On 14/02/2007 18:39, Timo Sirainen wrote:
> On Wed, 2007-02-14 at 18:27 +0000, John Robinson wrote:
> [...]
>> I'm sure I can't be the only person in the world who'd like to be able to handle with/without TLS differently. In fact, this might be of interest to almost anyone with both system and virtual users. Timo?
>
> There was a patch to add '%c' variable to dovecot-auth which would say "TLS" or "SSL" or "". Or something like that. However that couldn't be passed to PAM.
>
> Yea, maybe the disable_plaintext_auth setting could be added inside passdbs. But not before v1.0, so you'll need to figure out another way to do this.
Right, I'm going to have to fudge it myself.
I propose to amend the syntax of the PAM service name in dovecot.conf, and allow a placeholder character at the end of it (probably ?). At runtime, if it's there, I'll either remove it or change it to an 's', varying the service name supplied by dovecot to PAM depending on whether the current connection uses TLS/SSL.
I'm not much of a C programmer, in fact I'm rusty at programming at all, but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to find out whether the current connection is using TLS/SSL? Hopefully this will end up being a 5-line patch and I won't introduce any horrific security hole.
Cheers,
John.
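The service-name rewrite John proposes above, written out as a stand-alone C helper. This is an added example, not code from the thread and not Dovecot's passdb-pam.c; it assumes the caller already knows whether the connection is secured (how Dovecot exposes that to the PAM passdb is not shown here) and only derives the name that would be handed to pam_start(). A trailing '?' placeholder becomes 's' on a TLS/SSL connection and is dropped otherwise; a configured name without the placeholder is used unchanged. Because the result selects a file under /etc/pam.d, the name is built solely from the administrator-configured string and a boolean, never from anything the client sent, and the helper refuses (rather than truncates) when the result would not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Dovecot's own code).
 * configured: PAM service name from dovecot.conf, e.g. "dovecot?".
 * secured:    true if the current connection uses TLS/SSL.
 * out/outlen: buffer receiving the service name to pass to pam_start().
 * Returns false and writes "" if the result would not fit in out. */
bool pam_service_for_connection(const char *configured, bool secured,
                                char *out, size_t outlen)
{
    size_t len = strlen(configured);
    bool has_placeholder = len > 0 && configured[len - 1] == '?';
    size_t base_len = has_placeholder ? len - 1 : len;
    /* one extra byte for the 's' suffix on secured connections */
    size_t need = base_len + ((has_placeholder && secured) ? 1 : 0);

    if (outlen == 0)
        return false;
    if (need + 1 > outlen) {          /* +1 for the terminating NUL */
        out[0] = '\0';
        return false;
    }

    memcpy(out, configured, base_len);
    if (has_placeholder && secured)
        out[base_len++] = 's';
    out[base_len] = '\0';
    return true;
}

int main(void)
{
    /* constructed inputs: the configured name with and without TLS */
    char name[64];
    const char *configured = "dovecot?";

    if (pam_service_for_connection(configured, true, name, sizeof name))
        printf("TLS connection    -> /etc/pam.d/%s\n", name);
    if (pam_service_for_connection(configured, false, name, sizeof name))
        printf("plain connection  -> /etc/pam.d/%s\n", name);
    return 0;
}
```

With `pam = dovecot?` this yields the PAM services `dovecots` (TLS/SSL) and `dovecot` (plaintext), so the two policies live in two ordinary files under /etc/pam.d; a configured name with no '?' keeps today's behaviour, which is what makes the change safe to apply to existing configurations.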