Summary |
Authentication via IMP does fail for some passwords while using IMAP directly does work |
Queue |
IMP |
Queue Version |
5.0.18 |
Type |
Bug |
State |
No Feedback |
Priority |
2. Medium |
Owners |
jan (at) horde (dot) org, mrubinsk (at) horde (dot) org, slusarz (at) horde (dot) org |
Requester |
tkrah (at) fachschaft (dot) imn (dot) htwk-leipzig (dot) de |
Created |
10/24/2011 (5004 days ago) |
Due |
|
Updated |
08/29/2012 (4694 days ago) |
Assigned |
02/27/2012 (4878 days ago) |
Resolved |
06/16/2012 (4768 days ago) |
Github Issue Link |
|
Github Pull Request |
|
Milestone |
|
Patch |
No |
commit 11e1e868c6d1494323fe42f97f5b5a09eae71dce
Author: Michael M Slusarz <slusarz@horde.org>
Date: Mon Feb 20 00:00:59 2012 -0700
Bug #10680: Use correct secret key to encrypt IMAP passwordimp/lib/Auth.php | 11 +++++++++++
imp/package.xml | 2 +-
2 files changed, 12 insertions(+), 1 deletions(-)
http://git.horde.org/horde-git/-/commit/11e1e868c6d1494323fe42f97f5b5a09eae71dce
not going to spend any more time personally trying to track down this
issue in Horde 4/IMP 5.
applied patch from
#9733- but problem is still there. No success yet.Assigned to Michael Rubinsky
State ⇒ Feedback
Bug #9733?Patch does not seem to work. Both commits applied.
However - now thunderbird is asking again after time for username +
password and i've got again those - authentication denied log messages
(which was gone using session_control = 'none').
I am applying:
76faef61dc154be79b95946f6cd3c16c6c6f29a1
and
11e1e868c6d1494323fe42f97f5b5a09eae71dce
I'll report back if it works.
To confirm - i have to remove the patch with session_control = 'none'
and upgrade to latest client? enough? Or have i have to apply the git
patches manually yet to test?
in IMP 5.1.
be great (since I was never able to reproduce in the first place).
commit 11e1e868c6d1494323fe42f97f5b5a09eae71dce
Author: Michael M Slusarz <slusarz@horde.org>
Date: Mon Feb 20 00:00:59 2012 -0700
Bug #10680: Use correct secret key to encrypt IMAP passwordimp/lib/Auth.php | 11 +++++++++++
imp/package.xml | 2 +-
2 files changed, 12 insertions(+), 1 deletions(-)
http://git.horde.org/horde-git/-/commit/11e1e868c6d1494323fe42f97f5b5a09eae71dce
commit 76faef61dc154be79b95946f6cd3c16c6c6f29a1
Author: Michael M Slusarz <slusarz@horde.org>
Date: Sun Feb 19 23:44:40 2012 -0700
[mms] Add Horde_Imap_Client_Base#setParam() (
Bug #10680)..../Imap_Client/doc/Horde/Imap/Client/UPGRADING | 4 ++
.../Imap_Client/lib/Horde/Imap/Client/Base.php | 42 ++++++++++++++-----
framework/Imap_Client/package.xml | 2 +
3 files changed, 37 insertions(+), 11 deletions(-)
http://git.horde.org/horde-git/-/commit/76faef61dc154be79b95946f6cd3c16c6c6f29a1
Version ⇒ 5.0.18
Queue ⇒ IMP
Priority ⇒ 2. Medium
in IMP 5.1.
commit 76faef61dc154be79b95946f6cd3c16c6c6f29a1
Author: Michael M Slusarz <slusarz@horde.org>
Date: Sun Feb 19 23:44:40 2012 -0700
[mms] Add Horde_Imap_Client_Base#setParam() (
Bug #10680)..../Imap_Client/doc/Horde/Imap/Client/UPGRADING | 4 ++
.../Imap_Client/lib/Horde/Imap/Client/Base.php | 42 ++++++++++++++-----
framework/Imap_Client/package.xml | 2 +
3 files changed, 37 insertions(+), 11 deletions(-)
http://git.horde.org/horde-git/-/commit/76faef61dc154be79b95946f6cd3c16c6c6f29a1
issue in IMP. Because Horde_Secret doesn't clearly indicate in its
API that this can occur.
mechanism to change the stored password once the object is created.
- The user is logging without cookies
- Horde_Secret falls back to session_id()
- During the login process, the password is stored encrypted with session_id
- After logging in, the session id is generated to protect against
session fixation
- The new session_id is no longer the valid key for the encrypted
password, so decrypting fails
Although I don't know if this is a limitation in Horde_Secret or an
issue in IMP. Because Horde_Secret doesn't clearly indicate in its
API that this can occur.
