[Dovecot] SSL Certificates

Timo Sirainen tss at iki.fi
Thu Aug 7 23:35:52 EEST 2008


On Aug 7, 2008, at 5:33 PM, Stephen Feyrer wrote:

> Timo Sirainen wrote:
>> On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:
>>> Hi anyone.
>>>
>>> Can dovecot be configured to authenticate users using only SSL  
>>> certificates and not ask for a password?
>>>
>>> So far I've got it taking the username from the common name of the  
>>> certificate, but I'd like it to use the certificate in place of the  
>>> password.
>>>
>>> Is this possible and how?
>> If you're that far, then you're already authenticating the user  
>> against the certificate. Or assuming you have  
>> ssl_require_client_cert=yes. Then just create a passdb that accepts  
>> any password as valid for the user (nopassword=yes extra field).
>> In theory there's also this EXTERNAL SASL mechanism that could be  
>> used to log in without user/pass, but Dovecot doesn't currently  
>> support that and I'm not aware of any clients supporting it either.
>
> Hi Timo.
>
> I am authenticating users against the certificate as you say and do  
> have ssl_require_client_cert=yes.
>
> I'm using PAM to authenticate against my user database at the  
> moment. I'm still baffled... :)

If you only want to allow users to log in with certificates, then just  
change the PAM configuration file to be something like (not tested,  
and my PAM knowledge isn't too good):

auth    required        pam_allow.so

Although it would be nice to be able to verify that the user still  
exists, but you could do that with certificate revocation lists also..
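As an added illustration of the passdb approach Timo describes earlier in the thread (not a configuration from the thread itself, and not Dovecot's own documentation), this is a Dovecot config fragment that requires a verified client certificate, takes the username from the certificate's CN, and uses a passdb that checks no password. The setting names are the Dovecot 2.x spellings (`auth_ssl_require_client_cert`, `auth_ssl_username_from_cert`); the thread's `ssl_require_client_cert` is the older 1.x name. The file paths are placeholders, and the use of the `static` passdb driver with `nopassword=y` is assumed to be equivalent to the `nopassword` extra field mentioned above.

```conf
# Added example, not from the thread. Dovecot 2.x settings for logging in
# with a client certificate instead of a password. Paths are placeholders.

ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key

# Request a client certificate and verify it against the CA that issued the
# user certificates. To honour revocations, append the CA's CRL to this file
# (assumed: Dovecot reads CA certificates and CRLs from the same file).
ssl_verify_client_cert = yes
ssl_ca = </etc/dovecot/client-ca-with-crl.pem

# Refuse the login unless a valid client certificate was presented, and take
# the username from the certificate's CN rather than from the SASL exchange.
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

# The passdb now only answers "may this user log in"; it must not check a
# password. Assumed: the static driver with nopassword=y behaves like the
# nopassword extra field. Without the two auth_ssl_* settings above, this
# passdb alone would accept any username with any password.
passdb {
  driver = static
  args = nopassword=y
}

# The userdb lookup is what still ties the login to an existing account:
# if the system user has been deleted, this lookup fails and so does the login.
userdb {
  driver = passwd
}
```

Check the result with `doveconf -n` and then attempt a login with a certificate that is not signed by the configured CA; it must be rejected before any passdb lookup happens, otherwise the `nopassword` passdb is doing the accepting on its own.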