On Jun 30, 2009, at 12:39 PM, Adam Megacz wrote:
In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendents).
Is it possible to authenticate first in one process and then do pam_setcred() in another?
Only if one process is a parent of the other (or a parent of a parent, etc). Or if they have a common parent which is unique to the connection (i.e. their common parent is not the parent of any other auth processes or connection-handling processes).
Doesn't sound doable then. Maybe reimplement the pam_* modules as
Dovecot modules :)
When dovecot is used in the mode where it forks a new authentication process for every connection, is the authentication process a child of the process which handles the rest of the connection, or vice versa? Or neither?
Neither. Only dovecot master process forks new processes. Being able
to do authentication from login processes would pretty much destroy
Dovecot's whole security model.