On 14/07/10 09:38 -0400, omalleys@xxxxxxx wrote:
> What you are saying is absolutely correct, and it is entirely possible to do.
> It should be included in the distribution.
> The -correct- way to do this would be to write a sasl pam module. :) however...
> If SASL_IPREMOTEPORT actually gets set by the application, it is
> callback to the application through the sasl2 library. I.e. the data is
> not actually passed to the sasl library when the authentication process
> starts. It is grabbed at a later point in time if needed.
> The sasl2 library sends a data string to saslauthd to do the authentication.
> As stated before the string that gets sent only contains 4 values and
> there is no interface for the callback to get the data.
> The other issue which I am not sure if it has been resolved or not, is
> in the definition of PAM_RHOST. Last I checked (a long while ago) it
> wasn't specified as to whether it should be an IP# or a hostname.
> I -believe- the SASL_IPREMOTEPORT data doesn't actually get sent to
> saslauthd for performance reasons. If you do a hostname lookup on the
> data, it tends to slow things down. I believe it is also one of the
> original reasons why the 4 arguments weren't hardcoded like they are
> now.
Also, the reason that environment variables are not seen by PAM is because
saslauthd runs in a separate process, and all authentication from calling
applications is performed by communicating to it over a unix socket.
--
Dan White
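The four-value request string discussed in this thread, as an added illustration that is not part of the original messages or of the Cyrus SASL code: a saslauthd request is four fields (login, password, service, realm), each sent as a 16-bit big-endian length followed by its bytes, and saslauthd answers with one length-prefixed string starting with "OK" or "NO". Encoding and parsing the request this way makes it obvious that the remote IP/port from SASL_IPREMOTEPORT simply has no slot in the message, which is why PAM on the saslauthd side cannot see it. The function names, the sample credentials and the socket path are constructed for the example; only the on-wire layout reflects the real protocol.

```python
"""Encode and decode the saslauthd request/response framing (added example)."""
import socket
import struct

# Conventional mux socket location; treat as an assumption for your platform.
SASLAUTHD_SOCKET = "/var/run/saslauthd/mux"
FIELD_NAMES = ("login", "password", "service", "realm")


def encode_field(value: bytes) -> bytes:
    """One field: 2-byte big-endian length, then the raw bytes."""
    if len(value) > 0xFFFF:
        raise ValueError("field exceeds 16-bit length prefix")
    return struct.pack(">H", len(value)) + value


def build_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Build the 4-field request. Note: no remote host/IP field exists here."""
    return b"".join(encode_field(v.encode("utf-8"))
                    for v in (login, password, service, realm))


def parse_request(data: bytes) -> dict:
    """Parse a request back into its four named fields, checking framing."""
    fields, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated field body")
        fields.append(data[off:off + n].decode("utf-8"))
        off += n
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def parse_response(data: bytes) -> tuple:
    """Response is a single length-prefixed string: 'OK ...' or 'NO ...'."""
    if len(data) < 2:
        raise ValueError("truncated response")
    (n,) = struct.unpack_from(">H", data, 0)
    body = data[2:2 + n].decode("utf-8", errors="replace")
    return body.startswith("OK"), body


def authenticate(login: str, password: str, service: str,
                 realm: str = "", path: str = SASLAUTHD_SOCKET) -> tuple:
    """Send one request over the unix socket and parse the reply (needs a live saslauthd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(login, password, service, realm))
        return parse_response(s.recv(4096))


if __name__ == "__main__":
    # Constructed sample values; nothing is sent anywhere in this offline demo.
    req = build_request("alice", "s3cret", "imap")
    print(req.hex())
    print(parse_request(req))
    print(parse_response(b"\x00\x02OK"))
```

Offline, the block only round-trips the framing; `authenticate` is included to show where the bytes would go and is the one function that needs a running saslauthd. The absence of any remote-address key in `parse_request`'s output is the point: if a PAM module behind saslauthd needs PAM_RHOST, the information has to come from somewhere other than this message.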