New authentication method
Joe Ammann
joe at pyx.ch
Mon Nov 28 12:22:16 EST 2005
On Monday 28 November 2005 15:36, Alexey Melnikov wrote:
> Joe Ammann wrote:
> >I've been tasked to implement a new way of authentication for SASL, which
> >works like this: A HTTP POST request with username, cleartext password and
> >realm is passed to a webserver which either answers with a HTTP 200
> > response (meaning authentication is ok) or a HTTP 403 response (meaning
> > that authentication failed).
[..]
> >1) An auxprop plugin is not adequate, because such a plugin would need to
> >fetch the password from somewhere and return it to SASL, which then
> > performs the verification. This does not fit the pattern at hand.
>
> Correct.
Thank you for confirmation.
> >2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go,
> > but saslauthd does not seem to have a "runtime plugin concept" (with
> > shared libraries). I would need to change the source of saslauthd and
> > replace the existing binary on the machine.
>
> saslauthd has replaced the pwcheck daemon. So I think this is the proper
> way.
That's what I got down to also. Good to hear that you agree :-)
Looked around in the saslauthd code a bit deeper, adding a mechanism seems
rather straightforward. One question: Would there be any chance that a clean
patch would be accepted into the baseline of cyrus-sasl?
Currently I'm looking into adding 2 new mechanisms:
auth_externalscript: call an external script, pass it the info (user, info,
service, realm) via stdout, check the exit status of the script for
indication of success/failure, in case of failure take the first line of
stdout as the response string of the auth function
auth_httpform: pass the info to a HTTP POST form, expect either a HTTP status
200 (meaning success) or 403 (meaning forbidden). In case of 403 take the
HTTP response as the response string of the auth function
Any comments? Does this sound reasonable?
CU, Joe
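As an added illustration of the auth_httpform idea (this is example code written for this page, not Joe's patch and not part of cyrus-sasl), the following Python sketch performs the check the way a saslauthd mechanism would have to: POST the credentials, treat HTTP 200 as the only success, take the body of a 403 as the failure reason, and treat every other outcome (5xx, timeout, connection refused) as a failure rather than a pass. The form field names (username, password, service, realm), the URL path and the credential store are assumptions; the stand-in web server and its one user are constructed here so the example runs offline. Because the password travels in cleartext inside the POST body, the client refuses plain http:// URLs unless the caller explicitly opts out, which the test does only because the stand-in server is loopback.

```python
import hmac
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Constructed credential store standing in for the web application's user database
# (assumption: the application keys users by (username, realm)).
CONSTRUCTED_USERS = {
    ("alice", "example.org"): "correct horse battery staple",
}


class _AuthHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the web server: 200 on success, 403 with a reason line otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode("utf-8"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        realm = form.get("realm", [""])[0]
        expected = CONSTRUCTED_USERS.get((user, realm))
        # Constant-time compare so a wrong password costs the same as a right one.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self._reply(200, "OK")
        else:
            self._reply(403, "bad username or password")

    def _reply(self, status, body):
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_constructed_server():
    """Start the stand-in server on a random loopback port; returns the server object."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _AuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def auth_httpform(url, user, password, service, realm, timeout=5.0, require_tls=True):
    """Return (ok, message) the way a saslauthd mechanism would.

    Only HTTP 200 means success. A 403 fails with the first line of the response
    body as the reason. Anything else (other status, timeout, unreachable backend)
    fails closed with a generic message: a broken backend must never authenticate.
    """
    if require_tls and urllib.parse.urlsplit(url).scheme != "https":
        return False, "refusing to send a cleartext password over a non-TLS URL"
    body = urllib.parse.urlencode(
        {"username": user, "password": password, "service": service, "realm": realm}
    ).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status == 200:
                return True, "OK"
            return False, "authentication backend returned HTTP %d" % resp.status
    except urllib.error.HTTPError as e:
        if e.code == 403:
            lines = e.read().decode("utf-8", "replace").splitlines()
            return False, (lines[0] if lines else "forbidden")
        return False, "authentication backend returned HTTP %d" % e.code
    except (urllib.error.URLError, OSError) as e:
        return False, "authentication backend unreachable: %s" % e
```

Two points worth carrying into a real saslauthd mechanism: the timeout matters because saslauthd serialises requests per worker, so a hung web server would otherwise stall logins for everyone; and the non-403 failure message is deliberately generic so that a client cannot distinguish "wrong password" from "backend down" and use the latter as an oracle.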