Bug#628525: libsasl2-modules-gssapi-mit: authentication now fails always

Dan White dwhite at olp.net
Fri Jun 3 02:22:07 UTC 2011


On 02/06/11 18:43 +0000, brian m. carlson wrote:
>On Tue, May 31, 2011 at 09:13:26AM -0500, Dan White wrote:
>> Do you also receive an error without starttls? I just installed
>> 2.1.24~rc1.dfsg1+cvs2011-05-23-2 and was able to reproduce this error,
>> but only while doing '-t ""', or '-s' (against cyrus imap). I was able
>> to successfully authenticate with:
>>
>> $ imtest -m gssapi imap.example.org
>
>Yes, that does seem to work correctly.  For me, however, a non-TLS
>configuration is a non-starter, and anyway, SASL should not act
>differently over an encrypted connection versus a non-encrypted one.

I'm starting to suspect this is a client side problem (with imtest). With
the patch below, this command works:

cyradm --auth gssapi --tlskey "" imap.example.org

but this command still produces the error you're seeing:

imtest -m gssapi -t "" imap.example.org

I wonder if this might have something to do with changes due to the recent
starttls vulnerability. I'll take a closer look.

>> I get a segfault with mutt (with or without -s or -t), so this may
>> actually be two different problems. For both problems, I get the same
>> result regardless of whether I have libsasl2-modules-gssapi-heimdal or
>> libsasl2-modules-gssapi-mit installed.

The segfaulting problem is fixed for me after applying the patch tied to
this bug report:

http://bugzilla.cyrusimap.org/bugzilla3/show_bug.cgi?id=3445

-- 
Dan White

More information about the Pkg-cyrus-sasl2-debian-devel mailing list