Ken Murchison wrote: >Quoting Eric Estabrooks <[EMAIL PROTECTED]>: > > > >> >> >>> >>> >>It should be possible to write a pam module (or extend an existing one) >>to include other mechanisms beside plain, if like you said you had plain >> >> > >My understanding of PAM is that you can't retrieve the password. You simply >pass it a user, password and service and PAM tells you whether it is >correct/allowed or not. I haven't checked the PAM API, so maybe there is a >way. >
There isn't as far as I know, you can do it by perverting the messaging interface, but that would be bad. > > >>text passwords available on the server side. Of course there might be >>an additional restriction imposed by the sasl interface in that it might >>only present plain to the pam interface or the likes of saslauthd and >>try to resolve others internally or drop them if configured for using pam. >> >> > >Assuming that youy can get PAM to return the plaintext password, you'd have to >write a PAM auxprop plugin. SASL only uses auxprop to fetch the plaintext >passwords (as opposed to checking the validity, which it does via saslauthd). > > Ah, I was looking at it from the other side thinking saslauthd would pass in the base64 encoded challenge response from cram and the pam module would still do a success/fail response by replicating the hmac functionality internally. Eric > >
smime.p7s
Description: S/MIME Cryptographic Signature
