help-gsasl

RE: help with gssapi smtp auth


From: Umapati Singh
Subject: RE: help with gssapi smtp auth
Date: Thu, 15 Dec 2005 22:53:27 -0500

A quick question: the README of Libntlm (downloaded from
http://josefsson.org/libntlm/) has sample code for IMAP and says:
"The application program must convert these structures to/from base64 which
is used to transfer data for IMAP authentication."

Does that mean I can't use it for SMTP AUTH???  I may sound a little deranged
but it's just that I don't want to think of anything other than SMTP AUTH.

Trying to keep pace... please bear with me!!!!

Regards,
Umapati


-----Original Message-----
From: Simon Josefsson [mailto:address@hidden
Sent: Thursday, December 15, 2005 12:14 PM
To: Umapati Singh
Cc: address@hidden
Subject: Re: help with gssapi smtp auth


"Umapati Singh" <address@hidden> writes:

> Dear Sir,
>
> I will tell you the reason behind the sudden courtesy.  I never realised the
> resemblance of your last name with this website http://josefsson.org/gss/.
> Only then I realised who I was speaking to. Indeed I am a late entrant into
> the FSF/GNU arena.
>
> Once again, I thank you for your patience.
>
> Now that I know my question is in safe hands, you can't imagine how relieved
> I feel.
>
> So, here we go ....
>
> I installed your GNU GSS and ran configure.... and as you said it did fail
> because I didn't know it needed shishi/kerberos... so could you tell me where
> to get the exact/appropriate version from.

Hi again.  See http://josefsson.org/shishi/

> Meanwhile I am trying to install every rpm that has krb in
> it.... using aptitude.

That will likely be easier than getting Shishi and GSS up and running,
and will solve your problem faster than installing GNU Shishi and GNU
GSS.  Make sure you get packages that include "gssapi.h" and a
libgssapi*.so.

Of course, I'd like to believe that my implementations are superior to
others out there, but I acknowledge that Shishi and GSS are not as
mature as MIT Kerberos or Heimdal, so depending on your needs, you may
be better off with MIT Kerberos or Heimdal.

> Also, let me see if I understand this correctly, you are saying I am still
> good to go with ntlm.... do you think with where I am now, I still have a
> long way to go...
>
> but anyways, I will try to start on ntlm too...

You need to install libntlm before installing GNU SASL, otherwise
gsasl will not enable libntlm.  Get libntlm from:

http://josefsson.org/libntlm/

> thanks and regards,
> umapati
>
> P.S. HAIL SIMON!!!!!!

Good luck,
Simon

>
>
> -----Original Message-----
> From: Simon Josefsson [mailto:address@hidden
> Sent: Thursday, December 15, 2005 11:35 AM
> To: Umapati Singh
> Cc: address@hidden
> Subject: Re: help with gssapi smtp auth
>
>
> "Umapati Singh" <address@hidden> writes:
>
>> Thank You So Very Much!!!!
>>
>> As for the CC:ing, I thought of doing it myself, but didn't want everyone to
>> know how dumb I am ;)
>>
>> Although, I am still a long way away from home :)
>
> Hehe, don't worry, it will most likely help others in the future.
>
>> Now, I have tried compiling msmtp and gnu's sasl too.  GNU SASL doesn't
>> compile well for GSSAPI.  The error I get is:
>>
>> while running ./configure in the beginning:
>>      configure: checking for GSS implementation
>>      configure: auto-detecing GSS/MIT/Heimdal
>>      configure: use --enable-gssapi=IMPL to override
>>      configure: where IMPL is `gss', `mit', or `heimdal'
>>      checking for libgss... no
>>      configure: WARNING: GNU GSS not found (see http://josefsson.org/gss/)...
>>      checking for krb5-config... no
>>      configure: WARNING: krb5-config not found, disabling GSSAPI
>>      checking if GSSAPI should be used... no
>>
>> Thereafter, it flags off (using #) the GSSAPI functionality through the
>> appropriate makefiles.  Turning them ON manually doesn't help.
>> Also when I try to do a 'man gss_import_name', it says: No manual entry for
>> gss_import_name
>
> You need to install a GSS library first.
>
> You can use my GNU GSS, or use the GSS-API library in MIT Kerberos or
> Heimdal.  All three should work.
>
> Another warning: GNU GSS requires that you have installed GNU Shishi
> first, since Shishi is the Kerberos V5 implementation used by GNU GSS.
>
>> Also, I have tried the RFCs too, but as you yourself said, I found that
>> implementing them would be time-consuming if not difficult.
>
> Right.
>
>> You have mentioned that NTLM would be less complex, but would you advise
>> changing course now... I had completely ignored ntlm from day one coz I
>> believe it's Microsoft's proprietary implementation.
>
> Depends.  Are you sure that your server really supports GSSAPI
> authentication?  Perhaps it claims to support it, but would never
> actually let you in.  If so, NTLM may be your only choice.  Try
> 'tcpdump' a connection to the mail server with another mail client, if
> you have any that can send mail through the server.
>
> GSSAPI is technically superior, so if you are concerned with security,
> you should try to make it work.  In contrast, NTLM is insecure.
>
>> As of now, I am trying to download the GNU GSS and see if that would help....
>
> That's a good idea.  MIT Kerberos V5 or Heimdal may be more tested, so
> if you run into problems, you could try them instead.  However, I'd be
> happy to do what little I can to help you remotely to get it to work.
>
> Regards,
> Simon
>
>> Meanwhile, I would appreciate if you could guide me further.
>>
>> Regards,
>> Umapati
>>
>> P.S. Thanks for your efforts again!!!!
>>
>>
>>
>> -----Original Message-----
>> From: Simon Josefsson [mailto:address@hidden
>> Sent: Thursday, December 15, 2005 10:54 AM
>> To: Umapati Singh
>> Cc: address@hidden
>> Subject: Re: help with gssapi smtp auth
>>
>>
>> Hi again.  I'm Cc:ing the mailing list, in case others are interested,
>> I hope you don't mind.
>>
>> The data are GSS-API blobs.  You could use GNU SASL to produce them.
>> If you want to implement it all yourself, you need to implement these
>> protocols:
>>
>> http://www.ietf.org/rfc/rfc1964.txt
>> http://www.ietf.org/rfc/rfc2222.txt
>> http://www.ietf.org/rfc/rfc2743.txt
>> http://www.ietf.org/rfc/rfc2744.txt
>>
>> That is fairly complex, so it is probably easier to simply use GNU
>> SASL for the SASL part, GNU GSS for the GSS-API part and GNU Shishi
>> for the Kerberos V5 part.
>>
>> NTLM is slightly less complex, you would only need GNU SASL for the
>> SASL part and Libntlm for the NTLM part.
>>
>> Hope this helps,
>> Simon
>>
>> "Umapati Singh" <address@hidden> writes:
>>
>>> also, could you please elaborate on the messages that you passed after AUTH
>>> GSSAPI.  It's not simple base64 encoded username and password, I see.  So
>>> where did you exactly get these strings from.....  I hope I'm coherent....
>>>
>>> waiting eagerly for an early response,
>>> umapati
>>>
>>> -----Original Message-----
>>> From: Simon Josefsson [mailto:address@hidden
>>> Sent: Thursday, December 15, 2005 4:41 AM
>>> To: Umapati Singh
>>> Cc: address@hidden
>>> Subject: Re: help with gssapi smtp auth
>>>
>>>
>>> "Umapati Singh" <address@hidden> writes:
>>>
>>>> Hi all,
>>>>
>>>> I am trying to obtain SMTP AUTH using the gssapi mechanism.  Can anyone
>>>> please provide me with a sample/screenshot for a gssapi session so that
>>>> I could know what messages and in what order do they need to be passed.
>>>
>>> Hi!  Below is the output from GNU SASL connecting to a SMTP server,
>>> upgrading the connection to TLS (using GnuTLS) and authenticating
>>> using the Kerberos V5 implementation in GNU Shishi via GNU GSS.  I
>>> think the SMTP server is Sendmail linked to Heimdal.
>>>
>>> Other GSS-API implementations, such as MIT Kerberos, Heimdal or Sun's,
>>> should work too.
>>>
>>> Hope this helps,
>>> Simon
>>>
>>> PS.  The 'libshishi' warning below is because the server is using
>>> buggy Kerberos V5 libraries.
>>>
>>> address@hidden:~$ gsasl --smtp smtp.nada.kth.se
>>> Trying `smtp.nada.kth.se'...
>>> 220 smtp.nada.kth.se ESMTP Sendmail 8.12.11/8.12.11; Thu, 15 Dec 2005
>>> 10:35:07 +0100 (MET)
>>> EHLO [127.0.0.1]
>>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
>>> [81.225.104.14], pleased to meet you
>>> 250-ENHANCEDSTATUSCODES
>>> 250-PIPELINING
>>> 250-8BITMIME
>>> 250-SIZE
>>> 250-DSN
>>> 250-AUTH GSSAPI
>>> 250-STARTTLS
>>> 250-DELIVERBY
>>> 250 HELP
>>> STARTTLS
>>> 220 2.0.0 Ready to start TLS
>>> EHLO [127.0.0.1]
>>> 250-smtp.nada.kth.se Hello h14n1c1o1033.bredband.skanova.com
>>> [81.225.104.14], pleased to meet you
>>> 250-ENHANCEDSTATUSCODES
>>> 250-PIPELINING
>>> 250-8BITMIME
>>> 250-SIZE
>>> 250-DSN
>>> 250-AUTH GSSAPI PLAIN
>>> 250-DELIVERBY
>>> 250 HELP
>>> AUTH GSSAPI
>>> 334
>>> libshishi: warning: KDC bug: Reply encrypted using wrong key.
>>> YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQug
>>> AwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wj
>>> gc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb
>>> /Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDA
>>> DQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6o
>>> IMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/
>>> BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK
>>> 3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3j
>>> igjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zk
>>> wfoPQtTdfRLdph5VxQ79N9PnvnQ=
>>> 334
>>> YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/F
>>> Ky6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8=
>>>
>>> 334
>>> YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp
>>> BwAgAAQEBAQ=
>>> Using system username `jas' as authentication identity.
>>> YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu
>>> AQAgAGphcwE=
>>> 235 2.0.0 OK Authenticated
>>> Client authentication finished (server trusted)...
>>> Enter application data (EOF to finish):
>>> quit
>>> 221 2.0.0 smtp.nada.kth.se closing connection
>>> Session finished...
>>> QUIT
>>> address@hidden:~$
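
The two shortest base64 strings in the quoted session (the server's last 334 challenge and the client's reply to it) can be decoded offline. The Python below is an added example, not part of the original messages and not GNU SASL code: it reads the RFC 2743 framing and the RFC 1964 Wrap token and returns the RFC 2222 security-layer negotiation inside. Function and constant names are made up for this example, and the 20-byte checksum length for SGN_ALG 04 00 is an assumption taken from the Kerberos 3DES extension rather than from the RFCs listed in the thread.

```python
import base64

# Last two tokens from the quoted session: the server's final 334 challenge
# and the client's reply (line-wrapped in the mail, joined here).
SERVER_TOKEN = ("YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxp"
                "BwAgAAQEBAQ=")
CLIENT_TOKEN = ("YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yu"
                "AQAgAGphcwE=")

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
# SGN_ALG -> checksum length. The 8-byte entries are RFC 1964; 04 00 (HMAC SHA1
# DES3-KD, 20 bytes) is an assumption taken from the Kerberos 3DES extension.
CKSUM_LEN = {b"\x00\x00": 8, b"\x01\x00": 8, b"\x02\x00": 8, b"\x04\x00": 20}
LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}  # RFC 2222 bitmask


def parse_negotiation(b64_token):
    """Decode one SASL GSSAPI security-layer negotiation message."""
    tok = base64.b64decode(b64_token, validate=True)
    # RFC 2743 framing: 0x60, short-form DER length, mechanism OID, inner token.
    if len(tok) < 15 or tok[0] != 0x60 or tok[1] > 0x7F or tok[1] != len(tok) - 2:
        raise ValueError("not a short-form GSS-API token")
    if tok[2:13] != KRB5_OID:
        raise ValueError("mechanism is not Kerberos V5")
    inner = tok[13:]
    tok_id, sgn_alg, seal_alg = inner[0:2], inner[2:4], inner[4:6]
    if tok_id != b"\x02\x01":
        raise ValueError("not an RFC 1964 Wrap token")
    if seal_alg != b"\xff\xff":
        raise ValueError("payload is sealed; the session key is needed to read it")
    if sgn_alg not in CKSUM_LEN:
        raise ValueError("unknown SGN_ALG")
    # Skip 8-byte header, 8-byte SND_SEQ, SGN_CKSUM and the 8-byte confounder.
    plain = inner[8 + 8 + CKSUM_LEN[sgn_alg] + 8:]
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 8 or len(plain) < pad + 4 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding or truncated payload")
    msg = plain[:-pad]
    return {
        "layers": [name for bit, name in LAYERS.items() if msg[0] & bit],
        "max_size": int.from_bytes(msg[1:4], "big"),
        "authzid": msg[4:].decode("utf-8"),
    }


if __name__ == "__main__":
    for label, token in (("server", SERVER_TOKEN), ("client", CLIENT_TOKEN)):
        print(label, parse_negotiation(token))
```

For the transcript's tokens, the server offers all three layers with an 8192-byte buffer, and the client selects no security layer with authorization identity `jas`. Both tokens carry SEAL_ALG ff ff, so this payload is integrity-protected but not encrypted by GSS-API itself.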




