[Dovecot] Different classes of user
John Robinson
john.robinson at anonymous.org.uk
Wed Feb 14 19:17:53 UTC 2007
On 14/02/2007 18:39, Timo Sirainen wrote:
> On Wed, 2007-02-14 at 18:27 +0000, John Robinson wrote:
[...]
>> I'm sure I can't be the only person in the world who'd like to be
>> able
>> to handle with/without TLS differently. In fact, this might be of
>> interest to almost anyone with both system and virtual users. Timo?
>
> There was a patch to add '%c' variable to dovecot-auth which would say
> "TLS" or "SSL" or "". Or something like that. However that couldn't be
> passed to PAM.
>
> Yea, maybe the disable_plaintext_auth setting could be added inside
> passdbs. But not before v1.0, so you'll need to figure out another way
> to do this.
Right, I'm going to have to fudge it myself.
I propose to amend the syntax of the PAM service name in dovecot.conf,
and allow a placeholder character at the end of it (probably ?). At
runtime, if it's there, I'll either remove it or change it to an 's',
varying the service name supplied by dovecot to PAM depending on whether
the current connection uses TLS/SSL.
I'm not much of a C programmer, in fact I'm rusty at programming at all,
but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to
find out whether the current connection is using TLS/SSL? Hopefully this
will end up being a 5-line patch and I won't introduce any horrific
security hole.
Cheers,
John.
More information about the dovecot
mailing list