Re: PAM authentication - Remote host



On 14/07/10 09:38 -0400, omalleys@xxxxxxx wrote:
What you are saying is absolutely correct, and it is entirely possible to do.
It should be included in the distribution.

The -correct- way to do this would be to write a sasl pam module. :) however..

If SASL_IPREMOTEPORT actually gets set by the application, it is a callback to the application through the sasl2 library. IE the data is not actually passed to the sasl library when the authentication process starts. It is grabbed at a later point in time if needed.

The sasl2 library sends a data string to saslauthd to do the authentication.

As stated before the string that gets sent only contains 4 values and there is no interface for the callback to get the data.

The other issue which I am not sure if it has been resolved or not, is in the definition of PAM_RHOST. Last I checked (a long while ago) it wasn't specified as to whether it should be an IP# or a hostname.

I -believe- the SASL_IPREMOTEPORT data doesn't actually get sent to saslauthd for performance reasons. If you do a hostname lookup on the data, it tends to slow things down. I believe it is also one of the original reasons why the 4 arguments weren't hardcoded like they are now.

Also, the reason that environment variables are not seen by PAM is because
saslauthd runs in a separate process, and all authentication from calling
applications is performed by communicating to it over a unix socket.

Dan White
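
An added illustration, not part of the original messages and not code from Cyrus SASL: a sketch of the four-value request that travels over the saslauthd unix socket, showing why a PAM backend has nothing to put in PAM_RHOST. The field names and order (login, password, service, realm) and the 2-byte network-order length prefix are assumptions about the wire format that the thread itself does not spell out; the sample values are constructed.

```python
import struct

# Assumed field order of a saslauthd request (the thread only says "4 values").
FIELDS = ("login", "password", "service", "realm")


def encode_request(login, password, service, realm=""):
    """Build the frame: each value is a 2-byte big-endian length plus bytes."""
    frame = b""
    for value in (login, password, service, realm):
        raw = value.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for a 2-byte length prefix")
        frame += struct.pack("!H", len(raw)) + raw
    return frame


def decode_request(frame):
    """Parse a frame into its fields, rejecting truncated or trailing data."""
    out, offset = {}, 0
    for name in FIELDS:
        if offset + 2 > len(frame):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if offset + length > len(frame):
            raise ValueError(f"truncated inside {name}")
        out[name] = frame[offset:offset + length].decode("utf-8")
        offset += length
    if offset != len(frame):
        # Strictness chosen for this sketch: there is no fifth slot.
        raise ValueError("trailing bytes after the fourth field")
    return out


def pam_items_available(frame):
    """What a PAM backend inside saslauthd can derive from the frame alone."""
    req = decode_request(frame)
    return {
        "PAM_USER": req["login"],
        "PAM_SERVICE": req["service"],
        "PAM_RHOST": None,  # the client's address never crosses the socket
    }


if __name__ == "__main__":
    sample = encode_request("alice", "s3cret", "imap", "example.org")
    print(decode_request(sample))
    print(pam_items_available(sample))
```
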
