I am trying to connect with my Google Apps account but Kopete cannot connect. I am getting a notification: "There was an error authenticating with the server: No appropriate authentication mechanism available. Offered mechanisms: X-OAUTH2, X-GOOGLE-TOKEN, PLAIN" Reproducible: Always Steps to Reproduce: 1. Settings > Configure > Accounts > Add Account > Jabber 2. Jabber ID = my Google Apps account email address, Remember password = checked 3. Connection: - Use legacy SSL encryption (tried both on and off - same result) - Allow plain-text password authentication = off (I surely will not even try that) - Override default server information: talk.google.com, port 5223 (tried 5222 too - same result) 4. Trying to connect Actual Results: Cannot connect. I am getting the notification quoted in the details. Expected Results: Successful connection. Using the exact same settings in Pidgin works perfectly. Note: The actual version I am using is: Version 1.6.60 Using KDE Development Platform 4.14.9 on openSUSE 13.2 x64 - updated from the official repository.
Additional info: same thing in Kopete 1.7.2
Same issue in Plasma 5 > System Settings > Online Accounts
(In reply to george from comment #0) > Offered mechanisms: X-OAUTH2, X-GOOGLE-TOKEN, PLAIN" As you can see google supports just some proprietary/google specific authentication mechanisms and *standard* PLAIN. > - Allow plain-text password authentication = off (I surely will not even try that) So You need to enable plain-text password authentication for logging into Google. Anyway, connection to Google XMPP server is encrypted by end-to-end TLS layer, so plain-text password is sent that encrypted connection. Kopete cannot do anything if XMPP server does not support more robust SCRAM-SHA256 authentication... So closing as INVALID.
> So You need to enable plain-text password authentication for logging into Google. In the meantime while waiting for your reply I tried that - without success. The tooltip above the system tray says "Malformed packet received" and it is the same in Telepathy. So the case is definitely. Please test with a regular Gmail account and you will see. Right now I have tested from openSUSE Leap 42.1 and Plasma (everything updated).
Check if you can connect with Psi IM client. It uses same XMPP library as Kopete.
(In reply to Pali Rohár from comment #5) > Check if you can connect with Psi IM client. It uses same XMPP library as > Kopete. Same problem. Even when I choose Legacy SSL I get: There was an error communicating with the server. Details: Authentication error: No appropriate mechanism available for given security settings (e.g. SASL library too weak, or plaintext authentication not enabled) Offered mechanisms: X-OAUTH2, X-GOOGLE-TOKEN, PLAIN
You need to use PLAIN mechanism (plain text password). Check that you enabled plain text authentication as written in error message.
(In reply to Pali Rohár from comment #7) > You need to use PLAIN mechanism (plain text password). Check that you > enabled plain text authentication as written in error message. I am not going to expose my credentials in plain text just because a program doesn't work properly. If it works in plain text authentication only, I would rather not use it. Sorry. Pidgin works without problem with encryption with the same account.
(In reply to george from comment #8) > I am not going to expose my credentials in plain text just because a program doesn't work properly. Blame google, not me or Kopete. > If it works in plain text authentication only, I would rather not use it. Sorry. That is another option, stop using google account. > Pidgin works without problem with encryption with the same account. But you still did not understand, that jabber password is sent in SSL tunnel? It is same as if you enter password in web browser. In 99.99% cases it is sent in plain text (under SSL tunnel).
I am not blaming Google because in Pidgin everything works. I just tried Psi with another (less important) Google account in plain text mode - exactly the same result.
(In reply to george from comment #10) > I just tried Psi with another (less important) Google account in plain text > mode - exactly the same result. Psi and Kopete use same XMPP library. Pidgen use another... In Kopete open XML console (right click on jabber account) and aftet that try to connect. In XML console should be full XMPP communication and also reason why login was rejected. Remove sensible information (like username+password) and post here full output. Maybe it could help for debugging...
It is telling me: <?xml version="1.0"?> <stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="gmail.com"> and in the tooltip above the clock I get "Malformed packet received".
Thats all what is in XML console? No <mechanism> lines? It looks weird. Check that you have opened XML console before trying to login... Also try to "kopete (jabber)" and "kopete (jabber - raw protocol)" in kdebugdialog application and then start kopete from terminal. On terminal there should be full XMPP communication too.
