Jeremy Howard wrote:
>
> Ken Murchison wrote:
> > Now that I think about it, what's the difference? The pwcheck
> > capability is not going away, so anything you have already written will
> > still work. With saslauthd, the daemon itself speaks the protocol, NOT
> > the backend mechanism. As long as the API for mechanisms doesn't change
> > (which it will/has in the SASL v2 code), we should be able to change the
> > protocol all day long without breaking the "plug-in" code.
> >
> Sorry if I'm displaying ignorance here, but I was under the impression that
> saslauthd is simply a daemon that _does_ use the pwcheck API, except that
> the SASL configure script happens to set it up to use a different Unix
> socket to normal. So if saslauthd is using char-counted strings (which I now
> understand from Lyndon's message may reduce security problems) then the
> pwcheck interface must be changed to use these strings. Which means that
> daemons already written will have to be changed to use the new string
> format.
Disclaimer: I have never used/implemented pwcheck, so please verify what
I say, and correct me if necessary.
If by API, you mean the wire-protocol, then pwcheck and saslauthd _used_
to be the same, but I don't consider that an API. AFAIK, pwcheck
doesn't have an API, where saslauthd does (even though the guts of both
are very similar).
To illustrate the difference, consider the example of authenticating
against LDAP.
For pwcheck, you need to write an entire daemon -- one which speaks the
wire protocol over a UNIX socket, grabs the username and password,
verifies them against an LDAP server and sends the response string back
over the socket.
For saslauthd, all you need to write is a single function which takes
the username, password, service and realm as args, verifies against the
LDAP server and returns a response string. saslauthd has a "plug-in"
interface which can be used to add any mechanism to those already
existing in saslauthd. The biggest difference is that implementers do
NOT have to worry about the wire-protocol.
Ken
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
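To make the split Ken describes concrete, here is an added example (not code from this thread or from Cyrus SASL) of a daemon that owns the length-counted framing while the "plug-in" function only ever sees the four decoded arguments. The exact layout (a 2-byte network-order count before each field, reply framed the same way), the 256-byte per-field cap and the sample credential table are assumptions of this example, not facts stated in the thread.

```python
import hmac
import struct

# Constructed example, not code from the thread or from Cyrus SASL. Assumed framing:
# each field is a 2-byte network-order length followed by its bytes, sent in the
# order login, password, service, realm; the reply is framed the same way.
FIELDS = ("login", "password", "service", "realm")
MAX_FIELD = 256  # assumed per-field cap; a real daemon chooses its own

def encode_request(login, password, service, realm):
    """Frame the four fields the way a length-counted client sends them."""
    out = b""
    for value in (login, password, service, realm):
        data = value.encode("utf-8")
        if len(data) > MAX_FIELD:
            raise ValueError("field too long")
        out += struct.pack("!H", len(data)) + data
    return out

def parse_request(buf):
    """Parse one framed request; reject truncated, oversized or trailing data."""
    pos, fields = 0, {}
    for name in FIELDS:
        if pos + 2 > len(buf):
            raise ValueError("truncated length for " + name)
        (count,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if count > MAX_FIELD or pos + count > len(buf):
            raise ValueError("bad length for " + name)
        fields[name] = buf[pos:pos + count].decode("utf-8")
        pos += count
    if pos != len(buf):
        raise ValueError("trailing bytes after realm")
    return fields

def verify_demo(login, password, service, realm):
    """Stand-in for the plug-in function: sees only decoded args, never the wire."""
    table = {("alice", "example.org"): b"s3\x00cret"}  # constructed; NUL inside is fine
    expected = table.get((login, realm), b"")
    if expected and hmac.compare_digest(expected, password.encode("utf-8")):
        return "OK"
    return "NO authentication failed"

def encode_reply(text):
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def handle_request(buf):
    # Daemon side: parse the frame, call the plug-in, frame its answer.
    f = parse_request(buf)
    return encode_reply(verify_demo(f["login"], f["password"], f["service"], f["realm"]))
```

Because every field carries its own count, a password containing a NUL byte survives the round trip intact, which a NUL-terminated encoding could not guarantee; the parser still has to check each count against the buffer before trusting it.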