18 Mar 2015, 1:47 a.m.
On 25 Feb 2015, at 20:59, Peter Mogensen apm@one.com wrote:
So, why not just extend the support for proxy authentication forwarding to any single-handshake SASL-IR mechanism which doesn't use channel binding? (Which includes PLAIN, but also GS2-KRB5, and possibly others.)
Yeah, I guess it would work for several of the auth mechanisms. It's a lot of work though and requires some larger changes to how authentication works. I don't currently see it being worth the effort, but I wouldn't mind if somebody else implements it. I guess the parts would be:
- Some flag to auth mechanisms that allow proxying based on their initial SASL response.
- A new auth setting to enable auth proxying for mechanisms that support it.
- If auth proxying is enabled, perform passdb lookup on non-plaintext auth on the initial SASL response. Return "finished" to the auth client with some "mech-proxy=y" extra field, so it knows to start proxying the SASL session to the destination server.
- Implementation of the above for all the mechanisms that support it.
- login-common to support sending the same initial response to the target server and proxying the rest of the authentication. (Possibly somehow integrate this with Dovecot's lib-sasl, but not sure if this is needed/useful.)
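The decision the first three bullets sketch, as an added Python example that is not Dovecot's code: given the mechanism name and the client's initial SASL response, decide whether the mechanism is single-handshake and the response is free of channel binding (so it could be forwarded verbatim), and pull out whatever identity is visible for the passdb lookup. The PLAIN and GS2 wire formats follow RFC 4616 and RFC 5801; the mechanism table, the ProxyDecision type and the helper names are assumptions made here.

```python
# Added example, not Dovecot code: decide from a SASL-IR initial response whether
# the mechanism could be proxied unchanged (single-handshake, not channel-bound).
# Wire formats follow RFC 4616 (PLAIN) and RFC 5801 (GS2); names are assumptions.
from dataclasses import dataclass
from typing import Optional

SINGLE_HANDSHAKE = {"PLAIN", "GS2-KRB5"}  # assumed to finish in the first message

@dataclass
class ProxyDecision:
    proxyable: bool
    reason: str
    authzid: Optional[str] = None  # requested identity, if the client sent one
    authcid: Optional[str] = None  # identity for the passdb lookup, if visible

def parse_plain(resp: bytes) -> ProxyDecision:
    # RFC 4616: [authzid] NUL authcid NUL passwd
    parts = resp.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        return ProxyDecision(False, "malformed PLAIN response")
    return ProxyDecision(True, "PLAIN carries no channel binding",
                         authzid=parts[0].decode() or None, authcid=parts[1].decode())

def parse_gs2(resp: bytes) -> ProxyDecision:
    # RFC 5801 gs2-header: ["F,"] cb-flag "," ["a=" authzid] "," then the GSS token.
    if resp.startswith(b"F,"):
        resp = resp[2:]
    try:
        cb_flag, authz, _token = resp.split(b",", 2)
    except ValueError:
        return ProxyDecision(False, "malformed GS2 header")
    if cb_flag.startswith(b"p="):
        # Token is bound to this TLS session; a proxy cannot replay it elsewhere.
        return ProxyDecision(False, "channel binding %s in use" % cb_flag[2:].decode())
    if cb_flag not in (b"n", b"y"):
        return ProxyDecision(False, "unknown gs2-cb-flag")
    authzid = None
    if authz.startswith(b"a="):
        authzid = authz[2:].replace(b"=2C", b",").replace(b"=3D", b"=").decode()
    # The authenticating principal is inside the Kerberos token; only the
    # destination can verify it, so the lookup here can key on authzid at best.
    return ProxyDecision(True, "GS2 without channel binding", authzid=authzid)

def proxy_decision(mech: str, initial_response: bytes) -> ProxyDecision:
    mech = mech.upper()
    if mech.endswith("-PLUS"):
        return ProxyDecision(False, "-PLUS variants always use channel binding")
    if mech not in SINGLE_HANDSHAKE:
        return ProxyDecision(False, mech + " is not single-handshake")
    return parse_plain(initial_response) if mech == "PLAIN" else parse_gs2(initial_response)
```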