From: Miloslav T. <mi...@re...> - 2007-01-23 01:55:32
Attachments:
fetchmail-6.3.6-kpop.patch
Hello,

fetchmail-6.3.6 restricts which authentication types may attempt to use the PASS command for authentication. KPOP is using PASS as well, although it ignores the password, so KPOP is broken in 6.3.6. The attached patch fixes the problem.

Thanks,
Mirek
From: Matthias A. <mat...@gm...> - 2007-01-31 09:20:36
Miloslav Trmac wrote on 2007-01-23:
> fetchmail-6.3.6 restricts which authentication types may attempt to use
> the PASS command for authentication. KPOP is using PASS as well,
> although it ignores the password, so KPOP is broken in 6.3.6. The
> attached patch fixes the problem.

Thank you, Mirek.

Perhaps I'm paranoid, but I would like to make sure that this KPOP PASS %s can only ever send a fake password rather than the real one. I'm assuming here that the KPOP stuff relies on a Kerberos ticket the user has authenticated for separately, for instance, with kinit.

Questions:
1. Is my assumption above correct?
2. Can we send "PASS password" or "PASS secret" or "PASS using-kerberos-ticket-instead" literally, without falling back to the ->password field, in case the user accidentally configures it or leaves it in after switching to Kerberized POP?
3. Could someone arrange a login and mail address for me on a KPOP server so I can test? As far as I understand, KPOP implies POP3 on port 1109 with out-of-band Kerberos IV authentication (or perhaps Krb. V).

There is another 6.3.6 regression in the BerliOS bug tracker, so I'm leaning towards a 6.3.7 release with just fixes for the two 6.3.6 regressions I know. If someone has observed another regression, speak up *now*.

Thanks,

> --- fetchmail-6.3.6/pop3.c.kpop 2007-01-22 23:42:14.000000000 +0100
> +++ fetchmail-6.3.6/pop3.c 2007-01-22 23:44:28.000000000 +0100
> @@ -612,7 +612,11 @@ > > /* check if we are actually allowed to send the password */ > if (ctl->server.authenticate == A_ANY > - || ctl->server.authenticate == A_PASSWORD) { > + || ctl->server.authenticate == A_PASSWORD > + || ((ctl->server.authenticate == A_KERBEROS_V4 > + || ctl->server.authenticate == A_KERBEROS_V5) > + && ctl->server.service > + && strcmp(ctl->server.service, KPOP_PORT) == 0)) { > strlcpy(shroud, ctl->password, sizeof(shroud)); > ok = gen_transact(sock, "PASS %s", ctl->password); I'd use sock, "PASS something" (without %s and without ctl->password) here for KPOP if possible. Does that work? Thanks -- Matthias Andree |
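Review bot: the new Kerberos branch of the condition still discloses the real credential: once it matches, the unchanged `strlcpy(shroud, ctl->password, sizeof(shroud));` and `ok = gen_transact(sock, "PASS %s", ctl->password);` put ctl->password on the wire exactly as in the A_PASSWORD case, even though the thread says the KPOP server ignores it. If PASS is only a protocol formality for KPOP, send a fixed literal in that branch (for example `gen_transact(sock, "PASS using-kerberos-ticket-instead")`) and skip the shroud copy, so a password left behind in the config after switching to Kerberos can never leave the host. A second, smaller point: the gate is an exact string compare, `strcmp(ctl->server.service, KPOP_PORT) == 0`, so a service written in any form other than the literal spelling of KPOP_PORT (a name instead of the number, or vice versa) will not match and PASS will be refused for that Kerberos session; either normalise the service before comparing or document the expected spelling.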
From: Miloslav T. <mi...@re...> - 2007-01-31 18:27:31
Matthias Andree wrote:
> Perhaps I'm paranoid, but I would like to make sure that this KPOP PASS
> %s can only ever send a fake password rather than the real one.
> I'm assuming here that the KPOP stuff relies on a Kerberos ticket the
> user has authenticated for separately, for instance, with kinit.
>
> Questions:
> 1. Is my assumption above correct?

The only KPOP server I could find is cyrus-imapd, which completely ignores the password submitted with PASS. I wasn't able to find any specification of KPOP, so I don't know for sure. I can imagine a server that requires both Kerberos authentication and the correct password.

> 2. Can we send "PASS password" or "PASS secret" or "PASS
> using-kerberos-ticket-instead" literally, without falling back to the
> ->password field, in case the user accidentally configures it or leaves
> it in after switching to Kerberized POP?

See 1.

> 3. Could some arrange a login and mail address for me on a KPOP server
> so I can test? As far as I understand, KPOP implies POP3 on port 1109
> with out-of-band Kerberos IV authentication. (or perhaps Krb. V).

I'm afraid I don't have a permanently running computer available on which I could set this up.

Mirek
From: Matthias A. <mat...@gm...> - 2007-02-03 00:48:22
Attachments:
kpop-incremental-2.patch
On Wed, 31 Jan 2007, Miloslav Trmac wrote:
> The only KPOP server I could find is cyrus-imapd, which completely
> ignores the password submitted with PASS. I wasn't able to find any
> specification of KPOP, so I don't know for sure. I can imagine a server
> that requires both Kerberos authentication and the correct password.

Does KPOP still work with the attached patch? (Apply on top of your patch.)

-- 
Matthias Andree
From: Miloslav T. <mi...@re...> - 2007-02-12 10:59:47
Matthias Andree wrote:
> On Wed, 31 Jan 2007, Miloslav Trmac wrote:
>> The only KPOP server I could find is cyrus-imapd, which completely
>> ignores the password submitted with PASS. I wasn't able to find any
>> specification of KPOP, so I don't know for sure. I can imagine a server
>> that requires both Kerberos authentication and the correct password.
> Does KPOP still work with the attached patch? (Apply on top of your
> patch.)

I'm sorry about the delay. fetchmail-6.3.7-rc1 works with cyrus-imapd correctly.

Mirek