Cyrus IMAP Presentation
Eric Estabrooks
eric at urbanrage.com
Sun Sep 22 19:03:54 EDT 2002
Henrique de Moraes Holschuh wrote:
>On Sun, 22 Sep 2002, Mathieu Arnold wrote:
>
>
>>--On dimanche 22 septembre 2002 12:27 -0400 Ken Murchison <ken at oceana.com>
>>wrote:
>>
>>
>>
>>>
>>>
>>that is true, you can only give it a login and a *plain text* password,
>>then, pam checks for its validity, so, you cannot do digests auth. I
>>maintain the pam-pgsql freebsd port, and I can tell you that I've been
>>debugging it enough to know that :)
>>
>>
>
>How does libpam-opie and openssh manage to do challenge-response auth
>through the PAM layer, then?
>
>
>
Pam has a "conversation" callback that it makes requests through, such as
password or challenge/response requests (this is what libpam-opie uses).
This mechanism normally has text to display to the user and gets
back the information the user types in.
It could be abused to pass back the plaintext password, but all of the
applications that used it would have to be programmed to know about this
abuse and it's just not a nice use of that interface mechanism. You
could also use it as a sneaky way to provide uid, gid, home directory,
and shell information to the app (which pam currently doesn't seem to
have a mechanism for, unless the setcred could do something like this),
but it all happens before authentication has given a success/fail.