From: Matthias A. <mat...@gm...> - 2007-01-31 09:20:36
Miloslav Trmac wrote on 2007-01-23:
> fetchmail-6.3.6 restricts which authentication types may attempt to use
> the PASS command for authentication. KPOP is using PASS as well,
> although it ignores the password, so KPOP is broken in 6.3.6. The
> attached patch fixes the problem.

Thank you, Mirek.

Perhaps I'm paranoid, but I would like to make sure that this KPOP "PASS %s" can only ever send a fake password rather than the real one. I'm assuming here that the KPOP stuff relies on a Kerberos ticket the user has authenticated for separately, for instance, with kinit.

Questions:

1. Is my assumption above correct?

2. Can we send "PASS password" or "PASS secret" or "PASS using-kerberos-ticket-instead" literally, without falling back to the ->password field, in case the user accidentally configures it or leaves it in after switching to Kerberized POP?

3. Could someone arrange a login and mail address for me on a KPOP server so I can test? As far as I understand, KPOP implies POP3 on port 1109 with out-of-band Kerberos IV authentication (or perhaps Krb. V).

There is another 6.3.6 regression in the BerliOS bug tracker, so I'm leaning towards a 6.3.7 release with just fixes for the two 6.3.6 regressions I know. If someone has observed another regression, speak up *now*.

Thanks,

> --- fetchmail-6.3.6/pop3.c.kpop 2007-01-22 23:42:14.000000000 +0100 > +++ fetchmail-6.3.6/pop3.c 2007-01-22 23:44:28.000000000 +0100
> @@ -612,7 +612,11 @@ > > /* check if we are actually allowed to send the password */ > if (ctl->server.authenticate == A_ANY > - || ctl->server.authenticate == A_PASSWORD) { > + || ctl->server.authenticate == A_PASSWORD > + || ((ctl->server.authenticate == A_KERBEROS_V4 > + || ctl->server.authenticate == A_KERBEROS_V5) > + && ctl->server.service > + && strcmp(ctl->server.service, KPOP_PORT) == 0)) { > strlcpy(shroud, ctl->password, sizeof(shroud)); > ok = gen_transact(sock, "PASS %s", ctl->password);

I'd use sock, "PASS something" (without %s and without ctl->password) here for KPOP if possible. Does that work?

Thanks

-- 
Matthias Andree
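Review bot: the widened condition still reaches `gen_transact(sock, "PASS %s", ctl->password)` for the A_KERBEROS_V4 / A_KERBEROS_V5 cases, so a real password, if one happens to be configured, is sent to a KPOP server that ignores it; for those two branches pass a fixed placeholder string instead of ctl->password, and set `shroud` to that placeholder (or leave it empty) rather than copying the real password into it. Separately, `strcmp(ctl->server.service, KPOP_PORT) == 0` only matches when the configured service string is spelled exactly like KPOP_PORT, so a user who writes the same port differently would still fail the check and see the 6.3.6 breakage; matching on the resolved port rather than the literal string would be more robust.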