Bug#624831: cyrus-clients-2.4: with TLS, falsely claims AUTH=GSSAPI not allowed

brian m. carlson sandals at crustytoothpaste.net
Sun May 1 22:27:08 UTC 2011


Package: cyrus-clients-2.4
Version: 2.4.8-1
Severity: normal
File: /usr/bin/imtest

I use Kerberos 5 and GSSAPI to authenticate to my IMAP server.  If and
only if I use TLS, imtest will claim (falsely) that AUTH=GSSAPI was not
advertised by the server and refuse to use it to authenticate.

Without TLS:

  lakeview ok % imtest -m gssapi -a bmc -u bmc castro.crustytoothpaste.net 
  S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
  C: A01 AUTHENTICATE GSSAPI YIICiwYJKoZIhvcSAQICAQBuggJ6MIICdqADAgEFoQMCAQ6iBwMFACAAAACjggGHYYIBgzCCAX+gAwIBBaEWGxRDUlVTVFlUT09USFBBU1RFLk5FVKIuMCygAwIBA6ElMCMbBGltYXAbG2Nhc3Ryby5jcnVzdHl0b290aHBhc3RlLm5ldKOCAS4wggEqoAMCARKhAwIBA6KCARwEggEYv2/jz5gOWcY4wNFhqzqWWg2+SycooHlzQXII0N7Dvy9eTGz07b0NF0aOo5SWysWQyYWBeKXq4MYeDwvMyWkb8qRt9B7hD5yRFyvmF0lnKTOlLlziPQqjbNdlGV5ylqzywbNrgnmxiOiZTWOQLIRmcGtknB8+oA9JXFKe3PmlTNvkC31n2cXloIfUgwytP++nTjyFkASAkG9tR5U4W1wiOWFRQV1YOoBIt5M62p8eyHAkTkSVRKKFeHHcGfQRlBHqewsDaWrleqEutf9XIxi2LoGp6nNxFTaAh4RwK1pkDLX//d6WD+tIQ3LQkEu3Z2Kfp2A54nka5TxQBoxw216VCTn7zXQTGtZ7q0pJPolhFAmlaWTVbuYI66SB1TCB0qADAgESooHKBIHHPbzujrKJK2e4u0DdiLLIUe7ZyQEWTX1RByFWMk0kOCksHanwCatPR90lzSUWXRGCCWbh+tQbYuNcUvqZjtMftze5zAi2tybd4i9jfQn/vsHqfMzUipUdHINhH82WHHnqXl/wpDZoSUGl625HbOcVzQ/ZibXzBkauRaJzGqGPTGCQyG7XnOd49SrMog/wnShZWWnxxtb4vA8j9P4K7utnLlus6fyRNmrr8gCQBZbsjc2nQa7LvAzdBbD/w9Xe35AvoMmOx1+EKw==
  S: + YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuHtj7bv6FGvuM3O246mku8t3aSII0oHHuK42IFk9H1DU1Z4X0LR3f/TCvwey7onWvFw3EYcb2AK+U4OSGZeQxNSMvMjS+ehsORO0VU6e7mjubPgWLYOFk46rD6JOgLARwqTvk+VY7IlOwHBkFp1U=
  C: 
  S: + BQQF/wAMAAAAAAAAACnL+gH///+LEFHiRTCAlZdkwC8=
  C: BQQE/wAMAAAAAAAAGhhgsQEABABibWOYm+w/FHPzV9btWvw=
  S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
  Authenticated.
  Security strength factor: 0
  Q01 LOGOUT
  * BYE Logging out
  Q01 OK Logout completed.
  Connection closed.

With TLS:

  lakeview ok % imtest -t "" -m gssapi -a bmc -u bmc castro.crustytoothpaste.net
  S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
  C: S01 STARTTLS
  S: S01 OK Begin TLS negotiation now.
  verify error:num=18:self signed certificate
  TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
  C: C01 CAPABILITY
  S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI
  S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
  [Server did not advertise AUTH=GSSAPI]
  Authentication failed. generic failure
  Security strength factor: 256
  Q01 LOGOUT
  * BYE Logging out
  Q01 OK Logout completed.
  Connection closed.

As you can see, the server did in fact advertise AUTH=GSSAPI and it
works just fine under TLS with mutt.  Dovecot was just upgraded to
2.0.12; I don't know if this is related.  From my reading of RFC 3501,
though, Dovecot's behavior seems to be in compliance with the standard.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cyrus-clients-2.4 depends on:
ii  libc6                   2.11.2-13        Embedded GNU C Library: Shared lib
ii  libdb5.1                5.1.25-10        Berkeley v5.1 Database Libraries [
ii  libsasl2-2              2.1.23.dfsg1-8   Cyrus SASL - authentication abstra
ii  libssl1.0.0             1.0.0d-2         SSL shared libraries
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

cyrus-clients-2.4 recommends no packages.

cyrus-clients-2.4 suggests no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
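
The two capability forms seen in the TLS session above (a list closed by `]` in the greeting, a list closed by CRLF after STARTTLS) handled by one parser, as an added example that is not part of the original report and is not Cyrus imtest code. `parse_capabilities`, `CapabilityTracker` and `replay_tls_session` are hypothetical names; the tracker also drops the pre-TLS list once TLS is up, as RFC 3501 section 6.2.1 requires.

```python
import re

# Server lines copied from the TLS session in the report above.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
            "ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.\r\n")
POST_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
            "ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI\r\n")

RESP_CODE = re.compile(r"^\S+ (?:OK|PREAUTH) \[CAPABILITY ([^\]]*)\]", re.I)
UNTAGGED = re.compile(r"^\* CAPABILITY (.*)$", re.I)


def parse_capabilities(line):
    """Return the set of capability atoms in one server line, or None.
    Accepts the response-code form (']' ends the list) and the untagged form."""
    line = line.rstrip("\r\n")
    m = RESP_CODE.match(line) or UNTAGGED.match(line)
    if m is None:
        return None
    return {atom.upper() for atom in m.group(1).split()}


class CapabilityTracker:
    """Hypothetical client-side state: the capability list currently in force."""

    def __init__(self):
        self.caps = set()

    def on_server_line(self, line):
        caps = parse_capabilities(line)
        if caps is not None:
            self.caps = caps          # newest list replaces the old one

    def on_tls_established(self):
        self.caps = set()             # RFC 3501 6.2.1: discard the pre-TLS list

    def mechanisms(self):
        return {c[len("AUTH="):] for c in self.caps if c.startswith("AUTH=")}


def replay_tls_session():
    """Replay greeting -> STARTTLS -> CAPABILITY; return mechanisms per step."""
    t = CapabilityTracker()
    t.on_server_line(GREETING)
    before = t.mechanisms()
    t.on_tls_established()
    during = t.mechanisms()
    t.on_server_line(POST_TLS)
    return before, during, t.mechanisms()
```
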


More information about the Pkg-Cyrus-imapd-Debian-devel mailing list