New authentication method

Joe Ammann joe at pyx.ch
Mon Nov 28 12:22:16 EST 2005


On Monday 28 November 2005 15:36, Alexey Melnikov wrote:
> Joe Ammann wrote:
> >I've been tasked to implement a new way of authentication for SASL, which
> >works like this: A HTTP POST request with username, cleartext password and
> >realm is passed to a webserver which either answers with a HTTP 200
> > response (meaning authentication is ok) or a HTTP 403 response (meaning
> > that authentication failed).
[..]
> >1) An auxprop plugin is not adequate, because such a plugin would need to
> >fetch the password from somewhere and return it to SASL, which then
> > performs the verification. This does not fit the pattern at hand.
>
> Correct.

Thank you for confirmation.

> >2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go,
> > but saslauthd does not seem to have a "runtime plugin concept" (with
> > shared libraries). I would need to change the source of saslauthd and
> > replace the existing binary on the machine.
>
> saslauthd has replaced the pwcheck daemon. So I think this is the proper
> way.

That's what I got down to also. Good to hear that you agree :-)

Looked around in the saslauthd code a bit deeper, adding a mechanism seems 
rather straightforward. One question: Would there be any chance that a clean 
patch would be accepted into the baseline of cyrus-sasl?

Currently I'm looking into adding 2 new mechanisms:

auth_externalscript: call an external script, pass it the info (user, info, 
service, realm) via stdout, check the exit status of the script for 
indication of success/failure, in case of failure take the first line of 
stdout as the response string of the auth function

auth_httpform: pass the info to a HTTP POST form, expect either a HTTP status 
200 (meaning success) or 403 (meaning forbidden). In case of 403 take the 
HTTP response as the response string of the auth function

Any comments? Does this sound reasonable?

CU, Joe

