[Web-cyradm] Someone seen this before ?
Rob Siemborski
rjs3 at andrew.cmu.edu
Sat Jul 26 14:51:46 EDT 2003
On Sat, 26 Jul 2003 tom at bryntez.com wrote:
> A question ... why use the auxprop plugin instead of pam ? Is there
> any performance issues involved or what ?
>
> Thanks for your brilliant piece of software - cyrus-guys .... :-)
PAM only allows you to do password verification, essentially "is xyzzy the
password?" and get a "ok/no" response. This requires that the
plaintext password traverse the network (possibly under a TLS
layer).
Auxprop plugins allow you to use more secure mechanisms, such as CRAM-MD5
or DIGEST-MD5 because you have access to the password directly, instead of
just an ok/no answer.
It also eliminates a few tiers in the authentication hierarchy, compare:
cyrus -> sasl -> saslauthd -> pam -> pam_mysql -> mysql
to
cyrus -> sasl -> mysql auxprop -> mysql
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
More information about the Info-cyrus
mailing list