- The user is logging without cookies
- Horde_Secret falls back to session_id()
- During the login process, the password is stored encrypted with session_id
- After logging in, the session id is generated to protect against
session fixation
- The new session_id is no longer the valid key for the encrypted
password, so decrypting fails
some other reason, which made IMAP authentication in follow-up
requests fail. Most probably because the original secret was not used
when decrypting the password.
array(2) {
[0]=>
string(3) "imp"
[1]=>
string(0) ""
}
But
Bug #9733does remove session_control = 'none' -> Michael S. toldme to add this line (looks promising yet - enabled encryption and it
seems to work - will tell you if this helps next week - need some time
to verify things).
So the solution to remove the session_control = 'none' line would
result in "original" code which does match the original report.
Bug: 9733array(2) {
[0]=>
string(3) "imp"
[1]=>
string(0) ""
}
setCookie is called - i can confirm that only one call to setKey is
done per request.
output is:
array(2) {
[0]=>
string(4) "auth"
[1]=>
string(0) ""
}
Using session_control = 'none' the key is always empty - guess thats correct?
Should i test it with session_control patch active or not?
protected function _setCookie($keyname, $key)
{
+ Horde::debug(array($keyname, $key));
@setcookie(
$keyname . '_key',
You should only see one call per RPC call to set the 'imp' key.
1. Setup a shared calendar on the server that requires authentication
(I'm using imp auth authentication).
2. Creating a new calendar in Thunderbird/Lightning.
3. Enter username/password
4. ICS file is downloaded.
I can verify in
#3that if I put in the wrong password theauthentication fails.
Just for the heck of it... could you apply this diff:
diff --git a/horde/rpc.php b/horde/rpc.php
index a420f27..df8c789 100644
--- a/horde/rpc.php
+++ b/horde/rpc.php
@@ -42,6 +42,7 @@ if ((!empty($_SERVER['CONTENT_TYPE']) &&
} elseif (!empty($_SERVER['PATH_INFO']) ||
in_array($_SERVER['REQUEST_METHOD'], array('DELETE',
'PROPFIND', 'PUT', 'OPTIONS'))) {
$serverType = 'Webdav';
+ $session_control = 'none';
} elseif (!empty($_SERVER['CONTENT_TYPE'])) {
if (strpos($_SERVER['CONTENT_TYPE'],
'application/vnd.syncml+xml') !== false) {
$serverType = 'Syncml';
FYI: Here's what the Horde log looks like when authenticating via RPC:
2012-02-15T22:17:21-07:00 DEBUG: HORDE Load config file (hooks.php;
app: horde) [pid 13427 on line 865 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE Hook browser_modify in
application horde called. [pid 13427 on line 1826 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE Horde_Registry: retrieved app
with cache ID
horde_registry|app|1329184088|8bbed9e4eac921e350d64930c2cdc722 [pid
13427 on line 1730 of
"/disk2/src/horde/framework/Core/lib/Horde/Registry.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE Load config file (hooks.php;
app: imp) [pid 13427 on line 865 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE Hook preauthenticate in
application imp called. [pid 13427 on line 1826 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE [imp] Load config file
(conf.php; app: imp) [pid 13427 on line 865 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:21-07:00 DEBUG: HORDE [imp] Load config file
(backends.php; app: imp) [pid 13427 on line 865 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:22-07:00 DEBUG: HORDE Hook preauthenticate in
application imp called. [pid 13427 on line 1826 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:22-07:00 DEBUG: HORDE [gollem] Load config file
(conf.php; app: gollem) [pid 13427 on line 865 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:22-07:00 DEBUG: HORDE [horde] Horde_Rpc::__construct
complete [pid 13427 on line 96 of
"/disk2/src/horde/framework/Rpc/lib/Horde/Rpc.php"]
2012-02-15T22:17:22-07:00 DEBUG: HORDE [horde] Hook preauthenticate in
application imp called. [pid 13427 on line 1826 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
2012-02-15T22:17:22-07:00 DEBUG: HORDE [horde] Hook postauthenticate
in application imp called. [pid 13427 on line 1826 of
"/disk2/src/horde/framework/Core/lib/Horde.php"]
http://lists.horde.org/archives/dev/Week-of-Mon-20120213/026993.html
which was (possibly) fixed by this:
http://lists.horde.org/archives/commits/2012-February/013996.html
encrypt/decrypt the password. You will have to trace the code to
discover why this is happening (adding Horde::debug() calls to
IMP_Imap::getEncryptKey() to track the key value would be useful).
Horde::debug() documentation: http://wiki.horde.org/Doc/Dev/DebugH4
In /usr/share/php/Horde/Imap/Client/Base.php it does help to comment
out the encryption stuff:
175 // Encrypt password.
