Hello Ivan!

That is good news!!

Ivan Vučica wrote in <CAGPLYoRQ=LXPMFUxaEEJ882tqFXHOb3sWh2Wb_aJ-636faeT\
h...@mail.gmail.com>:
 |On Thu, Jun 20, 2019 at 12:55 AM Steffen Nurpmeso <stef...@sdaoden.eu> \
 |wrote:
 |> Steffen Nurpmeso wrote in <20190619234414.zvcpd%stef...@sdaoden.eu>:
 |>   ...
 |>|Dear Ivan.  If you are willing to test once again, at [1] there is
 |>|a complete ball, but you could also simply apply the attached
 |>|patch instead, which is very much smaller.
 |>|
 |>|I am sorry for the inconvenience, and i hope this fixes GSSAPI.
 |>  ...
 |>
 |> the patch was reversed; here is the right one.
 |
 |You did not quote "the right one", but the master branch seems to use
 |6b070335 from the previous email, so I used that.
 |
 |If you mean the attachment, AFAICT it matches 6b070335 so that was
 |already included. :-)

Aeh, ok. :--)

 |>|No, this is actually success. I kdestroyed the ticket cache
 |>|beforehand, and kinited.
 |>
 |> And isn't that cooler than OAUTH?  And no advertising, neither
 |> yesterday nor today and very likely also tomorrow not.
 |
 |It all comes down to scalability and scoping of non-password
 |authentication on larger systems. OAuth2 is simpler than Kerberos, and
 |doesn't (as generally implemented) depend on a secret being provided
 |to obtain a TGT.

 |But it's not why I brought it up earlier; XOAUTH2 (and other mechanism
 |names used to represent this authentication method using a bearer
 |token obtained through out-of-channel means, which can be a browser,

I really dislike being a "lesser secure app".  My passwords are
stored on an encrypted volume (if i would be truly professional
i would have some encrypted key stick instead), which is normally
not even mounted.  They actually exist in a file in netrc syntax
which is encrypted via PGP, and only decrypted on-the-fly.  Why is
this less trustable than some storage system at Google?  It
crosses the wire, maybe.  But that uses the same encryption method
that i would have to use when creating the OAuth originally.  That
is once, maybe.  So then why not being able to use an account
master and a secondary per-service key regularly?

My thought is just that with Kerberos i can have a local ticket
that is initialized once, via a local password.  Any further
communication is then based upon this temporary ticket.  They may
call it bearer token instead.

But my real criticism lies about twenty years in the past, once
Germany got a new passport.  I have never understood why they did
not ship a PGP and a SSL key/certificate with a usage notice, also
for the most common applications alongside that.  And a rather
cheap chip reader which could optionally have been bought
bundled.  They should have placed a chip directly on it maybe
even.  I mean, what am i without my passport, on a border, in
a foreign country, in a police control?  The FreeBSD developers
recommended RSA 4096 already by then, which should still be worth
a decade or even longer, as i understand things.

I dedicated all my being to my people/country naturally, just by
being born like that, and if i can be selective upon that, i'd
rather not give mobile phone identity or whatever to large
companies if possible.  That much is plain.  I am pretty much
anti-capitalistic in that sense.  But it is not that i really
care, all that can't be helped and has been addressed in
literature and films for more than half a century.  The pain comes
when it hits you personally, and i do not see why i am treated as
a lesser secure app.

 |but don't have to be) is just one of many SASL mechanisms you'd get
 |for free.

Yes, SASL is on the TODO list for a long time, at least as an
option.  I really hope for end of 2020 for v15.  This could then
be some kind of (optional) filter on a socket level maybe, if
i recall correctly, usable by all protocols we understand by then,
and any others later on.
I mean it could of course be (rather) hacked in already today; it
would likely not take a week, maybe even not more than two or
three days, i have forgotten (i added the TODO five years and
a month ago ;-)

 |> I should have warned you that the password and credentials will be
 |> included in the debug output.
 |
 |No, it's to be expected if it's obvious that there's raw IMAP protocol
 |being logged. That's why I took care and removed what looked like
 |credentials. (Thankfully, I'm familiar enough with IMAP anyway.)

Good.  We also say "user .. pass", but i did it so that one can
debug whether it is the right one, say.  You can always create
a temporary tty/terminal and/or slock when you are away.
Whatever.

 |> ..../6b070335d77251308e1910f9efb2e08754a1f176
 |
 |Thank you, this has fixed it.

That is really good news!  I happily skip setting up a GSSAPI test
bed next week then, it is midsummer!!  Thank you, Ivan.

 |I was seeing this, though:
 |
 |```
 |s-nail:  s-nail version v14.9.13.  Type `?' for help
 |+[imap://ivuc...@myhostname.ds.mydomain.net/]INBOX: 3 messages
 |▸O  1 xxxxxx    2019-01-29 03:15     /40755 aaaaaaaa
 | O  2 xxxxxxx 2019-02-01 09:58     /31642 aaaaaaaaa
 | O  3 xxxxxxx. 2019-01-28 15:34     /24693 aaaaaaa
 |There are new messages in the error message ring (denoted by ERROR)
 |  It can be managed with the `errors' command
 |ERROR# ? errors
 |   1.
 |? errors
 |The error ring is empty
 |? q
 |Held 3 messages in +[imap://ivuc...@myhostname.ds.mydomain.net/]INBOX
 |```
 |
 |I'm not sure how to use the 'errors' command or where this error came
 |from. In the meantime I cleaned the inbox, so I am no longer seeing
 |this error and probably can't easily reproduce it.

That was the right way, but an empty message i maybe have never
seen.  Hm.  Well.  The ring is cleared once you dump it, it is
just a parachute so that error messages do not get lost, that they
can be seen at least once, which is a problem for this console
application which happily scrolls anything out of view.

 |Either way, the original bug is now gone from upstream, so if
 |experimental were updated to 6b070335d77251308e1910f9efb2e08754a1f176
 |or later, that would solve debian bug #930691.

Great.  I will release a v14.9.14 bugfix by the end of the next
week.  I have to set up some VMs again (and new ones, too: new OpenBSD,
NetBSD, DragonFly BSD came up in the last month) and do a test
series first; depending upon how long that takes, maybe i can even
create a GSSAPI testbed for the first time in over four years.
(On the other hand it will be summer... thanks for your
confirmation again, Ivan!)

 --End of <CAGPLYoRQ=LXPMFUxaEEJ882tqFXHOb3sWh2Wb_aJ-636faeThg@mail.gmail\
 .com>

Ciao, Ivan!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
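Ivan's remark about scrubbing what looked like credentials from the raw IMAP trace, and Steffen's note that s-nail prints "user .. pass" in debug output, are exactly what a redaction pass should handle before such a log is shared. The Python below is an added example, not code from s-nail or from either poster; it assumes a constructed trace format with `>>> `/`<<< ` line prefixes and hypothetical credentials, and redacts LOGIN passwords as well as SASL PLAIN/XOAUTH2 payloads (both continuation lines and initial responses) while leaving the rest of the session readable.

```python
import base64
import re
from typing import Tuple

CLIENT = ">>> "  # assumed prefix for client-to-server lines in the trace
SERVER = "<<< "  # assumed prefix for server-to-client lines

# Constructed sample session with hypothetical user, password and token.
USER, PASSWORD, TOKEN = "ivan@example.net", "hunter2", "constructed-bearer-token"
PLAIN_IR = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
XOAUTH2_IR = base64.b64encode(f"user={USER}\x01auth=Bearer {TOKEN}\x01\x01".encode()).decode()
SAMPLE_TRACE = "\n".join([
    f'{CLIENT}a001 LOGIN "{USER}" "{PASSWORD}"',
    f"{SERVER}a001 OK LOGIN completed",
    f"{CLIENT}a002 AUTHENTICATE PLAIN",
    f"{SERVER}+ ",                      # server asks for the SASL payload
    f"{CLIENT}{PLAIN_IR}",              # base64 of \0user\0password
    f"{SERVER}a002 OK AUTHENTICATE completed",
    f"{CLIENT}a003 AUTHENTICATE XOAUTH2 {XOAUTH2_IR}",  # SASL-IR form
    f"{SERVER}a003 OK AUTHENTICATE completed",
    f"{CLIENT}a004 SELECT INBOX",
])

LOGIN_RE = re.compile(r"^(\S+ LOGIN \S+ )(.+)$", re.IGNORECASE)
AUTH_RE = re.compile(r"^(\S+ AUTHENTICATE \S+)( .+)?$", re.IGNORECASE)
TAGGED_RE = re.compile(r"^\S+ (OK|NO|BAD)\b", re.IGNORECASE)

def redact_trace(trace: str) -> Tuple[str, int]:
    """Return the trace with LOGIN passwords, SASL initial responses and SASL
    continuation payloads replaced by [REDACTED], plus the redaction count."""
    out, count, in_sasl = [], 0, False
    for line in trace.splitlines():
        if line.startswith(SERVER):
            # A tagged OK/NO/BAD ends the SASL exchange; "+" continuations do not.
            if in_sasl and TAGGED_RE.match(line[len(SERVER):]):
                in_sasl = False
            out.append(line)
            continue
        is_client = line.startswith(CLIENT)
        body = line[len(CLIENT):] if is_client else line
        m = LOGIN_RE.match(body)
        if m:
            body, count = m.group(1) + "[REDACTED]", count + 1
        elif in_sasl:  # every client line during a SASL exchange is a secret
            body, count = "[REDACTED]", count + 1
        else:
            m = AUTH_RE.match(body)
            if m:
                in_sasl = True
                if m.group(2):  # initial response carried on the command line
                    body, count = m.group(1) + " [REDACTED]", count + 1
        out.append(CLIENT + body if is_client else body)
    return "\n".join(out), count
```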
