Bug#628525: libsasl2-modules-gssapi-mit: authentication now fails always

Mon May 30 10:12:46 UTC 2011

Hi Brian,

is it auxprop or saslauthd based?

Could you please test using sample-sasl-{client,server} for auxprop
and testsaslauthd for saslauthd?

And post results here?

Also would you be willing to help us setup testing krb environment?
I'll create a kvm image with krb5 and will test new releases with
that, but it's very hard to debug something we don't use :(.

Thanks,
O.

2011/5/29 brian m. carlson <sandals at crustytoothpaste.net>:
> Package: libsasl2-modules-gssapi-mit
> Version: 2.1.24~rc1.dfsg1+cvs2011-05-23-2
> Severity: grave
>
> I use Kerberos 5 for my IMAP and SMTP servers.  Previously, everything
> worked flawlessly.  Now, mutt crashes on trying to store a message in
> the Sent folder, and cyrus-clients-2.4's imtest and smtptest report
> failure to authenticate with GSSAPI:
>
>  lakeview ok % imtest -t "" -m GSSAPI -a bmc -u bmc imap.crustytoothpaste.net
>  S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=GSSAPI] Dovecot ready.
>  C: S01 STARTTLS
>  S: S01 OK Begin TLS negotiation now.
>  verify error:num=20:unable to get local issuer certificate
>  verify error:num=27:certificate not trusted
>  verify error:num=21:unable to verify the first certificate
>  TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>  C: C01 CAPABILITY
>  S: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=GSSAPI
>  S: C01 OK Pre-login capabilities listed, post-login capabilities have more.
>  C: A01 AUTHENTICATE GSSAPI YIICiwYJKoZIhvcSAQICAQBuggJ6MIICdqADAgEFoQMCAQ6iBwMFAAAAAACjggGHYYIBgzCCAX+gAwIBBaEWGxRDUlVTVFlUT09USFBBU1RFLk5FVKIuMCygAwIBA6ElMCMbBGltYXAbG2Nhc3Ryby5jcnVzdHl0b290aHBhc3RlLm5ldKOCAS4wggEqoAMCARKhAwIBA6KCARwEggEY5reXqwcg0WR+ETBz73n1QUtnDTrjSe5vCjmFmk26vFaNU880mW+rcoV4hID9uw6OgTooVQE72qtjeRVhucou5f2Pio5cIJbiHQC6J5vDX8hFwXVT6I7kUJDYxKk35FoO2Ibg48Qr6GWURsuJB5sat8ckKuf4Ak64bCginAO+axm4kwFHHWG+6Kjzdheavd79YpToY5eyY8BoxRcqI3tDIwQOrX1xYK3mQWx38UaVojFDWpy96bpmLARKkxrPrxquzqAlmBTM/mevVMO8QtA6D7zwTSXa69qIi/zrb4c6ooZLtco2VoC996RLxxKWTYHoQGjKDAswkTEG9WqkyJslBap1Xba/s+fs3xQzLrInxLRl+FQTiI4RYqSB1TCB0qADAgESooHKBIHHtDYwVHiLz7F+4HJ+YuBGC+TIbFylSvVX0B8afUMUxyKXYQ4eVu4700nJ5Pj0K3ipY4sZIEZ6TYhSlcMH4TNWwBSb/GV0GM1FC+B9WCwJ0RSEfKf0C49r+De51SUwXPW5rM5aMauKnmbaAiEQ1MCjTnvwTrWHYo/2T21OkouvSrt/2p7aZKaM+P6c5rwVW+DlsGoSooezWVxRvLCf4wArFK2IVbwIsYRXJ38puE2qq8UNyqx1RT6nmM7DUzHfbTATOhQLSdy4nA==
>  S: +
>  C: *
>  Authentication failed. generic failure
>  Security strength factor: 256
>  A01 BAD Authentication aborted by client.
>  L01 LOGOUT
>  * BYE Logging out
>  L01 OK Logout completed.
>  Connection closed.
>  lakeview ok % smtptest -t "" -m GSSAPI -a bmc -u bmc smtp.crustytoothpaste.net
>  S: 220 castro.crustytoothpaste.net ESMTP Sendmail 8.14.4/8.14.4/Debian-2; Sun, 29 May 2011 19:45:44 GMT; (No UCE/UBE) logging access from: [IPv6:2001:470:1f05:79:216:d3ff:feb3:801e](FAIL)-[IPv6:2001:470:1f05:79:216:d3ff:feb3:801e]
>  C: EHLO smtptest
>  S: 250-castro.crustytoothpaste.net Hello [IPv6:2001:470:1f05:79:216:d3ff:feb3:801e], pleased to meet you
>  S: 250-ENHANCEDSTATUSCODES
