Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 - 1.2.4 Upgrade

2009-08-28 Thread Timo Sirainen
On Fri, 2009-08-28 at 15:20 +1000, John Marshall wrote:
> This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
> FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
> GSSAPI authentication had broken.
> 
> It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> with checking for NULs in usernames: everything worked fine when I
> disabled that test.

What exactly is the username? What does it say with the attached patch?

diff -r aaa1b2c25c14 src/auth/mech-gssapi.c
--- a/src/auth/mech-gssapi.c	Fri Aug 28 12:57:03 2009 -0400
+++ b/src/auth/mech-gssapi.c	Fri Aug 28 13:37:33 2009 -0400
@@ -516,7 +516,8 @@
 
 	if (data_has_nuls(name, name_len)) {
 		auth_request_log_info(auth_request, gssapi,
-  authz_name has NULs);
+  authz_name has NULs: %s,
+  binary_to_hex(name, name_len));
 		return -1;
 	}
 
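Review bot: the hex dump is the right diagnostic, but the `if (data_has_nuls(name, name_len))` check at the top of this hunk still returns -1 for a name whose only NUL is a trailing terminator, which is what the reporter's Heimdal builds produce according to the original post; consider trimming a single trailing NUL from name_len before the check (keeping the rejection for any interior NUL, since the name is later used as a C string), so that the "authz_name has NULs" message is reserved for genuinely malformed names.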




Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 - 1.2.4 Upgrade

2009-08-28 Thread John Marshall
On Fri, 28 Aug 2009, 13:38 -0400, Timo Sirainen wrote:
> On Fri, 2009-08-28 at 15:20 +1000, John Marshall wrote:
> > This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
> > FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
> > GSSAPI authentication had broken.
> > 
> > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > with checking for NULs in usernames: everything worked fine when I
> > disabled that test.
> 
> What exactly is the username? What does it say with the attached patch?
 

Thank you.

It looks like the test is picking up the string terminator.

auth(default): gssapi(j...@mby.riverwillow.net.au,192.0.2.168): authz_name has NULs: 6a6f686e404d42592e524956455257494c4c4f572e4e45542e415500

-- 
John Marshall


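Added example (not Dovecot's code, and not the fix linked later in the thread, which this page does not show): a small C program that decodes the hex dump logged in the reply above back into bytes, confirms that the only NUL is the final 0x00 terminator, and contrasts the strict any-NUL check that 1.2.4 applies with a hypothetical variant that tolerates exactly one trailing NUL while still rejecting an interior NUL. The function names (hex_to_binary, authz_name_len) and the tolerant policy are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex dump copied from the log line in the post above. */
static const char LOGGED_HEX[] =
    "6a6f686e404d42592e524956455257494c4c4f572e4e45542e415500";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Inverse of the binary_to_hex() call in the diagnostic patch (hypothetical
   helper). Returns the byte count, or -1 if the input is malformed or too long. */
static long hex_to_binary(const char *hex, unsigned char *out, size_t out_size)
{
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > out_size) return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

/* The strict test the 1.2.4 code applies: any NUL byte fails. */
static bool data_has_nuls(const unsigned char *data, size_t len)
{
    return memchr(data, '\0', len) != NULL;
}

/* Tolerant variant (an assumption of this example, not Dovecot's fix): drop
   exactly one trailing NUL, then apply the strict test to the rest. Returns
   the usable name length, or -1 if a NUL remains. An interior NUL must still
   be rejected: the name ends up in C-string APIs, and accepting "john\0admin"
   would silently authorize "john". */
static long authz_name_len(const unsigned char *name, size_t name_len)
{
    if (name_len > 0 && name[name_len - 1] == '\0')
        name_len--;
    if (data_has_nuls(name, name_len))
        return -1;
    return (long)name_len;
}

/* Does the strict check reject the value that was logged? (It does.) */
bool logged_name_strict_rejects(void)
{
    unsigned char buf[64];
    long n = hex_to_binary(LOGGED_HEX, buf, sizeof buf);
    return n > 0 && data_has_nuls(buf, (size_t)n);
}

/* Length the tolerant check accepts for the logged value: 27 bytes
   ("john@MBY.RIVERWILLOW.NET.AU"), i.e. 28 bytes minus the terminator. */
long logged_name_tolerant_len(void)
{
    unsigned char buf[64];
    long n = hex_to_binary(LOGGED_HEX, buf, sizeof buf);
    return n < 0 ? -1 : authz_name_len(buf, (size_t)n);
}

/* Constructed hostile input: an interior NUL must still yield -1. */
long interior_nul_len(void)
{
    static const unsigned char evil[] = "john\0admin";  /* 10 data bytes */
    return authz_name_len(evil, sizeof evil - 1);
}

int main(void)
{
    unsigned char buf[64];
    long n = hex_to_binary(LOGGED_HEX, buf, sizeof buf);
    printf("decoded %ld bytes; strict check %s; tolerant length %ld\n",
           n, logged_name_strict_rejects() ? "rejects" : "accepts",
           logged_name_tolerant_len());
    printf("interior NUL -> %ld\n", interior_nul_len());
    return 0;
}
```

Decoding the logged value shows 28 bytes whose last byte is 0x00, which is why the strict check fires even though the username itself is clean; the tolerant variant accepts the 27 preceding bytes and still refuses the constructed "john\0admin" input.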


Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 - 1.2.4 Upgrade

2009-08-28 Thread Timo Sirainen
On Sat, 2009-08-29 at 06:08 +1000, John Marshall wrote:
> > > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > > with checking for NULs in usernames: everything worked fine when I
> > > disabled that test.
> > 
> > What exactly is the username? What does it say with the attached patch?
> > 
> 
> Thank you.
> 
> It looks like the test is picking up the string terminator.

OK, I guess this fixes it then?
http://hg.dovecot.org/dovecot-1.2/rev/a37fa30b0072





Re: [Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 - 1.2.4 Upgrade

2009-08-28 Thread John Marshall
On Fri, 28 Aug 2009, 16:51 -0400, Timo Sirainen wrote:
> On Sat, 2009-08-29 at 06:08 +1000, John Marshall wrote:
> > > > It turned out to be a recent change in Dovecot's mech-gssapi.c to do
> > > > with checking for NULs in usernames: everything worked fine when I
> > > > disabled that test.
> > > 
> > > What exactly is the username? What does it say with the attached patch?
> > > 
> > 
> > Thank you.
> > 
> > It looks like the test is picking up the string terminator.
> 
> OK, I guess this fixes it then?
> http://hg.dovecot.org/dovecot-1.2/rev/a37fa30b0072

Yes.  Thank you!

-- 
John Marshall




[Dovecot] GSSAPI Authentication Broke with Dovecot 1.1.16 - 1.2.4 Upgrade

2009-08-27 Thread John Marshall
This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
GSSAPI authentication had broken.

It turned out to be a recent change in Dovecot's mech-gssapi.c to do
with checking for NULs in usernames: everything worked fine when I
disabled that test.
http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b

This is what I was seeing in the log file with auth_debug enabled:

  auth(default): client in: AUTH	1	GSSAPI	service=imap	secured	lip=192.0.2.36	rip=192.0.2.168	lport=143	rport=51168
  auth(default): gssapi(?,192.0.2.168): Obtaining credentials for i...@mail1.example.com
  auth(default): client out: CONT	1	
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): security context state completed.
  auth(default): client out: CONT	1	YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgREIuGJR3fqiMdvWjEg6utI7bt3fZuI8Ulk4LoFu59aMgnX+Kivdohxin2A71UCEC7oG0sVYe7vrTjg2N9s27D1BLRuJbQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): Negotiated security layer
  auth(default): client out: CONT	1	YD8GCSqGSIb3EgECAgIBBAD/MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ=
  auth(default): client in: CONT<hidden>
  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: FAIL	1	user=j...@example.com
  imap-login: Disconnected (auth failed, 1 attempts): user=j...@example.com, method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected

I commented out the 'return -1;' at the end of the if(data_has_nuls)
block (to preserve the log message but fall through), rebuilt, and
everything works again.

  auth(default): gssapi(j...@example.com,192.0.2.168): authz_name has NULs
  auth(default): client out: OK	1	user=j...@example.com

I tried building dovecot 1.2.4 with Heimdal 0.6.3, 1.0.1 and 1.2.1 and
all gave the same result.  Is it possible that the data_has_nuls test
doesn't work as intended or that it only works with MIT Kerberos?

Thank you.

-- 
John Marshall

