gssapi considered as PLAIN?

Harry Schmalzbauer dovecot at omnilan.de
Wed Nov 5 17:04:47 UTC 2014


 Regarding Jan Behrend's message of 05.11.2014 17:15 (localtime):
> On Wed, 2014-11-05 at 17:04 +0100, Harry Schmalzbauer wrote:
>>  Regarding Jan Behrend's message of 05.11.2014 17:01 (localtime):
>>> On Wed, 2014-11-05 at 16:52 +0100, Harry Schmalzbauer wrote:
>>>>  Regarding Hans Morten Kind's message of 05.11.2014 16:48 (localtime):
>>>>> On Wed, Nov 05, 2014 at 04:22:12PM +0100, Harry Schmalzbauer wrote:
>>>>>> as soon as I set "disable_plaintext_auth = yes", AUTH=GSSAPI vanishes
>>>>>> from capabilities.
>>>>> Try setting login_trusted_networks to something you trust.
>>> root at mailbox1:/etc/dovecot/conf.d# doveconf auth_mechanisms
>>> auth_mechanisms = plain login gssapi
>>> root at mailbox1:/etc/dovecot/conf.d# doveconf disable_plaintext_auth
>>> disable_plaintext_auth = yes
>>> root at mailbox1:/etc/dovecot/conf.d# doveconf login_trusted_networks
>>> login_trusted_networks = 
>>>
>>>
>>> a CAPABILITY
>>> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>>> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
>> You don't see LOGINDISABLED, so I guess rip==lip (you tested
>> @localhost), right?
> No, but I didn't show all of it ;-).  Here it is:
>
> jbehrend at jb1:~$ gnutls-cli --starttls
> --x509cafile /etc/ssl/certs/Max-Planck-Gesellschaft.pem -p 143
> imap.mpifr-bonn.mpg.de
> Processed 1 CA certificate(s).
> Resolving 'imap.mpifr-bonn.mpg.de'...
> Connecting to '134.104.18.77:143'...
>
> - Simple Client Mode:
>
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE STARTTLS LOGINDISABLED] Dovecot ready.
> a starttls
> a OK Begin TLS negotiation now.
> *** Starting TLS handshake
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 1024 bits
>  - Secret key: 1023 bits
>  - Peer's public key: 1023 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>  - Certificate[0] info:
>   - subject
> `C=DE,ST=Nordrhein-Westfalen,L=Bonn,O=Max-Planck-Gesellschaft,OU=Max-Planck-Institut fuer Radioastronomie,CN=imap.mpifr-bonn.mpg.de', issuer `C=DE,O=Max-Planck-Gesellschaft,CN=MPG CA,EMAIL=mpg-ca at mpg.de', RSA key 4096 bits, signed using RSA-SHA1, activated `2014-05-06 11:17:21 UTC', expires `2019-05-05 11:17:21 UTC', SHA-1 fingerprint `c0b4fb497ac212f0e05de24f2c097a0b712435cc'
> - The hostname in the certificate matches 'imap.mpifr-bonn.mpg.de'.
> - Peer's certificate is trusted
> - Version: TLS1.2
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> a CAPABILITY
> * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI
> a OK Pre-login capabilities listed, post-login capabilities have more.

Sorry, I might have been unclear.
Of course, AUTH=GSSAPI is offered if the connection passes STARTTLS, along
WITH PLAIN (and LOGIN), but the intention of "disable_plaintext_auth" is
to prevent PLAIN if _no_ encryption level was negotiated.
So you see LOGINDISABLED before the TLS session and also _no_ GSSAPI!
At that point (no encryption negotiated) I want to be able to get my
kerberos ticket validated :-)

disable_plaintext_auth = yes works as expected for PLAIN (and LOGIN); they
aren't offered until encryption has successfully taken place.
But I don't expect GSSAPI to also be disabled (regardless of whether
encryption is available or not).
I have no idea why this could be the intended behaviour, and hope
somebody can enlighten me :-)

Thanks,

-Harry
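As an added example (not part of this thread and not Dovecot's own code), a small Python checker that compares the pre-login mechanisms advertised before and after STARTTLS, using the two CAPABILITY responses quoted above as constructed input; the function names are this example's own.

```python
"""Compare IMAP pre-login capabilities before and after STARTTLS.

Added example, not from the thread. The sample responses are the two
quoted in the thread; `audit_auth_exposure` is a name assumed here.
"""
import re

# Mechanisms that send the credential in the clear unless the transport is
# encrypted. GSSAPI is deliberately not in this set: the Kerberos exchange
# does not reveal the password.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed from the transcript above: greeting before STARTTLS and the
# untagged CAPABILITY response after it (wrapped lines joined).
PRE_TLS = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
           "IDLE STARTTLS LOGINDISABLED] Dovecot ready.")
POST_TLS = ("* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
            "AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI")


def parse_capabilities(line: str) -> set:
    """Return capability tokens from '* CAPABILITY ...' or a '[CAPABILITY ...]' code."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        body = m.group(1)
    elif line.upper().startswith("* CAPABILITY "):
        body = line[len("* CAPABILITY "):]
    else:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in body.split()}


def auth_mechs(caps: set) -> set:
    """Extract SASL mechanism names advertised as AUTH=<name>."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def audit_auth_exposure(pre_tls_line: str, post_tls_line: str) -> dict:
    """Report what is offered in the clear and what is withheld until TLS."""
    pre, post = parse_capabilities(pre_tls_line), parse_capabilities(post_tls_line)
    pre_m, post_m = auth_mechs(pre), auth_mechs(post)
    return {
        # PLAIN/LOGIN mechanisms, or the LOGIN command (no LOGINDISABLED),
        # usable without encryption: what disable_plaintext_auth prevents.
        "plaintext_exposed_pre_tls": bool(pre_m & PLAINTEXT_MECHS)
        or "LOGINDISABLED" not in pre,
        # Non-plaintext mechanisms only appearing after STARTTLS: the
        # GSSAPI behaviour the thread asks about.
        "non_plaintext_hidden_pre_tls": sorted((post_m - pre_m) - PLAINTEXT_MECHS),
        "starttls_offered": "STARTTLS" in pre,
    }


if __name__ == "__main__":
    print(audit_auth_exposure(PRE_TLS, POST_TLS))
```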