>  S: 250-PIPELINING
>  S: 250-EXPN
>  S: 250-VERB
>  S: 250-8BITMIME
>  S: 250-SIZE
>  S: 250-DSN
>  S: 250-ETRN
>  S: 250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5
>  S: 250-STARTTLS
>  S: 250-DELIVERBY
>  S: 250 HELP
>  C: STARTTLS
>  S: 220 2.0.0 Ready to start TLS
>  verify error:num=18:self signed certificate
>  TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>  C: EHLO smtptest
>  S: 250-castro.crustytoothpaste.net Hello [IPv6:2001:470:1f05:79:216:d3ff:feb3:801e], pleased to meet you
>  S: 250-ENHANCEDSTATUSCODES
>  S: 250-PIPELINING
>  S: 250-EXPN
>  S: 250-VERB
>  S: 250-8BITMIME
>  S: 250-SIZE
>  S: 250-DSN
>  S: 250-ETRN
>  S: 250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 PLAIN
>  S: 250-DELIVERBY
>  S: 250 HELP
>  C: AUTH GSSAPI
>  S: 334
>  C: YIICiwYJKoZIhvcSAQICAQBuggJ6MIICdqADAgEFoQMCAQ6iBwMFAAAAAACjggGHYYIBgzCCAX+gAwIBBaEWGxRDUlVTVFlUT09USFBBU1RFLk5FVKIuMCygAwIBA6ElMCMbBHNtdHAbG2Nhc3Ryby5jcnVzdHl0b290aHBhc3RlLm5ldKOCAS4wggEqoAMCARKhAwIBAqKCARwEggEYV0x6ecoU3d3mHm6z9vwtboNFpb3KkkkZQ5rDf8Mlz9XV+Gi7ogvv5bXEECNDfFqXfTsal+vIyUsy8ItMGEUzXHvj6SoYDMM//umHk/q6LCKTrZmj0YkhwFEa6hXloRRpg9f8RLznOIPppHCfqUYzMEdhPIM3sH9bddRThTL3SwjHO/HzBjxinB6HJLNZUIxHn4uE39qNR5H4P/cbnGP8kprt28JN1LqTS9jcRXaJ4jm986cDvoBrEZ6xhXiUAniNuVMKlcGkWYTkoeDxRfJRUdxwhHQV40GJvgyIQG7/BEjRYMghAmWQzQwGRWASIDKluAxVbGuPRsgYdpcRNLv0yooATABCtdOdNRPED1iQQrkTnVJvCYTfdqSB1TCB0qADAgESooHKBIHHOinl6v8FtOdETIIWX8xkpzk8CNOS032OYgZRiPyaLeZ1cAZlLLyadZ4b1XhajP/L+HmQw4/sUuEEBDKVjzGssR5WbczQsvzn7rqrgyy7BnXof+GERDWiivU3zNRV2YArA0FB1KsXhpr2/Ujf9ZsaHKGTv73AXTtUw4j0ZNETgG8NTHZ+2bUMMYgZbQ7wLSWcSkXgjx8e3LO5Z1j1adbjsY1f9y2NxVnQEcFMNjAi389sFbxEOHd7Q/rNJWhYxIKuanM1V7WeHg==
>  S: 334
>  C: *
>  Authentication failed. generic failure
>  Security strength factor: 256
>  501 5.0.0 AUTH aborted
>  QUIT
>  221 2.0.0 castro.crustytoothpaste.net closing connection
>  Connection closed.
>
> If I downgrade to version 2.1.24~rc1.dfsg1+cvs2011-05-23-1, I still see
> the bug, but 2.1.23.dfsg1-8 works fine.
>
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.39-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libsasl2-modules-gssapi-mit depends on:
> ii  libc6   2.13-4                           Embedded GNU C Library: Shared lib
> ii  libcome 1.41.12-4                        common error description library
> ii  libgssa 1.9+dfsg-1+b1                    MIT Kerberos runtime libraries - k
> ii  libk5cr 1.9+dfsg-1+b1                    MIT Kerberos runtime libraries - C
> ii  libkrb5 1.9+dfsg-1+b1                    MIT Kerberos runtime libraries
> ii  libsasl 2.1.24~rc1.dfsg1+cvs2011-05-23-2 Cyrus SASL - pluggable authenticat
> ii  libssl1 1.0.0d-2                         SSL shared libraries
>
> libsasl2-modules-gssapi-mit recommends no packages.
>
> libsasl2-modules-gssapi-mit suggests no packages.
>
> -- no debconf information
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
>
> _______________________________________________
> Pkg-cyrus-sasl2-debian-devel mailing list
> Pkg-cyrus-sasl2-debian-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-sasl2-debian-devel
>

-- 
Ondřej Surý <ondrej at sury.org>