Yes, that's all. And the console is opened before trying to connect. I didn't understand that about kdbugdialog etc. Can you explain the steps?
Just start kdebugdialog application and enable those two checkboxes.
Created attachment 97907 [details] kopete debug output There you go. BTW when testing earlier with Telepathy I was getting the exact same result (I suppose they both use same libraries too?)
This looks really suspicious. No credentials were sent, no handshake and google closed connection even before it sent some response. Can you recheck that you have correct configuration? No legacy ssl and default server+port. Or you can set server to talk.google.com, port 5222 (no legacy ssl). If it still happens, please try to capture packages in wireshark. If configuration is OK, then for unknown reasons google (or ISP) blocks you. And telepathy does not use any jabber/xmpp library as Kopete. Which version of Kopete do you try?
I am using talk.google.com port 5223 - the same setting which I am using in Pidgin. No, my ISP does not block anything. I don't know how to capture with wireshark but as I explained the situation is exactly the same with Telepathy. What should I do? # rpm -q kopete kopete-15.12.2-14.1.x86_64
(In reply to george from comment #18) > I am using talk.google.com port 5223 ... > What should I do? You are using wrong port number, that could explain reason. Use 5222. That port is also stored in gmail.com DNS records: $ host -t SRV _xmpp-client._tcp.gmail.com _xmpp-client._tcp.gmail.com has SRV record 20 0 5222 alt4.xmpp.l.google.com. _xmpp-client._tcp.gmail.com has SRV record 20 0 5222 alt2.xmpp.l.google.com. _xmpp-client._tcp.gmail.com has SRV record 20 0 5222 alt3.xmpp.l.google.com. _xmpp-client._tcp.gmail.com has SRV record 20 0 5222 alt1.xmpp.l.google.com. _xmpp-client._tcp.gmail.com has SRV record 5 0 5222 xmpp.l.google.com.
Created attachment 97918 [details] kopete debug log using talk.google.com:5222, plaintext, no legacy SSL Ok, I have tried again. Settings: talk.google.com, port 5222, no legacy SSL The result is the attached log. As soon as I try to go Online, Kopete asks me for my password (although I have already entered it and remembered it in the account options). I enter it and tick the "Remeber" checkbox again. I attempts to login and again pops up asking for password. And so on to infinity. BUT! In the meantime I received an email on the Gmail account: ------ Sign-in attempt prevented Hi SANITIZED, Someone just tried to sign in to your Google Account SANITIZED@gmail.com from an app that doesn't meet modern security standards. Details: Wednesday, March 16, 2016 12:27 AM (LOCATION SANITIZED)* We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable. Learn more. Google stopped this sign-in attempt, but you should review your recently used devices: ------ Than I went to https://myaccount.google.com/security and saw the option Allow less secure apps: OFF. I put it to ON and now I can connect. Put it back to OFF and I cannot. So it seems Kopete can connect only if using plaintext authentication and reducing the overall security of the Google account. I definitely don't feel safe doing this. Pidgin works with encryption turned on and without having to "Allow less secure apps". Can you fix that? Also - how do I debug to debug if the situation with Telepathy is the same? (which I suppose is quite possible) Maybe that might be worth a separate ticket.