176 /*
177 try {
178 $encrypt_key = $this->_getEncryptKey();
179 if (strlen($encrypt_key)) {
180 $secret = new Horde_Secret();
181 $this->_params['password'] =
$secret->write($encrypt_key, $this->_params['password']);
182 $this->_params['_passencrypt'] = true;
183 }
184 } catch (Exception $e) {}
185 */
After this things work - althoug the password won't be encrypted
anymore in the session. But if this does help, Horde_Secret stuff must
be the cause. Anyone an idea what may be happen here?
understand how the token process - encryption of the password in the
session - should work do check where it fails
have to track this down yourself.
how the token process - encryption of the password in the session -
should work do check where it fails; as it seems its the culprit here,
because the provided user password from the request is correct.
provide a patch.
1. The password sent from the client (tbird+lightning) is correct,
looking at the PHP_AUTH_PW line.
2. The stacktrace of the rpc call looks like this:
1. Horde_Rpc_Webdav->getResponse() /var/www/horde/rpc.php:146
2. Horde_Rpc_Webdav->ServeRequest() /usr/share/php/Horde/Rpc/Webdav.php:250
3. Horde_Rpc_Webdav->_check_auth() /usr/share/php/Horde/Rpc/Webdav.php:953
4. Horde_Rpc_Webdav->check_auth() /usr/share/php/Horde/Rpc/Webdav.php:2428
5. Horde_Core_Auth_Application->authenticate()
/usr/share/php/Horde/Rpc/Webdav.php:832
6. Horde_Core_Auth_Application->authenticate()
/usr/share/php/Horde/Core/Auth/Application.php:129
7. Horde_Auth_Base->authenticate()
/usr/share/php/Horde/Core/Auth/Application.php:132
8. Horde_Core_Auth_Application->_authenticate()
/usr/share/php/Horde/Auth/Base.php:146
9. Horde_Registry->callAppMethod()
/usr/share/php/Horde/Core/Auth/Application.php:161
10. call_user_func_array() /usr/share/php/Horde/Registry.php:1083
11. IMP_Application->authAuthenticate()
12. IMP_Auth::authenticate() /var/www/horde/imp/lib/Application.php:409
13. Horde::debug() /var/www/horde/imp/lib/Auth.php:80
3. The encoded session password taken from the imap->ob is garbage
like reported.
4. The password send to the imap socket (verified via debug statement
at lib level) is garbage too - but it differs from the one from 3.
I am stuck here. The client did sent the correct credentials - but
credentials sent to the socket are wrong and does differ from the
encoded one, to decoding seems to take place but there something is
going wrong.
Assigned to Jan Schneider
these RPC requests are generated/handled, so he is going to be more
helpful regarding this.
Although it is very troubling that this works "some of the time".
There's nothing worse than trying to track down an intermittent event.
URLs are kronolith calendar ones like, e.g.:
https://<HOST>/horde/rpc.php/kronolith/horde-test@software-friends.de/pyBNNE7pT-BN06bxQTExq_A.ics
Errors are occuring if Thunderbirds lightning calendar extension wants
to download the ics file; this fails with the mentioned auth denied
errors (details like imap server output with auth details and debug
stuff from imap session already mentioned in previous comments).
Sometimes it does succeed to fetch the ics - but in the long run,
thunderbird is asking for credentials over and over again as the
session becomes broken, although credentials submitted are valid.
Some note - maybe its relevant - i'll to not yet see this failure
using firefox plain https request, evolution or kontact.
It does fail @thunderbird only it seems - but because lightning does
submit correct credentials, it should not be the fault of the bird,
shouldn't it?
IIRC, your Horde is set up to use imp authentication?
How/when are you seeing these errors. You mentioned RPC calls -
provide full details as to these calls (e.g. URLs).
["password"]=>
string(16) "?k ^Z)<B6>b<B0>.p<BE>^W<D8>\<9B>"
thats the _passencrypt output:
["_passencrypt"]=>
bool(true)
of the password rather than the plaintext version. The question
becomes why this is happening?
#11below, is there any chance of checking tosee if the Horde_Imap object params array contains the '_passencrypt'
key?
Assigned to Michael Slusarz
State ⇒ Assigned
Priority ⇒ 1. Low
the password rather than the plaintext version. The question becomes
why this is happening?
mentioned in comment
#9, thats the dovecot auth output:MD5-CRYPT(;3<9A><CA><F1><B2>g:<FC><F1><F8>g<E3><FD><96>*) !=
'$1$a0dd526a$POYliZyTPtYiz.FGbo.0H0'
So it did receive this:
;3<9A><CA><F1><B2>g:<FC><F1><F8>g<E3><FD><96>*
The input from the user is correct, verified via debug statement in
the horde code you told me.
