Re: PAM pwcheck method ?


Subject: Re: PAM pwcheck method ?
From: Rob Siemborski (rjs3 at andrew dot cmu dot edu)
Date: Tue May 06 2003 - 12:49:03 EDT


On Tue, 6 May 2003, Etienne Goyer wrote:

> I had been discussing outside the list with Michael Bacon of Duke about
> similar problems he had and he sent me a patch to add PAM as a pwcheck
> method to Cyrus-SASL. The patch applied and compiled without any
> problem. My preliminary tests were satisfying; the performance was
> correct and there was no leak or instability that I could find.

If you are able to use PAM successfully, why not just use PAM via
saslauthd?

Duplicating code in saslauthd and in the library is silly, and there is
no reason to swell the library with code that is at a disadvantage if it
is not within a single (or small number) of processes (think LDAP
connection caching, for example).

Additionally, often times authentication and password verification need
to run at a higher privilege level than the rest of the code, and
isolating it into a separate process is a useful security measure.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
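
Added example, not part of the original message and not Cyrus SASL or saslauthd code: a minimal C sketch of the process isolation described above, where password verification runs in its own process and the caller receives only a one-byte verdict. The function names, the "user\0password" framing (not saslauthd's wire protocol) and the constructed credential standing in for a PAM call are all assumptions; SOCK_SEQPACKET assumes Linux.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample credential; stands in for the PAM call a real verifier makes. */
static int backend_ok(const char *u, const char *p) {
    return strcmp(u, "alice") == 0 && strcmp(p, "correct horse") == 0;
}

/* Verifier process: the only code that touches the backend. Request: "user\0password". */
static void verifier_loop(int fd) {
    char buf[512], verdict; ssize_t n;
    while ((n = recv(fd, buf, sizeof buf - 1, 0)) > 0) {
        buf[n] = '\0';
        size_t ulen = strlen(buf);
        /* No separator or an empty password: fail closed. */
        verdict = (ulen + 1 < (size_t)n) && backend_ok(buf, buf + ulen + 1);
        send(fd, &verdict, 1, 0);
    }
    _exit(0);
}

/* Fork the verifier; returns the caller's end of the socket, or -1. */
int verifier_start(pid_t *pid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0) return -1;
    if ((*pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (*pid == 0) { close(sv[0]); verifier_loop(sv[1]); } /* child never returns */
    close(sv[1]);
    return sv[0];
}

/* Caller side: 1 accepted, 0 rejected, -1 transport error. Only the verdict comes back. */
int verifier_check(int fd, const char *user, const char *pass) {
    char msg[511], verdict;
    size_t ul = strlen(user), pl = strlen(pass);
    if (ul + 1 + pl > sizeof msg) return 0; /* oversize request: fail closed */
    memcpy(msg, user, ul + 1);
    memcpy(msg + ul + 1, pass, pl);
    if (send(fd, msg, ul + 1 + pl, 0) < 0 || recv(fd, &verdict, 1, 0) != 1) return -1;
    return verdict == 1;
}

int check_once(const char *user, const char *pass) { /* start, ask once, reap */
    pid_t pid; int st, r, fd = verifier_start(&pid);
    if (fd < 0) return -1;
    r = verifier_check(fd, user, pass);
    close(fd); /* EOF ends the verifier loop */
    return waitpid(pid, &st, 0) == pid ? r : -1;
}
```

In a deployment the verifier would keep the elevated privileges while the calling process drops them after the fork; this sketch does not change privileges itself.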
