter Bloomfield wrote:
> Many thanks for the patch!
>
> It builds and runs for me, but I have no way of testing GSSAPI authentication, so I've pushed it to master to allow wider testing.

Thanks for pushing - yes, testing is difficult, as the whole infrastructure has to be configured.  I hope someone using such an environment (M$ Exchange?) can help us here...

Cheers,
Albrecht.