
List:       info-cyrus
Subject:    Re: Cyrus IMAP Presentation
From:       Eric Estabrooks <eric () urbanrage ! com>
Date:       2002-09-22 16:54:27


Ken Murchison wrote:

>Quoting Eric Estabrooks <eric@urbanrage.com>:
>
>>It should be possible to write a pam module (or extend an existing one) 
>>to include other mechanisms beside plain, if like you said you had plain 
>
>My understanding of PAM is that you can't retrieve the password.  You simply 
>pass it a user, password and service and PAM tells you whether it is 
>correct/allowed or not.  I haven't checked the PAM API, so maybe there is a 
>way.
>

There isn't as far as I know. You can do it by perverting the messaging
interface, but that would be bad.

>>text passwords available on the server side.  Of course there might be 
>>an additional restriction imposed by the sasl interface in that it might 
>>only present plain to the pam interface or the likes of saslauthd and 
>>try to resolve others internally or drop them if configured for using pam.
>
>Assuming that you can get PAM to return the plaintext password, you'd have to 
>write a PAM auxprop plugin.  SASL only uses auxprop to fetch the plaintext 
>passwords (as opposed to checking the validity, which it does via saslauthd).

Ah, I was looking at it from the other side thinking saslauthd would 
pass in the base64 encoded challenge response from cram and the pam 
module would still do a success/fail response by replicating the hmac 
functionality internally.

Eric
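
Added example, not part of the original messages or of the Cyrus/SASL code: a sketch of the CRAM-MD5 check discussed in this thread, showing that whichever component returns the success/fail answer has to recompute the HMAC from a stored plaintext secret, because the client's response never carries the password. The `lookup_secret` callback and the `SECRETS` table are hypothetical stand-ins for an auxprop-style store; the sample user, secret and challenge are the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac

# Sample values: the worked example from RFC 2195 (CRAM-MD5).
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
SECRETS = {"tim": b"tanstaaftanstaaf"}  # hypothetical auxprop-style secret store


def client_response(user: str, password: bytes, challenge: bytes) -> bytes:
    """Client side: base64 of 'user' SP hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_cram_md5(challenge: bytes, b64_response: bytes, lookup_secret) -> bool:
    """Server side: recompute the HMAC from the stored secret and compare.

    lookup_secret(user) -> bytes or None is a hypothetical callback. It must
    return the plaintext secret: a verify-only interface that takes
    (user, password) has nothing to check, since no password is presented.
    """
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False  # not valid base64 / not text
    # The digest is the last space-separated token; user names may hold spaces.
    user, _, digest = decoded.rpartition(" ")
    if not user:
        return False
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    # Constant-time comparison on bytes (hex digests are case-insensitive).
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


if __name__ == "__main__":
    resp = client_response("tim", SECRETS["tim"], CHALLENGE)
    print("client sends:", resp.decode())
    print("server accepts:", verify_cram_md5(CHALLENGE, resp, SECRETS.get))
    # The same response is useless against a fresh challenge.
    print("replay accepted:", verify_cram_md5(b"<2.0@example.test>", resp, SECRETS.get))
```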