(In reply to george from comment #20) > Created attachment 97918 [details] > kopete debug log using talk.google.com:5222, plaintext, no legacy SSL > > Ok, I have tried again. Settings: > > talk.google.com, port 5222, no legacy SSL Looks better. According to my dns output, google has all host+port information in dns, so default configuration (without overwriting host/port and enabling legacy ssl) should work. > The result is the attached log. As soon as I try to go Online, Kopete asks > me for my password (although I have already entered it and remembered it in > the account options). I enter it and tick the "Remeber" checkbox again. I > attempts to login and again pops up asking for password. And so on to > infinity. That means that server rejected your password (= authentication failed). > BUT! > > In the meantime I received an email on the Gmail account: > ------ > Sign-in attempt prevented > > Hi SANITIZED, > Someone just tried to sign in to your Google Account SANITIZED@gmail.com > from an app that doesn't meet modern security standards. > Details: > Wednesday, March 16, 2016 12:27 AM > (LOCATION SANITIZED)* > We strongly recommend that you use a secure app, like Gmail, to access your > account. All apps made by Google meet these security standards. Using a less > secure app, on the other hand, could leave your account vulnerable. Learn > more. > > Google stopped this sign-in attempt, but you should review your recently > used devices: > ------ > > Than I went to https://myaccount.google.com/security and saw the option > Allow less secure apps: OFF. I put it to ON and now I can connect. Put it > back to OFF and I cannot. > > So it seems Kopete can connect only if using plaintext authentication and > reducing the overall security of the Google account. I definitely don't feel > safe doing this. Pidgin works with encryption turned on and without having > to "Allow less secure apps". Some fancy google security. Nothing standard for jabber protocol. So now we know where is problem. This is great! Thanks for debugging. First problem is to properly set settings (no legacy ssl and correct port) and second is to disable some fancy google security. > Can you fix that? I see that google send this list of auth mechanisms: <mechanism>X-OAUTH2</mechanism> <mechanism>X-GOOGLE-TOKEN</mechanism> <mechanism>PLAIN</mechanism> First twos are some google non standard specific and last third is standard (plain text). I do not see there any secure SCRAM auth mechanism. So I would suspect that to connect without that google "less secure option" it is needed to support one of that first two specific google auth mechanisms... Anyway, Kopete for jabber connection (and also this authentication!) uses external libiris library. So I cannot fix this problem in Kopete. It would mean to implemented either X-OAUTH2 or X-GOOGLE-TOKEN in libiris. So please report this problem to upstream libiris project. Now when we know that this is 100% not in Kopete, I will close this bug as cannot do more. Project page of libiris is: https://github.com/psi-im/iris > Also - how do I debug to debug if the situation with Telepathy is the same? > (which I suppose is quite possible) Maybe that might be worth a separate > ticket. I have no idea hwo KDE Telepathy is working and how to debug it. Please ask this on Telepathy project.
https://github.com/psi-im/iris/issues/35
Hi, It looks like the developer has made some "hack" in the iris library after reporting the issue. https://github.com/psi-im/iris/issues/35#issuecomment-199154863 Can you please look into that and explain how to use that in conjunction with Kopete?
Git commit 3bff188483fd2ee01bb8310a511e8cc9a4808d22 by Pali Rohár. Committed on 21/10/2016 at 16:44. Pushed by pali into branch 'jabber-xoauth2'. Add support for X-OAuth2 authentication in Jabber protocol Based on Psi demo code from: https://github.com/psi-im/iris/issues/35 https://github.com/psi-plus/main/blob/master/patches/dev/xoauth2-support-demo.diff REVIEW: 129239 FIXED-IN: 16.12 M +3 -0 CMakeLists.txt M +4 -4 protocols/CMakeLists.txt M +5 -1 protocols/jabber/CMakeLists.txt M +4 -1 protocols/jabber/jabberaccount.cpp M +40 -0 protocols/jabber/jabberclient.cpp M +3 -0 protocols/jabber/jabberclient.h M +98 -0 protocols/jabber/ui/dlgjabbereditaccountwidget.ui A +76 -0 protocols/jabber/ui/dlgjabberxoauth2.cpp [License: GPL (v2+)] A +43 -0 protocols/jabber/ui/dlgjabberxoauth2.h [License: GPL (v2+)] A +161 -0 protocols/jabber/ui/dlgxoauth2.ui M +18 -1 protocols/jabber/ui/jabbereditaccountwidget.cpp M +1 -0 protocols/jabber/ui/jabbereditaccountwidget.h A +331 -0 protocols/jabber/xoauth2provider.cpp [License: GPL (v2+)] A +25 -0 protocols/jabber/xoauth2provider.h [License: GPL (v2+)] http://commits.kde.org/kopete/3bff188483fd2ee01bb8310a511e8cc9a4808d22
Support for X-OAuth2 is in kopete branch jabber-xoauth2, diff uploaded to reviewboard: https://git.reviewboard.kde.org/r/129239/
Thank you. I will test it as soon as it makes it to the openSUSE repos.
@george: If you do not want to compile Kopete, you can try it on Ubuntu/Kubuntu distributions. Daily kopete packages from git with that X-OAUTH2 patch are in repository: https://launchpad.net/~pali/+archive/ubuntu/kopete/+packages
Thanks Pali but I am not interested in changing the distro. My workstation works fine as it is now. I will test the new kopete version as soon as it makes it to the official openSUSE repos. Thank you for your attention!
You could use Live CD or USB pendrive for testing... But OK, nobody complained about that patch set, so I'm going to push it to git master...