On Wed, 2007-02-14 at 19:17 +0000, John Robinson wrote:
> I propose to amend the syntax of the PAM service name in dovecot.conf, and allow a placeholder character at the end of it (probably ?). At runtime, if it's there, I'll either remove it or change it to an 's', varying the service name supplied by dovecot to PAM depending on whether the current connection uses TLS/SSL.

I think I'll add the %c variable and then allow the PAM service name to contain %variables. So you can then use eg. "dovecot%c" as the service name and it expands to "dovecot" / "dovecotsecure" or something.

> I'm not much of a C programmer, in fact I'm rusty at programming at all, but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to find out whether the current connection is using TLS/SSL? Hopefully this will end up being a 5-line patch and I won't introduce any horrific security hole.
Hmm. Actually it looks like dovecot-auth doesn't store that information anywhere. I think what you need is:
In auth_request_import() check if key contains "secured". If it does, it's SSL/TLS. Add such a bitfield to struct auth_request. Then use it in the PAM code.
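The two steps sketched in the reply above, as an added example that is not part of the thread and not Dovecot's own code: a `secured` bit on `struct auth_request` that `auth_request_import()` sets when the imported key is `secured`, and a `%c` expansion that turns a template such as `dovecot%c` into `dovecot` for a plaintext connection or `dovecotsecure` for TLS/SSL. The struct layout, the import function's signature and the `pam_service_expand()` helper are assumptions made for illustration; they do not reflect the real Dovecot sources.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical sketch modelled on the thread, not Dovecot's real struct:
   the only new member is the "secured" bit, set when the connection that
   carried the authentication request used TLS/SSL. */
struct auth_request {
	const char *user;
	unsigned int secured:1;
};

/* Import one "key" / "key=value" item into the request (assumed signature).
   Returns true if the key was recognised. Unknown keys are ignored, and the
   bit stays 0 unless the "secured" key is actually present, so a missing or
   unknown key can never make a plaintext connection look secured. */
bool auth_request_import(struct auth_request *request,
			 const char *key, const char *value)
{
	if (strcmp(key, "user") == 0) {
		request->user = value;
		return true;
	}
	if (strcmp(key, "secured") == 0) {
		request->secured = 1;
		return true;
	}
	return false;
}

/* Expand %c in the configured PAM service name: "" for a plaintext
   connection, "secure" for TLS/SSL, so "dovecot%c" becomes "dovecot" or
   "dovecotsecure". "%%" yields a literal '%'. Writes at most dest_size-1
   characters plus the terminator; returns false on truncation or an
   unsupported %-escape instead of handing PAM a mangled service name. */
bool pam_service_expand(const struct auth_request *request,
			const char *service_template,
			char *dest, size_t dest_size)
{
	const char *suffix = request->secured ? "secure" : "";
	size_t pos = 0;
	const char *p;

	if (dest_size == 0)
		return false;

	for (p = service_template; *p != '\0'; p++) {
		if (*p == '%') {
			p++;
			if (*p == 'c') {
				size_t n = strlen(suffix);
				if (pos + n >= dest_size)
					return false;
				memcpy(dest + pos, suffix, n);
				pos += n;
				continue;
			}
			if (*p != '%')
				return false; /* only %c and %% in this sketch */
		}
		if (pos + 1 >= dest_size)
			return false;
		dest[pos++] = *p;
	}
	dest[pos] = '\0';
	return true;
}
```

The expansion deliberately fails closed: an unknown escape or an over-long result is reported as an error rather than silently producing a different service name, and the default (no `secured` key seen) always selects the plaintext service, so the stricter PAM policy is only chosen when the secured bit was explicitly set.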