On 9.5.2004, at 00:38, jan@weitan.org wrote:
> I would appreciate this feature as well, because I am using Postfix relaying with permit_tls_clientcerts and it just checks the fingerprints of the certs. I find it far more convenient than using something like PAM and authorising with user accounts. Postfix can use this feature also in combination with normal SASL methods.
I've been thinking about doing this lately as well. Shouldn't really be much of a job. Just tell OpenSSL library to require a valid client certificate. Optionally also force the cert's common name to be client's login name.
I think it would still be a good idea to use passwords as well. Wasn't the one OpenSSL hole a year ago exploitable only with servers requiring client certificates?
Maybe the passwordless authentication would work just by keeping password fields empty in password database? Or maybe I'll just create a new "nocheck" passdb. EXTERNAL SASL mechanism would also be useful for this.
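As an added illustration of the scheme sketched in the reply above (make OpenSSL require a valid client certificate, tie the certificate's CN to the login name, and, as Postfix's permit_tls_clientcerts does, accept only known certificate fingerprints), here is a self-contained Python script. It is example code written for this page, not code from this thread, from the project under discussion, or from Postfix. It assumes the `openssl` command-line tool is installed to mint a throwaway CA and certificates; the names (alice, carol, mail.example), the loopback port and the fingerprint allowlist are made up for the demonstration.

```python
"""Added example (not the thread's or the project's code): a TLS server that
makes OpenSSL require a client certificate signed by a private CA, then
authorises the session by (1) requiring the cert's CN to equal the claimed
login name and (2) checking the cert's SHA-256 fingerprint against an
allowlist, the way Postfix's permit_tls_clientcerts does.
Assumes the `openssl` CLI is installed; all names are made up."""
import hashlib, os, shutil, socket, ssl, subprocess, tempfile, threading

HAVE_OPENSSL = shutil.which("openssl") is not None

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def self_signed(d, name, cn):
    """Self-signed cert: used for the CA, and for a rogue cert nobody vouches for."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + cn, "-keyout", key, "-out", crt)
    return crt, key

def issue(d, cn, ca_crt, ca_key):
    """Key + CSR for `cn`, signed by the CA: the only certs the server accepts."""
    key, csr, crt = (os.path.join(d, cn + ext) for ext in (".key", ".csr", ".crt"))
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + cn,
             "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "1", "-out", crt)
    return crt, key

def fingerprint(der):
    """Colon-separated SHA-256 digest of the DER cert, the form an allowlist stores."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def common_name(cert):
    """CN from the dict that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(cert, der, login, allowlist):
    """Policy applied after OpenSSL has already verified the chain."""
    cn, fp = common_name(cert), fingerprint(der)
    if cn != login:
        return f"DENY cn-mismatch cert={cn} login={login}"
    if fp not in allowlist:
        return f"DENY unknown-fingerprint {fp}"
    return f"OK {login}"

def serve(srv, ctx, allowlist, n):
    for _ in range(n):
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:  # the handshake itself verifies the client cert (CERT_REQUIRED)
            with ctx.wrap_socket(conn, server_side=True) as tls:
                login = tls.recv(64).decode().strip()
                verdict = authorize(tls.getpeercert(), tls.getpeercert(True), login, allowlist)
                tls.sendall(verdict.encode())
        except OSError:
            conn.close()  # rejected by OpenSSL before any login was read

def client_attempt(port, ca_crt, crt, key, login):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED by default
    ctx.check_hostname = False  # throwaway localhost server cert; the chain is still verified
    ctx.load_verify_locations(ca_crt)
    ctx.load_cert_chain(crt, key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw) as tls:
            tls.sendall(login.encode() + b"\n")
            return tls.recv(256).decode().strip() or "TLS rejected"
    except OSError:
        return "TLS rejected"

def run_demo():
    """Four constructed sessions: good cert, CN/login mismatch, unlisted cert, wrong issuer."""
    with tempfile.TemporaryDirectory() as d:
        ca_crt, ca_key = self_signed(d, "ca", "Example Mail CA")
        srv_crt, srv_key = issue(d, "mail.example", ca_crt, ca_key)
        alice_crt, alice_key = issue(d, "alice", ca_crt, ca_key)
        carol_crt, carol_key = issue(d, "carol", ca_crt, ca_key)  # valid but not allowlisted
        rogue_crt, rogue_key = self_signed(d, "rogue", "alice")   # right CN, wrong issuer
        with open(alice_crt) as f:
            allowlist = {fingerprint(ssl.PEM_cert_to_DER_cert(f.read()))}
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(srv_crt, srv_key)
        ctx.load_verify_locations(ca_crt)
        ctx.verify_mode = ssl.CERT_REQUIRED  # "tell OpenSSL to require a valid client certificate"
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0)); srv.listen(); srv.settimeout(10)
        port = srv.getsockname()[1]
        t = threading.Thread(target=serve, args=(srv, ctx, allowlist, 4), daemon=True)
        t.start()
        results = {
            "alice": client_attempt(port, ca_crt, alice_crt, alice_key, "alice"),
            "alice_as_bob": client_attempt(port, ca_crt, alice_crt, alice_key, "bob"),
            "carol": client_attempt(port, ca_crt, carol_crt, carol_key, "carol"),
            "rogue": client_attempt(port, ca_crt, rogue_crt, rogue_key, "alice"),
        }
        t.join(); srv.close()
        return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:13}{verdict}")
```

The rogue certificate carries the right CN but is not signed by the CA, so OpenSSL refuses it during the handshake and the application code never sees a login for it; carol's certificate is valid but absent from the allowlist, which is the fingerprint check Postfix applies; the CN check is what ties the certificate to a specific login name. The contexts here deliberately use plain `ssl.SSLContext` rather than `create_default_context`, because newer Python versions enable OpenSSL's strict X.509 checks there and the throwaway certificates minted above carry no key-usage extensions.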
> Using OpenSSL for authentication brings in tons more code that has to be relied on. Is your port 22 closed, or does it not rely on the OpenSSL lib?
Closed except from a few IPs :)