Commit 6cb67de1 authored by Eric S. Raymond's avatar Eric S. Raymond

Kerberos integration, stage 3.

svn path=/trunk/; revision=283
parent dcc47970
......@@ -310,8 +310,8 @@ char **argv;
for (hostp = hostlist; hostp; hostp = hostp->next)
if (hostp->active && !(implicitmode && hostp->skip) && !hostp->password[0])
{
if (hostp->protocol == P_KPOP)
/* Server doesn't care what the password is, but there
if (hostp->authenticate == A_KERBEROS)
/* Server won't care what the password is, but there
must be some non-null string here. */
(void) strncpy(hostp->password,
hostp->remotename, PASSWORDLEN-1);
......@@ -395,7 +395,6 @@ int proto;
case P_POP3: return("POP3"); break;
case P_IMAP: return("IMAP"); break;
case P_APOP: return("APOP"); break;
case P_KPOP: return("KPOP"); break;
default: return("unknown?!?"); break;
}
}
......@@ -435,7 +434,6 @@ struct hostrec *queryctl;
break;
case P_POP3:
case P_APOP:
case P_KPOP:
return(doPOP3(queryctl));
break;
case P_IMAP:
......@@ -488,7 +486,10 @@ struct hostrec *queryctl;
printf(" APOP secret = '%s'\n", queryctl->password);
else
printf(" Password = '%s'\n", queryctl->password);
printf(" Protocol is %s", showproto(queryctl->protocol));
if (queryctl->protocol == P_POP3 && queryctl->port == KPOP_PORT)
printf(" Protocol is KPOP");
else
printf(" Protocol is %s", showproto(queryctl->protocol));
if (queryctl->port)
printf(" (using port %d)", queryctl->port);
else if (outlevel == O_VERBOSE)
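Review bot: The KPOP report in the last hunk keys on `queryctl->port == KPOP_PORT`, while the rest of the commit defines Kerberos use by the new `authenticate` field (the first hunk fills the dummy password only when `hostp->authenticate == A_KERBEROS`), so a host configured as `proto pop3 port 1109` with password authentication is reported as KPOP and a Kerberos host on any other port is not. Keying on the field keeps the report truthful: `if (queryctl->protocol == P_POP3 && queryctl->authenticate == A_KERBEROS)`. Since `authenticate` is now an independent option, this dump should also state it, e.g. a line printing `queryctl->authenticate == A_KERBEROS ? "kerberos" : "password"`, so that a wrong auth type is visible where the user looks for it. Both enclosing functions start and end outside their hunks.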
......
......@@ -12,12 +12,17 @@
***********************************************************************/
/* constants designating the various supported protocols */
#define P_AUTO 0
#define P_POP2 2
#define P_POP3 3
#define P_IMAP 4
#define P_APOP 5
#define P_KPOP 6
#define P_AUTO 0
#define P_POP2 2
#define P_POP3 3
#define P_IMAP 4
#define P_APOP 5
#define KPOP_PORT 1109
/* authentication types */
#define A_PASSWORD 0 /* passwords in cleartext */
#define A_KERBEROS 1 /* get Kerberos V4 ticket */
/* definitions for buffer sizes -- somewhat arbitrary */
#define POPBUFSIZE 512 /* per RFC 937 */
......@@ -62,6 +67,7 @@ struct hostrec
char mda [MDALEN+1];
int protocol;
int port;
int authenticate;
/* MDA arguments */
char *mda_argv[32];
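Review bot: `KPOP_PORT` and the new `authenticate` field carry no comment saying how they replace the removed `P_KPOP` value, so a reader of the header cannot tell that `kpop` is now P_POP3 plus KPOP_PORT plus A_KERBEROS, spread over three fields that are set and tested in different files. A comment such as `/* kpop = P_POP3 on this port with A_KERBEROS; there is no P_KPOP */` on the define and `/* A_PASSWORD or A_KERBEROS */` on the field would pin that down. A_PASSWORD being 0 presumably makes a zero-filled hostrec default to password authentication; if that is relied on, saying so next to the define documents the invariant. The struct hostrec definition starts and ends outside the hunk.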
......
......@@ -115,7 +115,7 @@ Post Office Protocol 3
.IP APOP
Use POP3 with MD5 authentication.
.IP KPOP
POP3 with Kerberos authentication.
Use POP3 with Kerberos authentication on port 1109.
.RE
.TP
.B \-P, --port
......@@ -123,6 +123,15 @@ The option permits you to specify a TCP/IP port to connect on.
This option will seldom be necessary as all the supported protocols have
well-established default port numbers.
.TP
.B \-A, --auth
This option permits you to specify an authentication type (see USER
AUTHENTICATION below for details). The possible values are
\&`\fBpassword\ffR and `\fBkerberos\fR'. This option is provided
primarily for developers; choosing KPOP protocol automatically selects
Kerberos authentication, and all other alternatives use ordinary
password authentication (though APOP uses a generated one-time
key as the password).
.TP
.B \-r folder, --remote folder
Causes a specified non-default mail folder on the mailserver to be retrieved.
The syntax of the folder name is server dependent, as is the default
......@@ -178,7 +187,7 @@ on the command line, each server in your
.I ~/.fetchmailrc
file will be queried.
.SH USER AUTHENTICATION
User authentication in
Normal user authentication in
.I fetchmail
is very much like the authentication mechanism of
.I ftp(1).
......@@ -230,6 +239,11 @@ file. Each time
logs in, it sends a cryptographically secure hash of your password and
the server greeting time to the server, which can verify it by
checking its authorization database.
.PP
If your \fIfetchmail\fR was built with Kerberos support and you specify
Kerberos authentication (either with --auth or the \fI.fetchmailrc\fR
option \fBauthenticate kerberos\fR) it will try to get a Kerberos
ticket from the mailserver at the start of each query.
.SH DAEMON MODE
The
.B --daemon
......@@ -339,6 +353,7 @@ Legal server options are:
port
skip
noskip
authenticate (or auth)
Legal user options are
......@@ -387,6 +402,17 @@ Legal protocol identifiers are
imap (or IMAP)
apop (or APOP)
kpop (or APOP)
.PP
Legal authentication types are `password' or `kerberos'. The former
specifies authentication by normal transmission of a password (the
password may be plaintext or subject to protocol-specific encryption
as in APOP); the second tells \fIfetchmail\fR to try to get a Kerberos
ticket at the start of each query instead, and send an arbitrary
string as the password.
.PP
Specifying \fBkpop\fR sets POP3 protocol over port 1109 with Kerberos
authentication. These defaults may be overridden by later options.
.PP
You can use the `noise' keywords \fBand\fR, \fBwith\fR,
\fBhas\fR, \fBwants\fR, and \fBoptions\fR anywhere in an entry to make
......
......@@ -27,19 +27,20 @@
#define LA_STDOUT 7
#define LA_FLUSH 8
#define LA_PROTOCOL 9
#define LA_DAEMON 10
#define LA_RCFILE 11
#define LA_USERNAME 12
#define LA_REMOTEFILE 13
#define LA_PORT 14
#define LA_SMTPHOST 15
#define LA_MDA 16
#define LA_LOGFILE 17
#define LA_QUIT 18
#define LA_NOREWRITE 19
#define LA_CHECK 20
#define LA_HELP 21
#define LA_YYDEBUG 22
#define LA_AUTHENTICATE 10
#define LA_DAEMON 11
#define LA_RCFILE 12
#define LA_USERNAME 13
#define LA_REMOTEFILE 14
#define LA_PORT 15
#define LA_SMTPHOST 16
#define LA_MDA 17
#define LA_LOGFILE 18
#define LA_QUIT 19
#define LA_NOREWRITE 20
#define LA_CHECK 21
#define LA_HELP 22
#define LA_YYDEBUG 23
static char *shortoptions = "P:p:VaKkvS:m:sFd:f:u:r:L:qN?";
static struct option longoptions[] = {
......@@ -52,6 +53,7 @@ static struct option longoptions[] = {
{"flush", no_argument, (int *) 0, LA_FLUSH },
{"protocol", required_argument, (int *) 0, LA_PROTOCOL },
{"proto", required_argument, (int *) 0, LA_PROTOCOL },
{"auth", required_argument, (int *) 0, LA_PROTOCOL },
{"daemon", required_argument, (int *) 0, LA_DAEMON },
{"fetchmailrc",required_argument,(int *) 0, LA_RCFILE },
{"user", required_argument, (int *) 0, LA_USERNAME },
......@@ -153,7 +155,11 @@ struct hostrec *queryctl;
else if (strcasecmp(optarg,"apop") == 0)
queryctl->protocol = P_APOP;
else if (strcasecmp(optarg,"kpop") == 0)
queryctl->protocol = P_KPOP;
{
queryctl->protocol = P_POP3;
queryctl->port = KPOP_PORT;
queryctl->authenticate == A_KERBEROS;
}
else {
fprintf(stderr,"Invalid protocol '%s'\n specified.\n", optarg);
errflag++;
......@@ -184,6 +190,17 @@ struct hostrec *queryctl;
case LA_PORT:
queryctl->port = atoi(optarg);
break;
case 'A':
case LA_AUTHENTICATE:
if (strcmp(optarg, "password") == 0)
queryctl->authenticate = A_PASSWORD;
else if (strcmp(optarg, "kerberos") == 0)
queryctl->authenticate = A_KERBEROS;
else {
fprintf(stderr,"Invalid authentication '%s'\n specified.\n", optarg);
errflag++;
}
break;
case 'S':
case LA_SMTPHOST:
if (fflag)
......@@ -224,22 +241,26 @@ struct hostrec *queryctl;
fputs("usage: fetchmail [options] [server ...]\n", stderr);
fputs(" Options are as follows:\n",stderr);
fputs(" -?, --help display this option help\n", stderr);
fputs(" -p, --protocol specify pop2, pop3, imap, apop, rpop, kpop\n", stderr);
fputs(" -V, --version display version info\n", stderr);
fputs(" -v, --verbose work noisily (diagnostic output)\n", stderr);
fputs(" -d, --daemon run as a daemon once per n seconds\n", stderr);
fputs(" -c, --check check for messages without fetching\n", stderr);
fputs(" -L, --logfile specify logfile name\n", stderr);
fputs(" -q, --quit kill daemon process\n", stderr);
fputs(" -f, --fetchmailrc specify alternate run control file\n", stderr);
fputs(" -p, --protocol specify pop2, pop3, imap, apop, rpop, kpop\n", stderr);
fputs(" -P, --port TCP/IP service port to connect to\n",stderr);
fputs(" -A, --auth authentication type\n",stderr);
fputs(" -u, --username specify users's login on server\n", stderr);
fputs(" -a, --all retrieve old and new messages\n", stderr);
fputs(" -F, --flush delete old messages from server\n", stderr);
fputs(" -K, --kill delete new messages after retrieval\n", stderr);
fputs(" -k, --keep save new messages after retrieval\n", stderr);
fputs(" -S, --smtphost set SMTP forwarding host\n", stderr);
fputs(" -q, --quit kill daemon process\n", stderr);
fputs(" -s, --silent work silently\n", stderr);
fputs(" -v, --verbose work noisily (diagnostic output)\n", stderr);
fputs(" -d, --daemon run as a daemon once per n seconds\n", stderr);
fputs(" -f, --fetchmailrc specify alternate run control file\n", stderr);
fputs(" -u, --username specify users's login on server\n", stderr);
fputs(" -r, --remote specify remote folder name\n", stderr);
fputs(" -L, --logfile specify logfile name\n", stderr);
fputs(" -c, --check check for messages without retrieving\n", stderr);
return(-1);
}
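Review bot: In the LA_PROTOCOL hunk the `kpop` branch writes `queryctl->authenticate == A_KERBEROS;`, a comparison whose result is discarded, so `-p kpop` sets POP3 on port 1109 but leaves the authentication type untouched; it should read `queryctl->authenticate = A_KERBEROS;`. The `--auth` long option is wired to `LA_PROTOCOL` rather than `LA_AUTHENTICATE` in the longoptions hunk, so `--auth kerberos` falls into the protocol parser and is rejected as an invalid protocol, and `shortoptions` (visible above that table) contains no `A:`, so the new `case 'A':` cannot be reached even though the usage text advertises `-A`. The new LA_AUTHENTICATE branch compares with `strcmp` while the protocol names use `strcasecmp`, so `--auth Kerberos` is rejected where `-p KPOP` is accepted. Nothing here (nor in the pop3.c hunks, which drop the old `KERBEROS_V4` guard) reports when `kerberos` is selected in a build without Kerberos support, so the old "not compiled into this executable" diagnostic is lost. The enclosing option-parsing function starts and ends outside these hunks.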
......
......@@ -100,13 +100,6 @@ char *greeting;
}
switch (queryctl->protocol) {
case P_KPOP:
#ifndef KERBEROS_V4
strcat (buf, "KPOP support not compiled into this executable.\n");
return(PS_ERROR);
#endif
/* fall through */
case P_POP3:
if ((gen_transact(socket,"USER %s", queryctl->remotename)) != 0)
return(PS_ERROR);
......@@ -221,12 +214,6 @@ struct hostrec *queryctl;
fprintf(stderr,"Option --remote is not supported with POP3\n");
return(PS_SYNTAX);
}
if (queryctl->protocol == P_KPOP)
{
struct method kpop_method = pop3;
kpop_method.port = 1109;
return(do_protocol(queryctl, &kpop_method));
}
return(do_protocol(queryctl, &pop3));
}
......
......@@ -27,6 +27,8 @@ defaults { return DEFAULTS; }
server { return SERVER; }
proto(col)? { return PROTOCOL; }
port { return PORT; }
auth(enticate)? { return AUTHENTICATE; }
kerberos { return KERBEROS; }
user(name)? { return USERNAME; }
pass(word)? { return PASSWORD; }
......@@ -60,7 +62,8 @@ options {/* EMPTY */}
(pop3)|(POP3) { yylval.proto = P_POP3; return PROTO; }
(imap)|(IMAP) { yylval.proto = P_IMAP; return PROTO; }
(apop)|(APOP) { yylval.proto = P_APOP; return PROTO; }
(kpop)|(KPOP) { yylval.proto = P_KPOP; return PROTO; }
(kpop)|(KPOP) { return KPOP; }
(#.*)?\\?\n { prc_lineno++; } /* newline is ignored */
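Review bot: The new `kerberos` rule matches only the lowercase spelling, while the neighbouring protocol rules accept both (`(kpop)|(KPOP)`), so `auth KERBEROS` in a run-control file is presumably lexed as a STRING and then rejected by the grammar; `(kerberos)|(KERBEROS) { return KERBEROS; }` would keep the keywords consistent. The `password` authentication type reuses the existing `pass(word)?` rule, which deserves a comment on the `auth(enticate)?` line since the grammar depends on it, e.g. `/* auth type is PASSWORD (reused keyword) or KERBEROS */`.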
......
......@@ -15,6 +15,7 @@
#include <config.h>
#include <stdio.h>
#include "fetchmail.h"
extern char *rcfile;
extern int prc_lineno;
extern int prc_errflag;
......@@ -25,13 +26,15 @@ int yydebug; /* in case we didn't generate with -- debug */
%union {
int proto;
int auth;
int flag;
char *sval;
}
%token DEFAULTS SERVER PROTOCOL
%token DEFAULTS SERVER PROTOCOL AUTHENTICATE KPOP KERBEROS
%token USERNAME PASSWORD FOLDER SMTPHOST MDA IS HERE THERE
%token <proto> PROTO
%token <auth> AUTHTYPE
%token <sval> STRING
%token <flag> KEEP FLUSH FETCHALL REWRITE PORT SKIP
......@@ -63,8 +66,15 @@ serverspecs : /* EMPTY */
;
serv_option : PROTOCOL PROTO {prc_setproto($2);}
| PROTOCOL KPOP {
prc_setproto(P_POP3);
prc_setauth(A_KERBEROS);
prc_setport(KPOP_PORT);
}
| PORT STRING {prc_setport($2);}
| SKIP {prc_setskip($1==FLAG_TRUE);}
| AUTHENTICATE PASSWORD {prc_setauth(A_PASSWORD);}
| AUTHENTICATE KERBEROS {prc_setauth(A_KERBEROS);}
;
/* the first and only the first user spec may omit the USERNAME part */
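Review bot: In the serv_option hunk `prc_setport(KPOP_PORT)` passes an int, while the neighbouring `PORT STRING {prc_setport($2);}` passes `$2`, the `<sval>` char* of STRING; prc_setport is declared outside the hunk and can have only one of those parameter types, so one of the two calls is a type mismatch (if it takes the string, the integer 1109 is used as a pointer). Resolving it means either converting at the PORT rule (`prc_setport(atoi($2))`) or giving prc_setport an int-taking counterpart for the KPOP case. The `%union` member `auth` and the `%token <auth> AUTHTYPE` declaration are produced by no lexer rule in this commit and unused by the grammar, which spells the type out as `AUTHENTICATE PASSWORD` / `AUTHENTICATE KERBEROS`; they look like leftovers and should be dropped or gain a comment saying what they are reserved for.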
......
......@@ -20,7 +20,10 @@
#
# Legal keywords are
# server
# protocol (or proto)
# protocol (or proto) -- nuat be followed by a protocol ID
# port
# authenticate (or auth) -- must be followed by an authentication type
#
# username (or user)
# is
# remotefolder (or remote)
......@@ -38,7 +41,6 @@
# nofetchall
# norewrite
# noskip
# port
#
# Legal protocol identifiers are
# pop2 (or POP2)
......@@ -47,6 +49,10 @@
# apop (or APOP)
# kpop (or KPOP)
#
# Legal authentication types are
# login
# kerberos
#
# Basic format is
# server SERVERNAME protocol PROTOCOL username NAME password PASSWORD
# Example:
......@@ -62,7 +68,7 @@ server pop.provider.net proto pop3 user jsmith password secret1
server pop.provider.net proto pop3 user jsmith password secret1
server other.provider.net proto pop2 user John.Smith password My^Hat
# Other possibilities (note use of \ to escape newline -- this is all
# Other possibilities (note optional use of \ to escape newline -- this is all
# one server definition.
server pop.provider.net \
proto pop3 \
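Review bot: The keyword list in the third hunk names the legal authentication types as `login` and `kerberos`, but the grammar in rcfile_y.y accepts `authenticate password` / `authenticate kerberos` and the lexer has no `login` keyword, so the sample leads a user to write a line the parser rejects; the list should read `# password` in place of `# login`. The first hunk also has a typo, `nuat be followed` for `must be followed`.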
......