Bug#448499: cyrus-clients-2.3: imtest fails with Dovecot/GSSAPI: invalid response length
Package: cyrus-clients-2.3
Version: 2.2
Followup-For: Bug #448499

Hello,

I can confirm this bug also exists in cyrus-clients-2.2 (current stable). Running imtest with -a also fails. Both client and server are running Debian etch.

client:

[EMAIL PROTECTED] ~]$ imtest -s -m GSSAPI the-tech.mit.edu
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE GSSAPI [data redacted]
S: + [data redacted]
C: S: + [data redacted]
C: [data redacted]
S: A01 NO Authentication failed.
Authentication failed. generic failure
Security strength factor: 256
C: Q01 LOGOUT
Connection closed.

[EMAIL PROTECTED] ~]$ imtest -s -m GSSAPI -a rram the-tech.mit.edu
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE GSSAPI [data redacted]
S: + [data redacted]
C: S: + [data redacted]
C: [data redacted]
S: A01 NO Authentication failed.
Authentication failed. generic failure
Security strength factor: 256
C: Q01 LOGOUT
Connection closed.

[EMAIL PROTECTED] ~]$ imtest -s -m GSSAPI -u rram the-tech.mit.edu
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI] Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE GSSAPI [data redacted]
S: + [data redacted]
C: S: + [data redacted]
C: [data redacted]
S: A01 OK Logged in.
Authenticated.
Security strength factor: 256
C: Q01 LOGOUT
Connection closed.

server:

May 15 01:04:22 the-tech dovecot: auth(default): gssapi(?,18.181.0.51): Invalid response length
May 15 01:04:27 the-tech dovecot: imap-login: Aborted login: method=GSSAPI, rip=18.181.0.51, lip=18.187.1.155, TLS
May 15 01:04:34 the-tech dovecot: auth(default): gssapi(?,18.181.0.51): Invalid response length
May 15 01:04:36 the-tech dovecot: imap-login: Aborted login: method=GSSAPI, rip=18.181.0.51, lip=18.187.1.155, TLS
May 15 01:04:41 the-tech dovecot: imap-login: Login: user=, method=GSSAPI, rip=18.181.0.51, lip=18.187.1.155, TLS
May 15 01:04:43 the-tech dovecot: IMAP(rram): Disconnected: Logged out

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Bug#448499: cyrus-clients-2.3: imtest fails with Dovecot/GSSAPI: invalid response length
severity 448499 minor
thanks

Brian:

This is definitely interesting. It's very difficult to tell what's going on since the relevant part (what's different) was blacked out. I'd be interested in what happens if you try -a instead of -u.

Since imtest works fine with -u, and the default is just a matter of convenience and the failure is trivial to work around, I'm going to drop the severity of this bug to minor. I don't have much time at the moment to debug it, but I'll definitely leave the bug open.

Benjamin

brian m. carlson wrote:
> Package: cyrus-clients-2.3
> Version: 2.3.8-1
> Severity: normal
> File: /usr/bin/imtest
>
> imtest fails to authenticate against Dovecot using GSSAPI, unless I
> use the -u option.
>
> mutt and evolution work fine, both using STARTTLS and GSSAPI. Whether
> I use STARTTLS (-t "") has no bearing on whether or not imtest works.
> Note that authentication *does* work if I use -u bmc to specify the
> authorization user ID, but it shouldn't require that, since I'm logged
> into the client machine as bmc.
>
> Client side:
> lakeview no % imtest -m GSSAPI castro
> S: * OK Dovecot ready.
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND
> UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS
> LOGINDISABLED AUTH=GSSAPI
> S: C01 OK Capability completed.
> C: A01 AUTHENTICATE GSSAPI ...
> S: + ...
> C: S: + ...
> C: ...
> S: A01 NO Authentication failed.
> Authentication failed. generic failure
> Security strength factor: 0
> * LOGOUT
> * BYE Logging out
> * OK Logout completed.
> Connection closed.
>
> lakeview ok % imtest -m GSSAPI -u bmc castro
> S: * OK Dovecot ready.
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND
> UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS
> LOGINDISABLED AUTH=GSSAPI
> S: C01 OK Capability completed.
> C: A01 AUTHENTICATE GSSAPI ...
> S: + ...
> C: S: + ...
> C: ...
> S: A01 OK Logged in.
> Authenticated.
> Security strength factor: 0
> * LOGOUT
> * BYE Logging out
> * OK Logout completed.
> Connection closed.
>
> lakeview ok % whoami
> bmc
>
> Server side:
> Oct 29 09:31:28 castro dovecot: auth(default):
> gssapi(?,:::172.16.2.249): Invalid response length
> Oct 29 09:31:35 castro dovecot: imap-login: Aborted login:
> method=GSSAPI, rip=:::172.16.2.249, lip=:::98.197.197.167, TLS
> Oct 29 10:14:21 castro dovecot: imap-login: Login: user=,
> method=GSSAPI, rip=:::172.16.2.249, lip=:::98.197.197.167
> Oct 29 10:14:24 castro dovecot: IMAP(bmc): Disconnected: Logged out
>
> Actual data is omitted and replaced with "...", because I'm not sure
> whether any sensitive information is passed. If no sensitive
> information is passed, or that information can be readily destroyed
> (say, with kdestroy and kinit), then I'm happy to provide a full
> transcript. If a DD really needs a test account, I'm happy to provide
> one of those, too; simply send me an email with your preferred username.
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.23-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages cyrus-clients-2.3 depends on:
> ii  libc6        2.6.1-6          GNU C Library: Shared libraries
> ii  libdb4.4     4.4.20-11        Berkeley v4.4 Database Libraries [
> ii  libsasl2-2   2.1.22.dfsg1-16  Cyrus SASL - authentication abstra
> ii  libssl0.9.8  0.9.8g-1         SSL shared libraries
>
> cyrus-clients-2.3 recommends no packages.
>
> -- no debconf information
Bug#448499: cyrus-clients-2.3: imtest fails with Dovecot/GSSAPI: invalid response length
Package: cyrus-clients-2.3
Version: 2.3.8-1
Severity: normal
File: /usr/bin/imtest

imtest fails to authenticate against Dovecot using GSSAPI, unless I use the -u option.

mutt and evolution work fine, both using STARTTLS and GSSAPI. Whether I use STARTTLS (-t "") has no bearing on whether or not imtest works. Note that authentication *does* work if I use -u bmc to specify the authorization user ID, but it shouldn't require that, since I'm logged into the client machine as bmc.

Client side:

lakeview no % imtest -m GSSAPI castro
S: * OK Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE GSSAPI ...
S: + ...
C: S: + ...
C: ...
S: A01 NO Authentication failed.
Authentication failed. generic failure
Security strength factor: 0
* LOGOUT
* BYE Logging out
* OK Logout completed.
Connection closed.

lakeview ok % imtest -m GSSAPI -u bmc castro
S: * OK Dovecot ready.
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS STARTTLS LOGINDISABLED AUTH=GSSAPI
S: C01 OK Capability completed.
C: A01 AUTHENTICATE GSSAPI ...
S: + ...
C: S: + ...
C: ...
S: A01 OK Logged in.
Authenticated.
Security strength factor: 0
* LOGOUT
* BYE Logging out
* OK Logout completed.
Connection closed.

lakeview ok % whoami
bmc

Server side:

Oct 29 09:31:28 castro dovecot: auth(default): gssapi(?,:::172.16.2.249): Invalid response length
Oct 29 09:31:35 castro dovecot: imap-login: Aborted login: method=GSSAPI, rip=:::172.16.2.249, lip=:::98.197.197.167, TLS
Oct 29 10:14:21 castro dovecot: imap-login: Login: user=, method=GSSAPI, rip=:::172.16.2.249, lip=:::98.197.197.167
Oct 29 10:14:24 castro dovecot: IMAP(bmc): Disconnected: Logged out

Actual data is omitted and replaced with "...", because I'm not sure whether any sensitive information is passed. If no sensitive information is passed, or that information can be readily destroyed (say, with kdestroy and kinit), then I'm happy to provide a full transcript. If a DD really needs a test account, I'm happy to provide one of those, too; simply send me an email with your preferred username.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cyrus-clients-2.3 depends on:
ii  libc6        2.6.1-6          GNU C Library: Shared libraries
ii  libdb4.4     4.4.20-11        Berkeley v4.4 Database Libraries [
ii  libsasl2-2   2.1.22.dfsg1-16  Cyrus SASL - authentication abstra
ii  libssl0.9.8  0.9.8g-1         SSL shared libraries

cyrus-clients-2.3 recommends no packages.

-- no debconf information

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
a typesetting engine: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
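A triage sketch for the server-side log pattern quoted in this thread, added here as an example and not part of any poster's message or of Dovecot or Cyrus: it pairs each Dovecot auth-process GSSAPI error with the next aborted login from the same remote IP, and flags peers that fail with "Invalid response length" yet also complete a GSSAPI login, which is the pattern both reports show. The function names, sample lines, addresses and user name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Dovecot syslog format quoted in the thread.
SAMPLE_LOG = """\
May 15 01:04:22 mail dovecot: auth(default): gssapi(?,192.0.2.51): Invalid response length
May 15 01:04:27 mail dovecot: imap-login: Aborted login: method=GSSAPI, rip=192.0.2.51, lip=192.0.2.1, TLS
May 15 01:04:34 mail dovecot: auth(default): gssapi(?,192.0.2.51): Invalid response length
May 15 01:04:36 mail dovecot: imap-login: Aborted login: method=GSSAPI, rip=192.0.2.51, lip=192.0.2.1, TLS
May 15 01:04:41 mail dovecot: imap-login: Login: user=<alice>, method=GSSAPI, rip=192.0.2.51, lip=192.0.2.1, TLS
May 15 01:05:02 mail dovecot: imap-login: Aborted login: method=GSSAPI, rip=192.0.2.77, lip=192.0.2.1, TLS
"""

# The auth process logs the reason; imap-login logs the outcome a few seconds later.
AUTH_ERR = re.compile(r"dovecot: auth\(\w+\): gssapi\([^,]*,(?P<rip>[^)]+)\): (?P<reason>.+)$")
LOGIN = re.compile(r"dovecot: imap-login: (?P<event>Aborted login|Login):.*?method=GSSAPI, rip=(?P<rip>[^,\s]+)")


def classify_gssapi(log_text):
    """Return {rip: {"malformed": n, "other_fail": n, "ok": n}} for GSSAPI logins."""
    stats = defaultdict(lambda: {"malformed": 0, "other_fail": 0, "ok": 0})
    pending = {}  # rip -> reason from the most recent auth-process error
    for line in log_text.splitlines():
        m = AUTH_ERR.search(line)
        if m:
            pending[m["rip"]] = m["reason"]
            continue
        m = LOGIN.search(line)
        if not m:
            continue
        reason = pending.pop(m["rip"], None)
        if m["event"] == "Login":
            stats[m["rip"]]["ok"] += 1
        elif reason == "Invalid response length":
            stats[m["rip"]]["malformed"] += 1
        else:
            stats[m["rip"]]["other_fail"] += 1
    return dict(stats)


def interop_suspects(stats):
    """Peers whose GSSAPI logins fail on response length yet also succeed."""
    return sorted(rip for rip, s in stats.items() if s["malformed"] and s["ok"])


if __name__ == "__main__":
    result = classify_gssapi(SAMPLE_LOG)
    print(result, interop_suspects(result))
```

A peer listed by `interop_suspects` holds working Kerberos credentials, so its failures point at the shape of the client's SASL response rather than at the account.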