PAM authentication - Remote host
Dan White
dwhite at olp.net
Wed Jul 14 09:42:56 EDT 2010
On 14/07/10 09:38 -0400, omalleys at msu.edu wrote:
> What you are saying is absolutely correct, and it is entirely possible to do.
> It should be included in the distribution.
>
> The -correct- way to do this would be to write a sasl pam module. :) however..
>
> If SASL_IPREMOTEPORT actually gets set by the application, it is a
> callback to the application through the sasl2 library. I.e., the data is
> not actually passed to the sasl library when the authentication process
> starts. It is grabbed at a later point in time if needed.
>
> The sasl2 library sends a data string to saslauthd to do the authentication.
>
> As stated before the string that gets sent only contains 4 values and
> there is no interface for the callback to get the data.
>
> The other issue which I am not sure if it has been resolved or not, is
> in the definition of PAM_RHOST. Last I checked (a long while ago) it
> wasn't specified as to whether it should be an IP# or a hostname.
>
> I -believe- the SASL_IPREMOTEPORT data doesn't actually get sent to
> saslauthd for performance reasons. If you do a hostname lookup on the
> data, it tends to slow things down. I believe it is also one of the
> original reasons why the 4 arguments weren't hardcoded like they are
> now.
Also, the reason that environment variables are not seen by PAM is because
saslauthd runs in a separate process, and all authentication from calling
applications is performed by communicating to it over a unix socket.
--
Dan White
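To make the point in the thread concrete, here is an added example (not code from the original posters or from the Cyrus SASL project) that encodes and decodes the request saslauthd receives over its Unix socket. The wire format is four 16-bit big-endian length-prefixed strings (login, password, service, realm) followed by a length-prefixed "OK"/"NO" reply; the socket path, user names and realm below are constructed sample values. Walking the encoder shows why there is nowhere for SASL_IPREMOTEPORT to travel: the request has exactly four fields and no slot for a remote address, so PAM inside saslauthd never sees it.

```python
import socket
import struct

# Constructed sample values; the real socket path depends on the build.
SAMPLE_SOCKET_PATH = "/var/run/saslauthd/mux"

FIELD_NAMES = ("login", "password", "service", "realm")


def _field(value: str) -> bytes:
    """One saslauthd field: 16-bit big-endian length, then the bytes."""
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return struct.pack("!H", len(data)) + data


def build_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Encode a saslauthd authentication request.

    Only these four strings are carried. There is no field for the client's
    remote address, which is why saslauthd cannot populate PAM_RHOST from
    SASL_IPREMOTEPORT even when the application set it.
    """
    return b"".join(_field(v) for v in (login, password, service, realm))


def parse_request(buf: bytes) -> dict:
    """Decode a request the way the daemon side would, rejecting truncation
    and any field count other than four."""
    fields = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if pos + n > len(buf):
            raise ValueError("truncated field body")
        fields.append(buf[pos:pos + n].decode("utf-8"))
        pos += n
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def parse_response(buf: bytes) -> tuple:
    """Decode the daemon's reply: 16-bit length, then 'OK' or 'NO ...'."""
    if len(buf) < 2:
        raise ValueError("truncated response")
    (n,) = struct.unpack_from("!H", buf, 0)
    text = buf[2:2 + n].decode("utf-8", errors="replace")
    return text.startswith("OK"), text


def authenticate(login: str, password: str, service: str, realm: str = "",
                 sock_path: str = SAMPLE_SOCKET_PATH) -> tuple:
    """Send one request to a running saslauthd over its Unix socket.

    Not exercised offline; shown so the four-field request above is seen in
    the context in which it is actually used.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_request(login, password, service, realm))
        return parse_response(s.recv(1024))


if __name__ == "__main__":
    req = build_request("alice", "s3cret", "imap", "example.org")
    print(req.hex())
    print(parse_request(req))  # four keys, none of them a remote host
```

The `parse_request` side mirrors the check a daemon would do: any extra field (say, a remote address bolted onto the end) makes the request malformed, so the only ways to carry the peer address to PAM are the ones the thread names: extend the protocol on both ends, or authenticate in-process with a SASL PAM module instead of via saslauthd.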