What to do now? Should i still enter debug statements to the horde
imap client code?
there a password string in the imap object output - which does not
macht the password from the credentials debug output:
["password"]=>
string(16) "?k )?b?.p??\?"
The only way to debug this will be to find out exactly what Horde is
sending to the IMAP server as a password. And this will either
require you to set up debugging on your IMAP server or by manually
entering debug statements in the IMAP client code
(Horde_Imap_Client_Socket class - _tryLogin() function).
there a password string in the imap object output - which does not
macht the password from the credentials debug output:
["password"]=>
string(16) "?k )?b?.p??\?"
Is this what you are looking for? If you still need te dump please let
me know, i'll sent you a private mail than.
generated. Right before the "if (!$imp_imap->ob)" line, insert a
debug statement:
Horde::debug($imp_imap->ob)
And report the debug output back here.
if (!$imp_imap->ob)
is false.
The password is what i expect, but the raw imaplog does not show those
password or the login command. The imap server does still deny
authentication (and raw logs from dovecot) are showing "garbage" as
password, not what the user entered above.
imap session output from horde:
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
C: [SASL-IR AUTHENTICATE Command - username: horde-test@software-friends.de]
C: [LOGIN Command - username: horde-test@software-friends.de]
dovecot auth output:
MD5-CRYPT(;3<9A><CA><F1><B2>g:<FC><F1><F8>g<E3><FD><96>*) !=
'$1$a0dd526a$POYliZyTPtYiz.FGbo.0H0'
So what dovecot does receive, is not what the user did entered (and is
show from the horde:debug line). Any ideas where things may break?
never output to the debug stream. So this won't work.
Instead, we will need to manually debug the code. In
imp/lib/Auth.php, on line 88 (just before the line
$imp_imap->createImapObject($credentials['userId'],
$credentials['password'], $credentials['server']);), insert the
following:
Horde::debug($credentials);
It should look like:
try {
Horde::debug($credentials);
$imp_imap->createImapObject($credentials['userId'],
$credentials['password'], $credentials['server']);
} catch (IMP_Imap_Exception $e) {
self::_logMessage(false, $imp_imap);
throw $e->authException();
}
Then check the debug output file (see below for further information).
You are looking for the 'password' entry - see if the password is what
you expect for that user.
----
Horde::debug() documentation: http://wiki.horde.org/Doc/Dev/DebugH4
1. calendar via kornolith does fail - email does work, login to horde
webfrontend
2. output from imap log does read:
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
C: [SASL-IR AUTHENTICATE Command - username: horde-test@software-friends.de]
C: [LOGIN Command - username: horde-test@software-friends.de]
imp/config/backends.php) of a successful vs. unsuccessful login for a
given username for us to begin to debug this.
authentication via horde or what is needed there for raw logs?
generated by IMP and see why it is not authenticating correctly.
unfortunately, you will have to do this on your own since this deals
with sensitive data (passwords) that you probably don't want to share
with the world.
Version ⇒ Git master
Queue ⇒ Kronolith
munge/mangle the password/username combination in Horde/IMP. The
login form is identical whether you are using 'IMP' authentication
or 'IMAP' authentication. (Similarly, this has nothing to do with
special characters since the login form is the same).
calls - it does work on the "http form" everytime. But e.g. kronolith
calendars getch via http + basic auth does fail.
munge/mangle the password/username combination in Horde/IMP. The
login form is identical whether you are using 'IMP' authentication
or 'IMAP' authentication. (Similarly, this has nothing to do with
special characters since the login form is the same).
users are reporting and what i've got from logs.
imp/config/backends.php) of a successful vs. unsuccessful login for
a given username for us to begin to debug this.
authentication via horde or what is needed there for raw logs?
munge/mangle the password/username combination in Horde/IMP. The
login form is identical whether you are using 'IMP' authentication or
'IMAP' authentication. (Similarly, this has nothing to do with special
characters since the login form is the same).
You will need to provide full debug logs (debug_raw = true in
imp/config/backends.php) of a successful vs. unsuccessful login for a
given username for us to begin to debug this.
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ Authentication via IMP does fail for some passwords while using IMAP directly does work
Due ⇒ 10/25/2011
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
things or do imap directly.
IMAP does work fine (with patch from
#10679) for all my user accounts.Using IMP (which does use imap too in the backend) should work too -
but it does not for all accounts. Some users are unable to login and
dovecot logs reports invalid passwords provided.
Looking at the debug output from dovecot it seems, that if imp is used
to provide authentication, some passwords (guess with special chars in
it - only a guess) are not passed correct to the imap server - they
are different from what the user does provide.
Switching to imap auth using the same password does work. Looks like a
bug to me in imp authentication - can't tell where exactly but thats
the behaviour seen.