Bug#624831: cyrus-clients-2.4: with TLS, falsely claims AUTH=GSSAPI not allowed
brian m. carlson
sandals at crustytoothpaste.net
Sun May 1 22:27:08 UTC 2011

Package: cyrus-clients-2.4
Version: 2.4.8-1
Severity: normal
File: /usr/bin/imtest

I use Kerberos 5 and GSSAPI to authenticate to my IMAP server. If and
only if I use TLS, imtest will claim (falsely) that AUTH=GSSAPI was not
advertised by the server and refuse to use it to authenticate.

Without TLS:
lakeview ok % imtest -m gssapi -a bmc -u bmc castro.crustytoothpaste.net
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
C: A01 AUTHENTICATE GSSAPI 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
S: + YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuHtj7bv6FGvuM3O246mku8t3aSII0oHHuK42IFk9H1DU1Z4X0LR3f/TCvwey7onWvFw3EYcb2AK+U4OSGZeQxNSMvMjS+ehsORO0VU6e7mjubPgWLYOFk46rD6JOgLARwqTvk+VY7IlOwHBkFp1U=
C:
S: + BQQF/wAMAAAAAAAAACnL+gH///+LEFHiRTCAlZdkwC8=
C: BQQE/wAMAAAAAAAAGhhgsQEABABibWOYm+w/FHPzV9btWvw=
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
Authenticated.
Security strength factor: 0
Q01 LOGOUT
* BYE Logging out
Q01 OK Logout completed.
Connection closed.

With TLS:
lakeview ok % imtest -t "" -m gssapi -a bmc -u bmc castro.crustytoothpaste.net
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now.
verify error:num=18:self signed certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI
S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
[Server did not advertise AUTH=GSSAPI]
Authentication failed. generic failure
Security strength factor: 256
Q01 LOGOUT
* BYE Logging out
Q01 OK Logout completed.
Connection closed.

As you can see, the server did in fact advertise AUTH=GSSAPI and it
works just fine under TLS with mutt. Dovecot was just upgraded to
2.0.12; I don't know if this is related. From my reading of RFC 3501,
though, Dovecot's behavior seems to be in compliance with the standard.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cyrus-clients-2.4 depends on:
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libdb5.1 5.1.25-10 Berkeley v5.1 Database Libraries [
ii libsasl2-2 2.1.23.dfsg1-8 Cyrus SASL - authentication abstra
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
cyrus-clients-2.4 recommends no packages.
cyrus-clients-2.4 suggests no packages.
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
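
Added example (not part of the original report, and not imtest's code): a small Python parser for the two capability forms seen in the transcripts above, the `[CAPABILITY ...]` response code in the greeting and the untagged `* CAPABILITY` response after STARTTLS. It discards the pre-TLS list at STARTTLS, as RFC 3501 section 6.2.1 requires, and reports the AUTH= mechanisms that remain. Function names are hypothetical; the sample session is copied from the "With TLS" transcript in the report.

```python
import re

# RFC 3501 delivers capability lists in two forms:
#   response code:  * OK [CAPABILITY IMAP4rev1 ... AUTH=GSSAPI] Dovecot ready.
#   untagged data:  * CAPABILITY IMAP4rev1 ... AUTH=PLAIN AUTH=GSSAPI
RESP_CODE = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.IGNORECASE)
UNTAGGED = re.compile(r"^\* CAPABILITY (.*)$", re.IGNORECASE)


def parse_capabilities(response):
    """Return the upper-cased capability atoms in one server line, or None."""
    m = UNTAGGED.match(response) or RESP_CODE.search(response)
    return {atom.upper() for atom in m.group(1).split()} if m else None


def sasl_mechanisms(caps):
    """Extract SASL mechanism names from AUTH=<mech> capability atoms."""
    return sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))


def mechanisms_after(transcript):
    """Mechanisms usable at the end of an imtest-style 'S:'/'C:' transcript."""
    caps = set()
    for raw in transcript.splitlines():
        direction, _, text = raw.strip().partition(": ")
        if direction == "C" and text.upper().endswith(" STARTTLS"):
            # Capabilities seen in cleartext are not trusted after TLS starts.
            caps = set()
        elif direction == "S":
            caps = parse_capabilities(text) or caps
    return sasl_mechanisms(caps)


# Sample input: the protocol lines of the "With TLS" session in the report.
TLS_SESSION = """\
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
C: S01 STARTTLS
S: S01 OK Begin TLS negotiation now.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI
S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
"""

if __name__ == "__main__":
    print(mechanisms_after(TLS_SESSION))
```
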