Advanced configuration:
-Specifying --with-kerberos=DIR will tell the fetchmail build process to
-look in DIR for Kerberos support. Configure normally looks in /usr/kerberos
-and /usr/athena; if you specify this option with an argument it will look
-in DIR first.
+Specifying --with-kerberos=DIR or --with-kerberos5=DIR will tell the
+fetchmail build process to look in DIR for Kerberos support.
+Configure normally looks in /usr/kerberos and /usr/athena; if you
+specify this option with an argument it will look in DIR first.
Unfortunately, there doesn't seem to be good standardization of where
Kerberos lives. If your configuration doesn't match one of the four
* Make the antispam response configurable.
* Handle multi-homed hosts correctly.
- Other TO-DO items:
-
-* Get with Craig Metz to write a draft RFC on RFC1938 support in IMAP.
-
Release Notes:
------------------------------------------------------------------------------
* Relax the LOGIN capability check in IMAP.
* John Stracke <francis@netscape.com> sent a workaround for SIGALRM flakiness
under Red Hat 5.0.
+* Kerberos V support from Jon Dugan <jdugan@ncsa.uiuc.edu> and
+ Von Welch <vwelch@ncsa.uiuc.edu>.
There are 269 people on fetchmail-friends and 144 on fetchmail-announce.
done
fi
+### use option --with-kerberos5=DIR to point at a Kerberos 5 directory
+AC_ARG_WITH(kerberos5,
+ [ --with-kerberos5=DIR point fetchmail compilation at a Kerberos 5 directory])
+
+# The "then" arm (nonempty $with_kerberos5) is kind of a crock. It works for
+# configuring the BSD/OS Kerberos IV support, though.
+if test "$with_kerberos5" != "yes"
+then
+ # Path given
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$with_kerberos5/include"
+ LDEFLAGS="$LDEFLAGS -L$with_kerberos5/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+else
+ for dir in /usr/kerberos /usr/local/krb5 /usr/athena
+ do
+ if test -f "$dir/include/krb5.h"
+ then
+ CEFLAGS="$CEFLAGS -DKERBEROS_V5 -I$dir/include"
+ LDEFLAGS="$LDEFLAGS -L$dir/lib"
+ LIBS="$LIBS -lkrb5 -lcrypto -lcom_err"
+ break
+ fi
+ done
+fi
+
AC_OUTPUT(Makefile, [
# The reason for this odd makedepend line is that we want
# to have all dependencies evaluated relative to the source directory
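Review bot: The test `if test "$with_kerberos5" != "yes"` treats an absent option the same as an explicit path: when `--with-kerberos5` is not given at all, `$with_kerberos5` is empty, the comparison succeeds, and every build gets `-DKERBEROS_V5 -I/include -L/lib -lkrb5 -lcrypto -lcom_err` added unconditionally. That holds unless an enclosing `if test -n "$with_kerberos5"` sits above the hunk; the comment's "nonempty $with_kerberos5" hints at one, but the `fi` on the first context line closes the V4 block and no further `fi` follows the new block before `AC_OUTPUT`. Guarding the path arm with `if test -n "$with_kerberos5" && test "$with_kerberos5" != "yes"` keeps the documented behaviour (probe `/usr/kerberos`, `/usr/local/krb5`, `/usr/athena` when no directory is named) without defining `KERBEROS_V5` for builds that never asked for it. The comment above the test still says "configuring the BSD/OS Kerberos IV support", copied from the V4 block; it should say V5 or be dropped.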
#include <netinet/in.h>
#include <netdb.h>
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+#include <krb5.h>
+#include <com_err.h>
+#endif /* KEREROS_V5 */
+
#include "fetchmail.h"
#include "socket.h"
#include "smtp.h"
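Review bot: The trailer comment on the new `#endif` is misspelled `KEREROS_V5`, so a search for the guard macro's closing comment misses it. `#endif /* KERBEROS_V5 */` matches the spelling used by the other blocks in this commit.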
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+int
+kerberos5_auth(socket, canonical)
+/* authernticate to the server host using Kerberos V5 */
+int socket; /* socket to server host */
+const char *canonical; /* server name */
+{
+ krb5_error_code retval;
+ krb5_context context;
+ krb5_ccache ccdef;
+ krb5_principal client = NULL, server = NULL;
+ krb5_error *err_ret = NULL;
+
+ krb5_auth_context auth_context = NULL;
+
+ krb5_init_context(&context);
+ krb5_init_ets(context);
+ krb5_auth_con_init(context, &auth_context);
+
+ if (retval = krb5_cc_default(context, &ccdef)) {
+ error(0, 0, "krb5_cc_default: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_cc_get_principal(context, ccdef, &client)) {
+ error(0, 0, "krb5_cc_get_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ if (retval = krb5_sname_to_principal(context, canonical, "pop",
+ KRB5_NT_UNKNOWN,
+ &server)) {
+ error(0, 0, "krb5_sname_to_principal: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ retval = krb5_sendauth(context, &auth_context, (krb5_pointer) &socket,
+ "KPOPV1.0", client, server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL, /* no data to checksum */
+ 0, /* no creds, use ccache instead */
+ ccdef,
+ &err_ret, 0,
+
+ NULL); /* don't need reply */
+
+ krb5_free_principal(context, server);
+ krb5_free_principal(context, client);
+ krb5_auth_con_free(context, auth_context);
+
+ if (retval) {
+ if (err_ret && err_ret->text.length) {
+ error(0, 0, "krb5_sendauth: %s [server says '%*s'] ",
+ error_message(retval),
+ err_ret->text.length,
+ err_ret->text.data);
+ krb5_free_error(context, err_ret);
+ } else
+ error(0, 0, "krb5_sendauth: %s", error_message(retval));
+ return(PS_ERROR);
+ }
+
+ return 0;
+}
+#endif /* KERBEROS_V5 */
+
int do_protocol(ctl, proto)
/* retrieve messages from server using given protocol method table */
struct query *ctl; /* parsed options with merged-in defaults */
}
#endif /* KERBEROS_V4 */
+#ifndef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ error(0, -1, "Kerberos V5 support not linked.");
+ return(PS_ERROR);
+ }
+#endif /* KERBEROS_V5 */
+
/* lacking methods, there are some options that may fail */
if (!proto->is_old)
{
}
#endif /* KERBEROS_V4 */
+#ifdef KERBEROS_V5
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ {
+ ok = kerberos5_auth(sock, ctl->server.truename);
+ if (ok != 0)
+ goto cleanUp;
+ set_timeout(ctl->server.timeout);
+ }
+#endif /* KERBEROS_V5 */
+
/* accept greeting message from mail server */
ok = (protocol->parse_response)(sock, buf);
if (ok != 0)
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<HR>
<H2>Since 4.0:</H2>
<UL>
+<LI> Support for Kerberos V authentication.
+
<LI> Support for IMAP-OTP authentication using Craig Metz's patches
for UW IMAP.
<table width="100%" cellpadding=0><tr>
<td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
<td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 1998/02/24 20:55:14 $
+<td width="30%" align=right>$Date: 1998/03/03 21:22:31 $
</table>
<P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS>
for (ctl = querylist; ctl; ctl = ctl->next)
if (ctl->active && !(implicitmode && ctl->server.skip)&&!ctl->password)
{
- if (ctl->server.preauthenticate == A_KERBEROS_V4 || ctl->server.protocol == P_IMAP_K4 || ctl->server.protocol == P_IMAP_GSS)
+ if (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5 ||
+ ctl->server.protocol == P_IMAP_K4 ||
+ ctl->server.protocol == P_IMAP_GSS)
/* Server won't care what the password is, but there
must be some non-null string here. */
ctl->password = ctl->remotename;
* nameserver is still up. The multidrop case
* (especially) needs it.
*/
- if (ctl->server.preauthenticate==A_KERBEROS_V4 || MULTIDROP(ctl))
+ if (ctl->server.preauthenticate==A_KERBEROS_V4 ||
+ ctl->server.preauthenticate==A_KERBEROS_V5 ||
+ MULTIDROP(ctl))
{
struct hostent *namerec;
#else /* INET6 */
&& ctl->server.port == KPOP_PORT
#endif /* INET6 */
- && ctl->server.preauthenticate == A_KERBEROS_V4)
+ && (ctl->server.preauthenticate == A_KERBEROS_V4 ||
+ ctl->server.preauthenticate == A_KERBEROS_V5))
printf(" Protocol is KPOP");
else
printf(" Protocol is %s", showproto(ctl->server.protocol));
putchar('\n');
if (ctl->server.preauthenticate == A_KERBEROS_V4)
printf(" Kerberos V4 preauthentication enabled.\n");
+ if (ctl->server.preauthenticate == A_KERBEROS_V5)
+ printf(" Kerberos V5 preauthentication enabled.\n");
if (ctl->server.timeout > 0)
printf(" Server nonresponse timeout is %d seconds", ctl->server.timeout);
if (ctl->server.timeout == CLIENT_TIMEOUT)
/* preauthentication types */
#define A_PASSWORD 0 /* password or inline authentication */
#define A_KERBEROS_V4 1 /* preauthenticate w/ Kerberos V4 */
+#define A_KERBEROS_V5 2 /* preauthenticate w/ Kerberos V5 */
/*
* Definitions for buffer sizes. We get little help on setting maxima
skipped. This option is currently only supported under Linux.
.TP
.B \-A, --auth
-(Keyword: auth[enticate])
+(Keyword: auth[enticate])
This option permits you to specify a preauthentication type (see USER
AUTHENTICATION below for details). The possible values are
-\&`\fBpassword\fR' and `\fBkerberos\fR' (or, for excruciating
-exactness, `\fBkerberos_v4\fR'). This option is provided
+\&`\fBpassword\fR', `\fBkerberos_v5\fR' and `\fBkerberos\fR' (or, for
+excruciating exactness, `\fBkerberos_v4\fR'). This option is provided
primarily for developers; choosing KPOP protocol automatically selects
-Kerberos preauthentication, and all other alternatives use
-password authentication (though APOP uses a generated one-time
-key as the password and IMAP-K4 uses RFC1731 Kerberos v4 authentication).
-This option does not work with ETRN.
+Kerberos preauthentication, and all other alternatives use password
+authentication (though APOP uses a generated one-time key as the
+password and IMAP-K4 uses RFC1731 Kerberos v4 authentication). This
+option does not work with ETRN.
.SS Miscellaneous Options
.TP
.B \-f pathname, --fetchmailrc pathname
#else /* INET6 */
ctl->server.port = KPOP_PORT;
#endif /* INET6 */
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
}
else if (strcasecmp(optarg,"imap") == 0)
ctl->server.protocol = P_IMAP;
if (strcmp(optarg, "password") == 0)
ctl->server.preauthenticate = A_PASSWORD;
else if (strcmp(optarg, "kerberos") == 0)
+#ifdef KERBEROS_V5
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+ else if (strcmp(optarg, "kerberos_v5") == 0)
+ ctl->server.preauthenticate = A_KERBEROS_V5;
+#else
ctl->server.preauthenticate = A_KERBEROS_V4;
else if (strcmp(optarg, "kerberos_v4") == 0)
ctl->server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
else {
fprintf(stderr,"Invalid preauthentication `%s' specified.\n", optarg);
errflag++;
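Review bot: In a build with `KERBEROS_V5` defined, the `kerberos_v4` spelling is no longer accepted by `--auth`: its comparison now sits inside the `#else` arm, so the string falls through to the "Invalid preauthentication" branch even when `KERBEROS_V4` is compiled in as well, while the rcfile grammar in the same commit still accepts `kerberos_v4` unconditionally and the man page change still documents it. Since `kpop` and `kerberos` now select V5 on such a build, `kerberos_v4` is the only remaining way to ask for V4 from the command line, so the two lines `else if (strcmp(optarg, "kerberos_v4") == 0)` / `ctl->server.preauthenticate = A_KERBEROS_V4;` belong after the `#endif`, outside the conditional. The enclosing option-parsing function starts and ends outside the hunk.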
interval { return INTERVAL; }
auth(enticate)? { return AUTHENTICATE; }
kerberos_v4 { return KERBEROS4; }
-kerberos { return KERBEROS4; }
+kerberos { return KERBEROS; }
+kerberos_v5 { return KERBEROS5; }
timeout { return TIMEOUT;}
envelope { return ENVELOPE; }
qvirtual { return QVIRTUAL; }
}
%token DEFAULTS POLL SKIP VIA AKA LOCALDOMAINS PROTOCOL
-%token AUTHENTICATE TIMEOUT KPOP KERBEROS4
+%token AUTHENTICATE TIMEOUT KPOP KERBEROS4 KERBEROS5 KERBEROS
%token ENVELOPE QVIRTUAL USERNAME PASSWORD FOLDER SMTPHOST MDA SMTPADDRESS
%token PRECONNECT POSTCONNECT LIMIT
%token IS HERE THERE TO MAP WILDCARD
| PROTOCOL PROTO {current.server.protocol = $2;}
| PROTOCOL KPOP {
current.server.protocol = P_POP3;
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
#if INET6
current.server.service = KPOP_PORT;
#else /* INET6 */
| INTERVAL NUMBER {current.server.interval = $2;}
| AUTHENTICATE PASSWORD {current.server.preauthenticate = A_PASSWORD;}
| AUTHENTICATE KERBEROS4 {current.server.preauthenticate = A_KERBEROS_V4;}
+ | AUTHENTICATE KERBEROS5 {current.server.preauthenticate = A_KERBEROS_V5;}
+ | AUTHENTICATE KERBEROS {
+#ifdef KERBEROS_V5
+ current.server.preauthenticate = A_KERBEROS_V5;
+#else
+ current.server.preauthenticate = A_KERBEROS_V4;
+#endif /* KERBEROS_V5 */
+ }
| TIMEOUT NUMBER {current.server.timeout = $2;}
| ENVELOPE NUMBER STRING
# Legal authentication types are
# login
# kerberos
+# kerberos_v5
#
# Legal global option statements are
#