gssapi considered as PLAIN?
Hello,
as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities. ([CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=GSSAPI AUTH=PLAIN AUTH=LOGIN] vs [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED])
Why? I'm wondering especially because at http://wiki2.dovecot.org/Authentication/Mechanisms, GSSAPI is correctly listed under "Non-plaintext authentication".
Thanks,
-Harry
Regarding Hans Morten Kind's message from 05.11.2014 16:48 (localtime):
> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities.
> Try setting login_trusted_networks to something you trust.
Thanks for the hint, but I don't want to offer PLAIN to my whole LAN, while I do want to offer GSSAPI to my whole LAN. Unfortunately that's not a workaround for me.
Thanks,
-Harry
On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> Regarding Hans Morten Kind's message from 05.11.2014 16:48 (localtime):
> > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> > > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities.
> > Try setting login_trusted_networks to something you trust.

root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
auth_mechanisms = plain login gssapi
root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
disable_plaintext_auth = yes
root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
login_trusted_networks =

a CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
Must be something else ... Check my attached config for differences.
Cheers, Jan
--
MAX-PLANCK-INSTITUT fuer Radioastronomie
Jan Behrend - Rechenzentrum
Auf dem Huegel 69, D-53121 Bonn
Tel: +49 (228) 525 359, Fax: +49 (228) 525 229
jbehrend@mpifr-bonn.mpg.de http://www.mpifr-bonn.mpg.de
Regarding Jan Behrend's message from 05.11.2014 17:01 (localtime):
> On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> > Regarding Hans Morten Kind's message from 05.11.2014 16:48 (localtime):
> > > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> > > > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities.
> > > Try setting login_trusted_networks to something you trust.
>
> root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
> auth_mechanisms = plain login gssapi
> root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
> disable_plaintext_auth = yes
> root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
> login_trusted_networks =
>
> a CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right?
Thanks,
-Harry
On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote:
> Regarding Jan Behrend's message from 05.11.2014 17:01 (localtime):
> > On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> > > Regarding Hans Morten Kind's message from 05.11.2014 16:48 (localtime):
> > > > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> > > > > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities.
> > > > Try setting login_trusted_networks to something you trust.
> >
> > root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
> > auth_mechanisms = plain login gssapi
> > root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
> > disable_plaintext_auth = yes
> > root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
> > login_trusted_networks =
> >
> > a CAPABILITY
> > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
>
> You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right?
No, but I didn't show all of it ;-). Here it is:
jbehrend@jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de
Processed 1 CA certificate(s).
Resolving 'imap.mpifr-bonn.mpg.de'...
Connecting to '134.104.18.77:143'...
- Simple Client Mode:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
a starttls
a OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1023 bits
- Peer's public key: 1023 bits
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg-ca@mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc'
- The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'.
- Peer's certificate is trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
a CAPABILITY
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
a OK Pre-login capabilities listed, post-login capabilities have more.
Cheers, Jan
Regarding Jan Behrend's message from 05.11.2014 17:15 (localtime):
> On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote:
> > Regarding Jan Behrend's message from 05.11.2014 17:01 (localtime):
> > > On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
> > > > Regarding Hans Morten Kind's message from 05.11.2014 16:48 (localtime):
> > > > > On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
> > > > > > as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes from capabilities.
> > > > > Try setting login_trusted_networks to something you trust.
> > >
> > > root@mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
> > > auth_mechanisms = plain login gssapi
> > > root@mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
> > > disable_plaintext_auth = yes
> > > root@mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
> > > login_trusted_networks =
> > >
> > > a CAPABILITY
> > > * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
> >
> > You don't see LOGINDISABLED, so I guess rip==lip (you tested @localhost), right?
>
> No, but I didn't show all of it ;-). Here it is:
>
> jbehrend@jb1:~$ gnutls-cli --starttls --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143 imap.mpifr-bonn.mpg.de
> Processed 1 CA certificate(s).
> Resolving 'imap.mpifr-bonn.mpg.de'...
> Connecting to '134.104.18.77:143'...
> - Simple Client Mode:
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
> a starttls
> a OK Begin TLS negotiation now.
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 1024 bits
> - Secret key: 1023 bits
> - Peer's public key: 1023 bits
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
>  - subject `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg-ca@mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc'
> - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'.
> - Peer's certificate is trusted
> - Version: TLS1.2
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> a CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
> a OK Pre-login capabilities listed, post-login capabilities have more.
Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if the connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before the TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my kerberos ticket validated :-)
disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); they aren't offered until encryption has successfully taken place. But I don't expect GSSAPI to also be disabled (regardless of whether encryption is available or not). I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-)
Thanks,
-Harry
Regarding Harry Schmalzbauer's message from 05.11.2014 18:04 (localtime): …
> Sorry, I might have been unclear. Of course, AUTH=GSSAPI is offered if the connection passes STARTTLS, along WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is to prevent PLAIN if _no_ encryption level was negotiated. So you see LOGINDISABLED before the TLS session and also _no_ GSSAPI! At that point (no encryption negotiated) I want to be able to get my kerberos ticket validated :-)
> disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); they aren't offered until encryption has successfully taken place. But I don't expect GSSAPI to also be disabled (regardless of whether encryption is available or not). I have no idea why this could be the intended behaviour, and hope somebody can enlighten me :-)
Sorry for the noise. For those with the same intention and the same problem:
I had "ssl = required" set. That of course doesn't return any AUTH method unless encryption was negotiated. Setting it to "ssl = yes" instead leads to the expected results in all variants :-)
Thanks,
-Harry
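A small client-side check for the behaviour discussed in this thread, added here as an example (it is not code from the thread or from Dovecot): it parses the pre-STARTTLS greeting and the post-STARTTLS CAPABILITY reply and reports whether PLAIN/LOGIN are offered before TLS and whether GSSAPI is offered before TLS, which is what the "ssl = required" vs "ssl = yes" difference changes. The sample strings are constructed from the capability lines quoted above (the "wanted" greeting is what the thread describes but never shows verbatim); live_check, host and port are assumptions for running it against a real server.

```python
import imaplib
import re
import ssl

# Constructed samples (not captured from a live server): the pre-TLS greeting and
# the post-STARTTLS CAPABILITY reply quoted in this thread, plus the pre-TLS
# greeting the poster wanted (described in the thread, not shown verbatim).
GREETING_SSL_REQUIRED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS"
                         " ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
CAPS_AFTER_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE"
                  " IDLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI")
GREETING_WANTED = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID"
                   " ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.")

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # mechanisms disable_plaintext_auth is meant to hide

def parse_caps(line):
    """Capability tokens from a greeting ('[CAPABILITY ...]') or a '* CAPABILITY ...' reply."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", line)
    return set(m.group(1).split()) if m else set()

def auth_mechs(caps):
    """SASL mechanism names advertised as AUTH=<name>."""
    return {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}

def check_policy(pre_tls, post_tls):
    """Findings against the policy discussed in the thread: no plaintext
    mechanism before TLS, but GSSAPI usable before TLS. Empty list means OK."""
    findings = []
    pre, post = auth_mechs(pre_tls), auth_mechs(post_tls)
    leaked = sorted(pre & PLAINTEXT_MECHS)
    if leaked:
        findings.append("plaintext mechanism offered before TLS: " + ", ".join(leaked))
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not advertised")
    if "GSSAPI" not in pre:
        findings.append("GSSAPI not offered before TLS (check ssl = required vs ssl = yes)")
    if "GSSAPI" not in post:
        findings.append("GSSAPI not offered after TLS")
    return findings

def live_check(host, port=143):
    """Same check against a real server (assumes STARTTLS on 143 and a trusted cert)."""
    conn = imaplib.IMAP4(host, port)
    pre = parse_caps(conn.welcome.decode())          # greeting carries pre-TLS caps
    conn.starttls(ssl.create_default_context())       # imaplib re-reads CAPABILITY here
    post = set(conn.capabilities)
    conn.logout()
    return check_policy(pre, post)
```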