Cyrus IMAP Presentation

[Eric Estabrooks]

Ken Murchison wrote:

>Quoting Eric Estabrooks <eric at urbanrage.com>:
>
>  
>
>>    
>>
>>>      
>>>
>>It should be possible to write a pam module (or extend an existing one) 
>>to include other mechanisms beside plain, if like you said you had plain 
>>    
>>
>
>My understanding of PAM is that you can't retrieve the password.  You simply 
>pass it a user, password and service and PAM tells you whether it is 
>correct/allowed or not.  I haven't checked the PAM API, so maybe there is a 
>way.
>

There isn't as far as I know, you can do it by perverting the messaging 
interface,  but that would be bad. 

>  
>
>>text passwords available on the server side.  Of course there might be 
>>an additional restriction imposed by the sasl interface in that it might 
>>only present plain to the pam interface or the likes of saslauthd and 
>>try to resolve others internally or drop them if configured for using pam.
>>    
>>
>
>Assuming that youy can get PAM to return the plaintext password, you'd have to 
>write a PAM auxprop plugin.  SASL only uses auxprop to fetch the plaintext 
>passwords (as opposed to checking the validity, which it does via saslauthd).
>  
>

Ah, I was looking at it from the other side thinking saslauthd would 
pass in the base64 encoded challenge response from cram and the pam 
module would still do a success/fail response by replicating the hmac 
functionality internally.

Eric

>  
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
Url : https://lists.andrew.cmu.edu/mailman/private/info-cyrus/attachments/20020922/cb542af3/smime.bin