John Marshall
2009-Aug-28 05:20 UTC
[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade
This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a FreeBSD 7.2 server, and then spent 3 hours trying to figure out why GSSAPI authentication had broken.

It turned out to be a recent change in Dovecot's mech-gssapi.c to do with checking for NULs in usernames: everything worked fine when I disabled that test.

<http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b>

This is what I was seeing in the log file with auth_debug enabled:

------------------------
auth(default): client in: AUTH 1 GSSAPI service=imap secured lip=192.0.2.36 rip=192.0.2.168 lport=143 rport=51168
auth(default): gssapi(?,192.0.2.168): Obtaining credentials for imap at mail1.example.com
auth(default): client out: CONT 1
auth(default): client in: CONT<hidden>
auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): security context state completed.
auth(default): client out: CONT 1 YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREIuGJR3fqiMdvWjEg6utI7bt3fZuI8Ulk4LoFu59aMgnX+Kivdohxin2A71UCEC7oG0sVYe7vrTjg2N9s27D1BLRuJbQ
auth(default): client in: CONT<hidden>
auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): Negotiated security layer
auth(default): client out: CONT 1 YD8GCSqGSIb3EgECAgIBBAD/////MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ
auth(default): client in: CONT<hidden>
auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): authz_name has NULs
auth(default): client out: FAIL 1 user=john at EXAMPLE.COM
imap-login: Disconnected (auth failed, 1 attempts): user=<john at EXAMPLE.COM>, method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected
------------------------

I commented out the 'return -1;' at the end of the if(data_has_nuls) block (to preserve the log message but fall through), rebuilt, and everything works again.

------------------------
auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): authz_name has NULs
auth(default): client out: OK 1 user=john at EXAMPLE.COM
------------------------

I tried building dovecot 1.2.4 with Heimdal 0.6.3, 1.0.1 and 1.2.1 and all gave the same result. Is it possible that the data_has_nuls test doesn't work as intended or that it only works with MIT Kerberos?

Thank you.

-- 
John Marshall
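As an added illustration, not Dovecot's mech-gssapi.c and not code from this thread: after gss_unwrap, the client's final SASL GSSAPI token (RFC 4752) is a 4-byte header followed by an authorization identity that is length-delimited, not NUL-terminated, so a NUL check has to scan exactly the GSS buffer's length. The third case in main() shows one way such a check can misfire: if the length passed to it includes a terminator the caller appended, a perfectly good authzid is reported as having NULs. All token bytes below are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the unwrapped final client token (RFC 4752, section 3.1):
 * byte 0     = security layer bitmask chosen by the client
 * bytes 1..3 = maximum message size, big-endian
 * bytes 4..  = optional authorization identity, NOT NUL-terminated */
struct final_token {
    uint8_t sec_layer;
    uint32_t max_size;
    const unsigned char *authzid;  /* points into the caller's buffer */
    size_t authzid_len;
};

/* 1 if the length-delimited buffer contains a NUL byte. The length must
 * be the GSS buffer's .length, never strlen() and never a length that
 * counts a terminator the caller added when copying the data. */
int data_has_nuls(const unsigned char *data, size_t len)
{
    return memchr(data, '\0', len) != NULL;
}

/* 0 = ok, -1 = token too short, -2 = authzid contains NUL (the case
 * that Dovecot logs as "authz_name has NULs" and fails). */
int parse_final_token(const unsigned char *data, size_t len,
                      struct final_token *out)
{
    if (len < 4)
        return -1;
    out->sec_layer = data[0];
    out->max_size = ((uint32_t)data[1] << 16) | ((uint32_t)data[2] << 8) | data[3];
    out->authzid = data + 4;
    out->authzid_len = len - 4;
    if (out->authzid_len > 0 && data_has_nuls(out->authzid, out->authzid_len))
        return -2;
    return 0;
}

int main(void)
{
    /* constructed: no security layer, 4 KiB max, authzid "john@EXAMPLE.COM" */
    static const unsigned char good[] = "\x01\x00\x10\x00john@EXAMPLE.COM";
    static const unsigned char bad[]  = "\x01\x00\x10\x00john\x00@EXAMPLE.COM";
    struct final_token t;
    printf("good, exact length: %d\n", parse_final_token(good, sizeof(good) - 1, &t));
    printf("embedded NUL:       %d\n", parse_final_token(bad, sizeof(bad) - 1, &t));
    /* passing sizeof(good) counts the string literal's terminator: false positive */
    printf("good, length+1:     %d\n", parse_final_token(good, sizeof(good), &t));
    return 0;
}
```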
Timo Sirainen
2009-Aug-28 17:38 UTC
[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade
On Fri, 2009-08-28 at 15:20 +1000, John Marshall wrote:
> This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
> FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
> GSSAPI authentication had broken.
>
> It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> with checking for NULs in usernames: everything worked fine when I
> disabled that test.

What exactly is the username? What does it say with the attached patch?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 423 bytes
URL: <http://dovecot.org/pipermail/dovecot/attachments/20090828/5f25e03d/attachment-0004.bin>