Subject: Re: [courier-users] Re: Question about Courier and AFS
From: John Rudd (jru@ucsc.edu)
Date: Feb 2, 2003 1:56:48 pm
List: net.sourceforge.lists.courier-users

On Sunday, Feb 2, 2003, at 12:52 US/Pacific, Sam Varshavchik wrote:

John Rudd writes:

This is not an application. This is a system-level daemon, which needs to both drop root, and gain root in certain, well-defined instances.

I was using application in a generic sense, in that it is a user-space program.

It is not a completely transitory program either. Parts of it are transitory, other parts of it are not.

You can deal with token refreshing for that, too. It's more tricky, but it can be done.

Ok, what if I wanted to: a) put user information in LDAP (or, really, in anything other than the passwd file), but the password field will be something like "*REJECT*" (which, for the Unix crypt field, will never match an incoming password) (either the data would be public, and thus courier wouldn't have to do anything special in order to bind to get the record, or courier would bind using its own authentication information, and that authentication identity would have access for reading those records) b) have passwords in some thing that is reachable via PAM (kerberos, radius, etc.)

No.

Furthermore: once again, whatever validates CRAM-MD5 or CRAM-SHA1 passwords must have access to plain text passwords. This theoretical configuration still does not eliminate the need for the server to have the actual plaintext password, in order to calculate the HMAC keys.

In this scenario, I wasn't saying anything about using CRAM-MD5 or CRAM-SHA1 passwords (sorry if that wasn't clear). Or is that a requirement for courier? If so, how do you use /etc/passwd passwords on systems that are using DES/crypt based passwords?

So, I'd want courier to do authentication via PAM, and PAM only ... and then get the user information stuff from whatever repository is being used for item a. How hard would it be to make courier do that? Hopefully, I could do it without having to modify any source code?

Nope. You'll need to write code.

Does that mean that if I use PAM for authentication, I have to use /etc/passwd for the user information? Will PAM work with any other information mechanisms?
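Sam's point above (CRAM-MD5 validation needs the plaintext password as the HMAC key) and John's follow-up question (how crypt-based /etc/passwd passwords fit in) can be seen side by side in the following Python example. It is added here for illustration and is not part of this thread, nor Courier's own authentication code. It assumes a constructed user store, a placeholder hostname in the challenge, and a salted SHA-256 hash standing in for a crypt(3)-style one-way password field.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for this example only.
PLAINTEXT_STORE = {"alice": "correct horse battery"}


def _one_way_hash(password, salt):
    # Stand-in for a crypt(3)-style field: the store keeps H(salt || password),
    # never the password itself.
    return hashlib.sha256(salt + password.encode()).hexdigest()


_SALT = b"constructed-salt"
HASHED_STORE = {"alice": (_SALT, _one_way_hash("correct horse battery", _SALT))}


def make_challenge(hostname="mail.example.invalid"):
    # RFC 2195 challenge of the form <unique.timestamp@host>; hostname is a placeholder.
    nonce = int.from_bytes(os.urandom(4), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), hostname)


def client_response(username, password, challenge):
    # Client side of CRAM-MD5: the password is the HMAC key, the challenge the message.
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def verify_cram_md5(response, challenge, plaintext_store):
    # Server side: recomputing the HMAC requires the password itself as the key,
    # which is why the authenticating component must hold plaintext passwords.
    username, _, digest = response.partition(" ")
    password = plaintext_store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_cram_md5_from_hash(response, challenge, hashed_store):
    # The same check against a one-way hashed store cannot be performed: the
    # server holds only H(password) and cannot recover the HMAC key from it.
    username, _, _ = response.partition(" ")
    if username not in hashed_store:
        return False
    raise NotImplementedError("CRAM-MD5 cannot be validated from a one-way password hash")


def verify_plain_login(username, password, hashed_store):
    # What a crypt-based /etc/passwd or a PAM module can do: the client sends the
    # password itself (LOGIN/PLAIN, ideally over TLS), and the server hashes it
    # and compares against the stored one-way hash.
    entry = hashed_store.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_one_way_hash(password, salt), stored)


if __name__ == "__main__":
    challenge = make_challenge()
    response = client_response("alice", "correct horse battery", challenge)
    print("CRAM-MD5 vs plaintext store:", verify_cram_md5(response, challenge, PLAINTEXT_STORE))
    print("PLAIN login vs hashed store:", verify_plain_login("alice", "correct horse battery", HASHED_STORE))
    try:
        verify_cram_md5_from_hash(response, challenge, HASHED_STORE)
    except NotImplementedError as exc:
        print("CRAM-MD5 vs hashed store:", exc)
```

The design choice this makes visible is the one the thread turns on: a challenge-response mechanism like CRAM-MD5 protects the password on the wire but forces the server to store it in recoverable form, while a one-way hashed store (crypt-style /etc/passwd, most PAM backends) protects the store but requires the password to be sent in the clear, so TLS on the session becomes the compensating control.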