[Dovecot] Different classes of user
tss at iki.fi
Wed Feb 14 19:52:31 UTC 2007
On Wed, 2007-02-14 at 19:17 +0000, John Robinson wrote:
> I propose to amend the syntax of the PAM service name in dovecot.conf,
> and allow a placeholder character at the end of it (probably ?). At
> runtime, if it's there, I'll either remove it or change it to an 's',
> varying the service name supplied by dovecot to PAM depending on whether
> the current connection uses TLS/SSL.

I think I'll add the %c variable and then allow the PAM service name to
contain %variables. So you can then use e.g. "dovecot%c" as the service
name and it expands to "dovecot" / "dovecotsecure" or something.

> I'm not much of a C programmer, in fact I'm rusty at programming at all,
> but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to
> find out whether the current connection is using TLS/SSL? Hopefully this
> will end up being a 5-line patch and I won't introduce any horrific
> security hole.

Hmm. Actually it looks like dovecot-auth doesn't store that information
anywhere. I think what you need is:

In auth_request_import() check if key contains "secured". If it does,
it's SSL/TLS. Add such a bitfield to struct auth_request. Then use it in
the PAM code.
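The approach outlined in the reply above, as an added C sketch that is not part of the original message and is not Dovecot's code: a "secured" key sets a bitfield on the request, and %c in the PAM service name expands according to that bit. The names `demo_auth_request`, `demo_request_import` and `demo_expand_service`, the exact-match test on the key, and the "secure" suffix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct auth_request: only the new bitfield. */
struct demo_auth_request { unsigned int secured:1; };

/* Models the import step: set the bitfield when the key is "secured". */
static void demo_request_import(struct demo_auth_request *req, const char *key)
{
    if (strcmp(key, "secured") == 0)
        req->secured = 1;
}

/* Expand %c in a PAM service name. Returns 0, or -1 on an unknown %variable
   or a result that does not fit: a cut-off name could pick another service. */
static int demo_expand_service(const struct demo_auth_request *req,
                               const char *tmpl, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;
        size_t len = 1;
        if (*p == '%') {
            if (*++p != 'c')
                return -1;
            piece = req->secured ? "secure" : ""; /* suffix is an assumption */
            len = strlen(piece);
        }
        if (n + len >= outlen)
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    if (n >= outlen)
        return -1;
    out[n] = '\0';
    return 0;
}

int main(void)
{
    struct demo_auth_request req = { 0 };
    char service[32];
    demo_request_import(&req, "secured");
    if (demo_expand_service(&req, "dovecot%c", service, sizeof(service)) == 0)
        puts(service);
    return 0;
}
```

The expansion fails closed: with a too-small buffer it returns an error rather than handing PAM a shortened name such as "dovecot", which would select the policy meant for unencrypted connections.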