[Dovecot] checkpassword protocol

Timo Sirainen tss at iki.fi
Mon Apr 8 00:32:52 EEST 2013


On 7.4.2013, at 14.30, dovecot.pkoch at dfgh.net wrote:

> I'm writing a checkpassword script in order to support our OTP token
> as a fallback for client certificate authentication. Here are two
> questions:
> 
> 1) It seems to me that the username and the password will be
> delivered to my script both on file descriptor 3 and via the
> environment variables AUTH_USER and AUTH_PASSWORD.
> May I ignore file descriptor 3 and use the environment variables
> or may it happen that these variables will have different content
> from what is sent via fd 3?

Hmm. The AUTH_PASSWORD wasn't really an intentional addition .. but I guess it can stay there. Some 10 years ago that might not have been such a good idea since there were still some systems where process environment variables were readable to all users in the system, but I doubt there exist such systems anymore (at least where people would want to run Dovecot).

> 2) There seems to be some undocumented interaction between
> dovecot and my script via file descriptor 4. Seems that whatever
> I write to fd 4 will show up in syslog (unless it contains newlines).
> Can I use this "feature" to send error messages from my script
> to dovecot? What data does dovecot expect on fd 4?

I'm not sure why that happens instead of a complete failure .. but you shouldn't be doing that. If you write to fd 2, it should also go to syslog, right? (If it doesn't, it's a bug.)
