[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade

John Marshall john.marshall at riverwillow.com.au
Fri Aug 28 08:20:42 EEST 2009 

This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
GSSAPI authentication had broken.

It turned out to be a recent change in Dovecot's mech-gssapi.c to do
with checking for NULs in usernames: everything worked fine when I
disabled that test.
<http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b>

This is what I was seeing in the log file with auth_debug enabled:

  ------------------------
  auth(default): client in: AUTH 1       GSSAPI service=imap    secured lip=192.0.2.36        rip=192.0.2.168       lport=143       rport=51168
  auth(default): gssapi(?,192.0.2.168): Obtaining credentials for imap at mail1.example.com
  auth(default): client out: CONT        1       
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): security context state completed.
  auth(default): client out: CONT        1      YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREIuGJR3fqiMdvWjEg6utI7bt3fZuI8Ulk4LoFu59aMgnX+Kivdohxin2A71UCEC7oG0sVYe7vrTjg2N9s27D1BLRuJbQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): Negotiated security layer
  auth(default): client out: CONT        1      YD8GCSqGSIb3EgECAgIBBAD/////MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): authz_name has NULs
  auth(default): client out: FAIL        1       user=john at EXAMPLE.COM imap-login: Disconnected (auth failed, 1 attempts): user=<john at EXAMPLE.COM>, method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected
  ------------------------

I commented out the 'return -1;' at the end of the if(data_has_nuls)
block (to preserve the log message but fall through), rebuilt, and
everything works again.

  ------------------------
  auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): authz_name has NULs
  auth(default): client out: OK  1       user=john at EXAMPLE.COM
  ------------------------

I tried building dovecot 1.2.4 with Heimdal 0.6.3, 1.0.1 and 1.2.1 and
all gave the same result.  Is it possible that the data_has_nuls test
doesn't work as intended or that it only works with MIT Kerberos?

Thank you.

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090828/d118d9f4/attachment-0001.bin

More information about the dovecot mailing list