Package: offlineimap Version: 5.99.4 Followup-For: Bug #359213 Tags: Patch Hi, the attached patch adds gssapi support using pykerberos. Pykerberos itself needs two patches: http://trac.calendarserver.org/projects/calendarserver/ticket/213 http://trac.calendarserver.org/projects/calendarserver/ticket/214 I've put the combined pykerberos patch here: https://honk.sigxcpu.org/unsorted-patches/offlineimap-support-GSSAPI-via-pykerberos.diff pykerberos itself is Apache 2 licensed. I can upload a patched version of it to experimental until upstream added the patches in case you consider applying the offlineimap patch. Cheers, -- Guido
>From 805a936c87d84cc99fff6867323b02b96ed16b4e Mon Sep 17 00:00:00 2001 From: Guido Guenther <[EMAIL PROTECTED]> Date: Mon, 14 Jan 2008 22:27:16 +0100 Subject: [PATCH] support GSSAPI via pykerberos --- offlineimap/imapserver.py | 59 +++++++++++++++++++++++++++++++++++++++----- 1 files changed, 52 insertions(+), 7 deletions(-) diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py index b96a404..2d5d5e6 100644 --- a/offlineimap/imapserver.py +++ b/offlineimap/imapserver.py @@ -21,7 +21,16 @@ from offlineimap import imaplibutil, imaputil, threadutil from offlineimap.ui import UIBase from threading import * import thread, hmac, os +import base64 +try: + # do we have a recent pykerberos? + have_gss = False + import kerberos + if 'authGSSClientWrap' in dir(kerberos): + have_gss = True +except ImportError: + pass class UsefulIMAPMixIn: def getstate(self): @@ -58,6 +67,8 @@ class UsefulIMAP4_SSL(UsefulIMAPMixIn, imaplib.IMAP4_SSL): class UsefulIMAP4_Tunnel(UsefulIMAPMixIn, imaplibutil.IMAP4_Tunnel): pass class IMAPServer: + GSS_STATE_STEP = 0 + GSS_STATE_WRAP = 1 def __init__(self, config, reposname, username = None, password = None, hostname = None, port = None, ssl = 1, maxconnections = 1, tunnel = None, @@ -86,6 +97,9 @@ class IMAPServer: self.semaphore = BoundedSemaphore(self.maxconnections) self.connectionlock = Lock() self.reference = reference + self.gss_step = 0 + self.gss_vc = None + self.gssapi = False def getpassword(self): if self.goodpassword != None: @@ -134,7 +148,24 @@ class IMAPServer: UIBase.getglobalui().debug('imap', 'Attempting plain authentication') imapobj.login(self.username, self.getpassword()) - + + def gssauth(self, response): + data = base64.b64encode(response) + if self.gss_step == self.GSS_STATE_STEP: + if not self.gss_vc: + rc, self.gss_vc = kerberos.authGSSClientInit("imap@" + self.hostname) + response = kerberos.authGSSClientResponse(self.gss_vc) + rc = kerberos.authGSSClientStep(self.gss_vc, data) + if rc != kerberos.AUTH_GSS_CONTINUE: + self.gss_step = self.GSS_STATE_WRAP + elif self.gss_step == self.GSS_STATE_WRAP: + rc = kerberos.authGSSClientUnwrap(self.gss_vc, data) + response = kerberos.authGSSClientResponse(self.gss_vc) + rc = kerberos.authGSSClientWrap(self.gss_vc, response, self.username) + response = kerberos.authGSSClientResponse(self.gss_vc) + if not response: + response = "" + return base64.b64decode(response) def acquireconnection(self): """Fetches a connection from the pool, making sure to create a new one @@ -186,15 +217,29 @@ class IMAPServer: if not self.tunnel: try: - if 'AUTH=CRAM-MD5' in imapobj.capabilities: + # Try GSSAPI and continue if it fails + if 'AUTH=GSSAPI' in imapobj.capabilities and have_gss: UIBase.getglobalui().debug('imap', - 'Attempting CRAM-MD5 authentication') + 'Attempting GSSAPI authentication') try: - imapobj.authenticate('CRAM-MD5', self.md5handler) - except imapobj.error, val: + imapobj.authenticate('GSSAPI', self.gssauth) + except kerberos.GSSError, err: + UIBase.getglobalui().debug('imap', + '%s: %s' % (err[0][0], err[1][0])) + else: + self.gssapi = True + self.password = None + + if not self.gssapi: + if 'AUTH=CRAM-MD5' in imapobj.capabilities: + UIBase.getglobalui().debug('imap', + 'Attempting CRAM-MD5 authentication') + try: + imapobj.authenticate('CRAM-MD5', self.md5handler) + except imapobj.error, val: + self.plainauth(imapobj) + else: self.plainauth(imapobj) - else: - self.plainauth(imapobj) # Would bail by here if there was a failure. success = 1 self.goodpassword = self.password -- 1.5.3.7