cyrus imap without sasl

Rob Siemborski rjs3 at andrew.cmu.edu
Thu Sep 19 08:55:28 EDT 2002


On Thu, 19 Sep 2002, GOMBAS Gabor wrote:

> On Thu, Sep 19, 2002 at 02:29:24AM -0700, David Wright wrote:
>
> > It's true, there isn't a need, meaning Cyrus could have been designed to
> > use PAM directly as a security layer and not used SASL.
>
> Huh? PAM is not a security layer. It is an API designed for local
> authentication only. On the other hand, SASL is a _protocol_ designed
> for remote client-server authentication, encryption and integrity
> protection. There is _no_ relation between SASL and PAM. Of course you
> can use PAM to implement the PLAIN SASL authentication method, and it is
> also possible that some PAM module might use SASL to talk to a remote
> authentication service, but these are implementation details.

David would have been more correct if he had said libsasl, which does
provide *some* PAM-like functionality, namely the ability to verify
plaintext passwords outside of the context of a SASL negotiation.  A long
while ago the decision was made to break all authentication-related code
out into libsasl.  This was done so that we would only have to maintain
one copy of the code, regardless of how the system was configured.  I'd
hate to see the disaster of misconfigurations we would have right now
if you had to worry about if Cyrus was handling authentication or if
libsasl was.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
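
The split discussed in this thread, as an added sketch that is not Cyrus or libsasl code: the PLAIN mechanism parses the client's message (RFC 4616 layout) and passes the credentials to a pluggable plaintext verifier, which is where PAM or any other backend would sit. `plain_server_step`, `verify_fn` and `demo_verify` are hypothetical names, and the account in `demo_verify` is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical backend hook: returns 0 if the password is valid.
   In a real server this is where PAM, a password file or a database sits. */
typedef int (*verify_fn)(const char *user, const char *pass);

/* Constructed demo backend with a single hard-coded account. */
static int demo_verify(const char *user, const char *pass) {
    return (strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0) ? 0 : -1;
}

/* Index of the next NUL separator in buf[start..len), or len if none. */
static size_t next_nul(const unsigned char *buf, size_t start, size_t len) {
    while (start < len && buf[start] != '\0') start++;
    return start;
}

/* Handle one SASL PLAIN response: [authzid] NUL authcid NUL passwd.
   Returns 0 on success, -1 on malformed input or bad credentials. */
int plain_server_step(const unsigned char *msg, size_t len, verify_fn verify) {
    char user[256], pass[256];
    size_t z_end = next_nul(msg, 0, len);            /* end of authzid */
    if (z_end == len) return -1;                     /* first NUL missing */
    size_t u_start = z_end + 1;
    size_t u_end = next_nul(msg, u_start, len);      /* end of authcid */
    if (u_end == len) return -1;                     /* second NUL missing */
    size_t p_start = u_end + 1;
    size_t ulen = u_end - u_start, plen = len - p_start;
    if (ulen == 0 || plen == 0) return -1;           /* empty authcid or passwd */
    if (ulen >= sizeof user || plen >= sizeof pass) return -1;
    if (memchr(msg + p_start, '\0', plen)) return -1; /* NUL inside passwd */
    /* Policy of this sketch: authzid must be empty or equal to authcid. */
    if (z_end != 0 && (z_end != ulen || memcmp(msg, msg + u_start, ulen) != 0))
        return -1;
    memcpy(user, msg + u_start, ulen); user[ulen] = '\0';
    memcpy(pass, msg + p_start, plen); pass[plen] = '\0';
    int rc = verify(user, pass);   /* mechanism layer ends, backend decides */
    memset(pass, 0, sizeof pass);  /* best effort; a compiler may drop this */
    return rc;
}
```

The same `verify_fn` can be called directly with a username and password, with no mechanism exchange around it, which is the kind of plaintext check outside a SASL negotiation that the message describes.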






More information about the Info-cyrus mailing list