[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SASL and PAM



On Mon, Feb 04, 2002 at 09:18:08AM -0500, Arthur Gong - Eipoo Technologies, Inc. wrote:

> Can someone help me to understand how SASL works with PAM or verify my
> understanding?

> I found the following explanation from
> http://www.sendmail.org/~ca/email/cyrus/sysadmin.html

> ...
> The PAM authentication for SASL only affects the plaintext authentication it
> does. It has no effect on the other mechanisms, so it is incorrect to try to
> use PAM to enforce additional restrictions beyond correct password on an
> application that uses SASL for authentication.
> ...

> Does it mean that SASL/PAM only works AUTH=PLAIN? (my understanding: it
> doesn't work with AUTH=LOGIN)

Although PAM is capable of using non-plaintext authentication methods 
through binary prompts, most PAM password-handling modules are 
plaintext-only, and most PAM modules that aren't have corresponding SASL 
mechanisms.  I don't believe anyone has worked out what needs to happen 
in order to do PAM binary prompts through SASL -- you would probably 
still be using AUTH=PLAIN, though, because there's no way for PAM to 
signal to SASL what types of modules are in use.

Steve Langasek
postmodern programmer

Attachment: pgp00001.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []