On 17.5.2004, at 13:11, Johannes Berg wrote:
> Looking at the code I see that you support Cyrus SASL, and Cyrus SASL in turn supports OTP, even using the same database as OPIE uses. Would there be any disadvantage in simply using that?
Personally I have never liked Cyrus SASL. It's always been annoyingly difficult to configure to work like I wanted.
The code there to support it isn't actually working right now, but I guess it wouldn't be too difficult to fix it.
I guess there aren't any real disadvantages though.
> Alternatively, what about just libopie (the library behind opie-pam)?

That doesn't look like very good code. Looks like if it was possible for a user to set the wanted seed there would be several buffer overflows. But I guess normally it's not?

> Overall, it's not hard to implement this in Dovecot itself, but I'm not sure that would be the best idea. What is your opinion on that?
The reason why I implemented my own authentication instead of just using Cyrus SASL was that I wanted to be sure there were not going to be any serious security holes. I could have just audited the code, made sure the found security holes were fixed (actually did both once), and then just used it. But that doesn't give any guarantees about its future versions; I'd have to constantly keep auditing the new versions to make sure they hadn't added more bugs.

Anyway, its OTP code didn't look bad. That would be the easiest way to get it working.
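For reference, here is what the OTP scheme under discussion (RFC 2289, the one OPIE and the Cyrus SASL OTP mechanism implement) amounts to on the server side, with the seed and response length checks that the thread worries about. This is an added, self-contained example, not code from Dovecot, libopie or Cyrus SASL; the sample passphrase and seed are the MD5 test vector published in RFC 2289.

```python
import hashlib
import hmac
import re

# RFC 2289 limits: seed is 1..16 alphanumeric characters, passphrase 10..63 characters.
# Validating these before any hashing is what prevents a user-chosen seed from
# reaching a fixed-size buffer unchecked (the libopie concern raised above).
SEED_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """RFC 2289 one-time password (MD5 variant) for the given sequence number."""
    if not SEED_RE.match(seed):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 10-63 characters")
    if sequence < 0:
        raise ValueError("sequence must be non-negative")
    # The seed is case-insensitive, so it is lowercased before concatenation.
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def verify_response(stored: bytes, response: bytes) -> bool:
    """Server check: hashing the client's response once must give the stored value.

    The server keeps only the last accepted OTP (sequence n); the client sends the
    OTP for n-1, which the server can verify without knowing the passphrase.
    """
    if len(response) != 8 or len(stored) != 8:   # reject anything not exactly one OTP
        return False
    return hmac.compare_digest(fold_md5(response), stored)


def demo() -> bool:
    # Constructed round trip using the RFC 2289 test vector ("This is a test.", "TeSt").
    passphrase, seed = "This is a test.", "TeSt"
    stored = otp_md5(passphrase, seed, 1)     # last value the server recorded
    response = otp_md5(passphrase, seed, 0)   # what the client presents next
    return verify_response(stored, response) and not verify_response(stored, response[:7])
```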