On 25 Feb 2015, at 20:59, Peter Mogensen <[email protected]> wrote:

> So, why not just extend the support for proxy authentication forwarding
> to any single-handshake SASL-IR mechanism, which doesn't use
> channel-binding? (which includes PLAIN, but also GS2-KRB5, and possibly
> others).

Yeah, I guess it would work for several of the auth mechanisms. It's a lot of 
work though and requires some larger changes to how authentication works. I 
don't currently see it being worth the effort, but I wouldn't mind if somebody 
else implements it. I guess the parts would be:

 - Some flag to auth mechanisms that allow proxying based on their initial SASL 
response.
 - A new auth setting to enable auth proxying for mechanisms that support it.
 - If auth proxying is enabled, perform passdb lookup on non-plaintext auth on 
the initial SASL response. Return "finished" to the auth client with some 
"mech-proxy=y" extra field, so it knows to start proxying the SASL session to 
the destination server.
 - Implementation of the above for all the mechanisms that support it.
 - login-common to support sending the same initial response to the target 
server and proxying the rest of the authentication. (Possibly somehow integrate 
this with Dovecot's lib-sasl, but not sure if this is needed/useful.)
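A small Python model of the decision step sketched in the list above (passdb lookup on the initial SASL response, then "finished" with a mech-proxy=y field), added here as an illustration and not code from Dovecot or from anyone in the thread. The passdb contents, the proxyable mechanism set and the returned field names are assumptions; the GS2 header check shows why a client that requests channel binding cannot simply be forwarded.

```python
import base64

# Constructed passdb for the example: user -> (password, backend host).
PASSDB = {"alice": ("s3cret", "imap-backend1.example.test")}

# Mechanisms whose initial response identifies the user and can be replayed
# to the backend unchanged (no channel binding). Assumed set, per the thread.
PROXYABLE = {"PLAIN", "GS2-KRB5"}


def encode_ir(raw: bytes) -> str:
    """Base64-encode an initial response as it would appear on the wire."""
    return base64.b64encode(raw).decode()


def parse_initial_response(mech: str, raw: bytes):
    """Return (user, password_or_None, channel_binding_requested)."""
    if mech == "PLAIN":
        # RFC 4616: [authzid] NUL authcid NUL password
        parts = raw.split(b"\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN response")
        authzid, authcid, pw = parts
        return (authzid or authcid).decode(), pw.decode(), False
    if mech.startswith("GS2-"):
        # RFC 5801 gs2-header: cb-flag "," [ "a=" authzid ] "," then the token.
        flag, _, rest = raw.partition(b",")
        if flag not in (b"n", b"y") and not flag.startswith(b"p="):
            raise ValueError("malformed GS2 header")
        authzid, _, _token = rest.partition(b",")
        user = authzid[2:].decode() if authzid.startswith(b"a=") else None
        return user, None, flag.startswith(b"p=")
    raise ValueError("unsupported mechanism")


def auth_decide(mech: str, initial_response_b64: str, proxy_enabled: bool = True) -> dict:
    """Model of the auth server's answer to the login process (not Dovecot's wire format)."""
    if not proxy_enabled or mech not in PROXYABLE:
        return {"status": "continue"}  # ordinary, non-proxied SASL exchange
    user, pw, wants_cb = parse_initial_response(mech, base64.b64decode(initial_response_b64))
    if wants_cb:
        # A "p=" flag binds the handshake to this TLS session; replaying it to
        # another server would break the binding, so refuse rather than forward.
        return {"status": "fail", "reason": "channel binding requested"}
    if user is None or user not in PASSDB:
        return {"status": "fail", "reason": "no authzid or unknown user"}
    stored_pw, host = PASSDB[user]
    if pw is not None and pw != stored_pw:  # PLAIN can be verified locally
        return {"status": "fail", "reason": "bad password"}
    return {"status": "finished", "user": user, "host": host, "mech-proxy": "y"}
```

For GS2-KRB5 the proxy never sees a verifiable credential, so the backend still has to validate the Kerberos token; the lookup here only decides where to forward.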
