
List:       info-cyrus
Subject:    Re: Cyrus IMAP Presentation
From:       Eric Estabrooks <eric () urbanrage ! com>
Date:       2002-09-22 23:03:54


Henrique de Moraes Holschuh wrote:

>On Sun, 22 Sep 2002, Mathieu Arnold wrote:
>
>>--On Sunday, 22 September 2002 12:27 -0400 Ken Murchison <ken@oceana.com>
>>wrote:
>>
>>that is true, you can only give it a login and a *plain text* password,
>>then, pam checks for its validity, so, you cannot do digests auth. I
>>maintain the pam-pgsql freebsd port, and I can tell you that I've been
>>debugging it enough to know that :)
>
>How does libpam-opie and openssh manage to do challenge-response auth
>through the PAM layer, then?
>
PAM has a "conversation" callback that it makes requests through, such as 
password or challenge/response requests (this is what libpam-opie uses). 
This mechanism normally has text to display to the user and gets 
back the information the user types in.

It could be abused to pass back the plaintext password, but all of the 
applications that used it would have to be programmed to know about this 
abuse and it's just not a nice use of that interface mechanism.  You 
could also use it as a sneaky way to provide uid, gid, home directory, 
and shell information to the app (which PAM currently doesn't seem to 
have a mechanism for, unless the setcred could do something like this), 
but it all happens before authentication has given a success/fail.
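
Added example, not part of the message above and not code from any PAM implementation: a C model of the conversation callback the message describes, with a module-side function that displays a challenge and collects the reply through the same callback a password prompt would use. The struct names, return codes, and challenge/reply strings are assumptions made for this example; a real application uses `struct pam_conv`, `struct pam_message` and `struct pam_response` from `<security/pam_appl.h>`.

```c
#include <stdlib.h>
#include <string.h>
/* Local mirrors of the structs and message styles in <security/pam_appl.h>,
   redeclared (assumption) so the example builds without libpam installed. */
enum { ECHO_OFF = 1, ECHO_ON = 2, ERROR_MSG = 3, TEXT_INFO = 4 };
struct message  { int msg_style; const char *msg; };
struct response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct message **, struct response **, void *);
/* Hypothetical application state, passed to the callback as appdata_ptr. */
struct answers { const char *secret; const char *visible; int shown; };

/* Application side: one response slot per message; NULL for display-only. */
int app_conv(int n, const struct message **msg, struct response **out, void *ap)
{
    struct answers *a = ap;
    if (n <= 0 || !msg || !out || !a) return -1;
    struct response *r = calloc((size_t)n, sizeof *r);
    if (!r) return -1;
    for (int i = 0; i < n; i++) {
        const char *src = NULL;
        int style = msg[i]->msg_style;
        if (style == TEXT_INFO || style == ERROR_MSG) { a->shown++; continue; }
        if (style == ECHO_OFF) src = a->secret;      /* password or OTP reply */
        else if (style == ECHO_ON) src = a->visible; /* e.g. a login name */
        if (src) r[i].resp = malloc(strlen(src) + 1);
        if (!r[i].resp) {                 /* unknown style or out of memory */
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r); return -1;
        }
        strcpy(r[i].resp, src);
    }
    *out = r;
    return 0;
}

/* Module side (constructed): show a challenge, then ask for the reply. */
int module_challenge(conv_fn conv, void *ap, const char *chal, const char *want)
{
    struct message m0 = { TEXT_INFO, chal }, m1 = { ECHO_OFF, "Response: " };
    const struct message *msgs[2] = { &m0, &m1 };
    struct response *r = NULL;
    if (conv(2, msgs, &r, ap) != 0 || !r) return 0;
    int ok = r[1].resp && strcmp(r[1].resp, want) == 0;
    free(r[0].resp); free(r[1].resp); free(r);
    return ok;
}
int main(void) {   /* constructed challenge/reply pair */
    struct answers a = { "reply-1234", "alice", 0 };
    return !module_challenge(app_conv, &a, "challenge-1234", "reply-1234");
}
```

The callback refuses message styles it does not recognise, which is the point made in the message: anything beyond the standard prompts only works if the application was written to expect it.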

