On Fri, 17 Jun 2005, Mark Brand wrote:
[snip..]
> Thanks for the explanation. Maybe I can formulate a sensible question
> now. I would like advice about how to do the following:
>
> -use PAM to check usernames and passwords
> -negotiate passwords securely
> -negotiate authentication without letting snoops steal passwords (Isn't
> this the same as the last point?)
> -avoid having to encrypt the whole session (imaps)
Secure authentication negotiation and secure password negotiation are
NOT necessarily the same thing. For example, a system using GSSAPI
(with Kerberos-V) does not have to deal with passwords at all.
There is a security server (Kerberos-KDC) that is the 'keeper of the keys'
and your mail server is just an authentication "customer" of that
security server. I.e., your mail server says "hey this user claims to
be 'bill' and has provided me credentials to back up that claim.
Mr security server, please help me validate these creds so I can
know if that claim is believable"
(details are a bit more involved, but you get the picture).
Authentication is the process of validating somebody's identity
claim, passwords are just one possible way to do it.
If the authentication method is secure then you don't have to encrypt
the whole session (unless you care about protecting the privacy of
your client's e-mail reading from eavesdroppers ;).
CRAM-MD5, GSSAPI, & SRP are examples of secure authentication methods.
> Cyrus SASL with SSL/TLS is widely used for client authentication by
> postfix. I think I'm looking for how to do this with imapd.
"SSL/TLS" is a mechanism to provide a secure communications channel,
it has nothing to do with authentication. However it does make it possible
to use an insecure authentication method (such as clear text passwords)
safely. (which is why you often hear "SSL/TLS" mentioned when talking
about authentication).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
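The CRAM-MD5 exchange Dave lists among the "secure authentication methods" is the simplest of the three to show end to end, so here is an added Python example of one IMAP AUTHENTICATE CRAM-MD5 round trip. This is editor-supplied demonstration code, not code from the original post, from UW imapd or from Cyrus SASL; the credential store, the username "bill", the password, the hostname and the captured challenge are all constructed for the demo. It shows what the snoop on the wire actually sees (the password itself never crosses the wire, which is the point made in the thread), and also the caveat a practitioner needs today: a single captured challenge/response pair is enough for an offline dictionary attack, and the server must hold the password in a plaintext-equivalent form, which is why RFC 6331 moved CRAM-MD5 to Historic.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Constructed credential store for the demo (not from the original post). CRAM-MD5
# forces the server to keep the password (or the HMAC-MD5 intermediate state) in a
# form it can use directly as an HMAC key, i.e. plaintext-equivalent.
USERS = {"bill": "correct horse battery staple"}


def server_challenge(hostname="mail.example.org"):
    """Fresh one-time challenge in the <pid.time.random@host> shape RFC 2195 uses."""
    return f"<{os.getpid()}.{int(time.time())}.{secrets.token_hex(8)}@{hostname}>"


def client_response(username, password, challenge):
    """Client side: 'username ' + hex(HMAC-MD5(key=password, msg=challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, users=USERS):
    """Server side: recompute the digest from the stored secret, compare in constant time."""
    username, _, digest = response.partition(" ")
    secret = users.get(username)
    # Unknown user: still burn one HMAC so timing does not reveal which usernames exist.
    key = (secret if secret is not None else "no-such-user").encode()
    expected = hmac.new(key, challenge.encode(), hashlib.md5).hexdigest()
    return secret is not None and hmac.compare_digest(expected, digest)


def imap_exchange(username, password, challenge=None):
    """Run one IMAP AUTHENTICATE CRAM-MD5 round trip; returns (wire transcript, success)."""
    if challenge is None:
        challenge = server_challenge()
    transcript = ["C: A001 AUTHENTICATE CRAM-MD5"]
    transcript.append("S: + " + base64.b64encode(challenge.encode()).decode())
    resp = client_response(username, password, challenge)
    wire = base64.b64encode(resp.encode()).decode()
    transcript.append("C: " + wire)
    # The server works only from what it saw on the wire.
    ok = server_verify(base64.b64decode(wire).decode(), challenge)
    transcript.append("S: A001 OK CRAM-MD5 authentication successful" if ok
                      else "S: A001 NO AUTHENTICATE failed")
    return transcript, ok


def wire_contains(transcript, needle):
    """What a passive snoop gets: True if needle appears in any line, raw or base64-decoded."""
    for line in transcript:
        if needle in line:
            return True
        token = line.split(" ")[-1]
        try:
            if needle in base64.b64decode(token, validate=True).decode("utf-8", "replace"):
                return True
        except ValueError:  # token was not base64 (e.g. "CRAM-MD5", "failed")
            pass
    return False


def offline_guess(challenge, response, wordlist):
    """The catch: one captured (challenge, response) pair lets the snoop test guesses offline."""
    _username, _, digest = response.partition(" ")
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), challenge.encode(), hashlib.md5).hexdigest()
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    transcript, ok = imap_exchange("bill", USERS["bill"])
    print("\n".join(transcript))
    print("authenticated:", ok)
    print("password visible on the wire:", wire_contains(transcript, USERS["bill"]))
```

The transcript lines are what an eavesdropper on a non-TLS IMAP session records: the base64 challenge and the base64 "bill <32 hex chars>" response, but never the password. What `offline_guess` shows is that this only stops a lazy snoop; anyone who captured the pair can grind a wordlist against it at HMAC-MD5 speed, and the server-side secret store is itself plaintext-equivalent. For the "no TLS, but don't leak the password" requirement in the thread, SRP or GSSAPI/Kerberos give a stronger answer; CRAM-MD5 today is best treated as a legacy mechanism, or run under TLS anyway.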