Timo Sirainen tss@iki.fi writes:
Not easily. PAM lookups are done by dovecot-auth process, which is completely different from the eventual imap/pop3 process.
Yes, I know... I find that most unfortunate. This design creates security problems when the machine where the files are stored does not unconditionally trust the machine running dovecot (as, for example, in NFS).
In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
Is it possible to authenticate first in one process and then do pam_setcred() in another?
Only if one process is a parent of the other (or a parent of a parent, etc.). Or if they have a common parent which is unique to the connection (i.e. their common parent is not the parent of any other auth processes or connection-handling processes).
When dovecot is used in the mode where it forks a new authentication process for every connection, is the authentication process a child of the process which handles the rest of the connection, or vice versa? Or neither?
Thanks,
- a
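The ancestry rule stated in the message above (credentials established by pam_setcred() in one process are only usable by another if one is an ancestor of the other, or if they share an ancestor that is unique to the connection) can be checked mechanically. The following is an added example and not Dovecot code; it reads the pid/ppid tree from /proc on Linux (an assumption about the platform), and the SAMPLE_PPIDS tree, the pids in it, and the notion of a caller-supplied set of "connection-scoped" pids are all constructed for illustration.

```python
"""Check whether PAM credentials set in one process could reach another,
using the ancestry rule from the mailing-list thread.  Added example,
not part of Dovecot.  Assumes a Linux /proc layout; the sample tree at
the bottom is constructed for offline use."""
import os
from typing import Dict, Iterable, List, Optional, Tuple


def read_proc_ppids() -> Dict[int, int]:
    """Build a pid -> ppid map from /proc/<pid>/stat (Linux only)."""
    ppids: Dict[int, int] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited while we were scanning
        # The comm field is parenthesised and may contain spaces; the
        # fields after the last ')' are: state, ppid, pgrp, ...
        rest = stat.rsplit(")", 1)[1].split()
        ppids[int(name)] = int(rest[1])
    return ppids


def ancestors(pid: int, ppids: Dict[int, int]) -> List[int]:
    """Return [pid, parent, grandparent, ...] up to the root (ppid 0)."""
    chain: List[int] = []
    seen = set()
    while pid and pid not in seen:   # seen-set guards against a corrupt map
        seen.add(pid)
        chain.append(pid)
        pid = ppids.get(pid, 0)
    return chain


def is_ancestor(a: int, b: int, ppids: Dict[int, int]) -> bool:
    """True if a is b's parent, grandparent, etc. (a process is not its own ancestor)."""
    return a in ancestors(b, ppids)[1:]


def common_ancestor(a: int, b: int, ppids: Dict[int, int]) -> Optional[int]:
    """Lowest common ancestor of a and b (may be a or b itself), or None."""
    b_chain = set(ancestors(b, ppids))
    for p in ancestors(a, ppids):
        if p in b_chain:
            return p
    return None


def credential_handoff_possible(auth_pid: int, session_pid: int,
                                ppids: Dict[int, int],
                                connection_scoped: Iterable[int]) -> Tuple[bool, str]:
    """Apply the rule: ancestry in either direction, or a common ancestor
    that serves only this one connection.  `connection_scoped` is the set
    of pids the caller knows to be unique to the connection (assumption:
    the caller can identify those, e.g. a per-connection login process)."""
    scoped = set(connection_scoped)
    if is_ancestor(auth_pid, session_pid, ppids):
        return True, "auth process is an ancestor of the session process"
    if is_ancestor(session_pid, auth_pid, ppids):
        return True, "session process is an ancestor of the auth process"
    lca = common_ancestor(auth_pid, session_pid, ppids)
    if lca is not None and lca in scoped:
        return True, f"common ancestor {lca} is unique to this connection"
    return False, "no usable ancestry relationship between the two processes"


# Constructed sample tree (not a real Dovecot layout): 100 is a master,
# 200 a per-connection handler that forked auth child 201, while 300 and
# 400 are siblings (a shared auth daemon and a session process).
SAMPLE_PPIDS = {1: 0, 100: 1, 200: 100, 201: 200, 300: 100, 400: 100}


if __name__ == "__main__":
    tree = read_proc_ppids() if os.path.isdir("/proc") else SAMPLE_PPIDS
    me = os.getpid()
    print("ancestry of this process:", ancestors(me, tree) if me in tree else ancestors(201, SAMPLE_PPIDS))
    print(credential_handoff_possible(201, 200, SAMPLE_PPIDS, set()))
    print(credential_handoff_possible(300, 400, SAMPLE_PPIDS, set()))
    print(credential_handoff_possible(300, 400, SAMPLE_PPIDS, {100}))
```

In the sample tree the per-connection fork (201 under 200) passes, while the two siblings under the master only pass if the caller asserts that the master is unique to the connection, which for a shared master it is not.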