On Tue, 11 Mar 2003, Andreas Aardal Hanssen wrote:
> >Switching to stdin and abandoning the checkpassword protocol is fine,
> >but doing so means that we cut ourselves off from every one of the
> >dozens of checkpassword implementations available right now.
>
> No! I think you totally misunderstand.
>
> Binc launches bincimap-auth-checkpassword.
> Binc talks to bincimap-auth-checkpassword.
> bincimap-auth-checkpassword talks to checkpassword.
>
> We are _not_ changing bincimap-auth-checkpassword!
>
> Binc currently uses the environment variables BINC_USERID and BINC_PASSWD
> to talk to its authenticator. bincimap-auth-checkpassword is an
> authenticator that also functions as a stub for checkpassword.
>
> We are removing the environment communication and replacing it with
> netstrings - and we will use stdin and stdout for this. So instead of using
> BINC_USERID and BINC_PASSWD, we will use
>
> 7:andreas,8:password,
>
> And Binc will write this to its authenticator's stdin. That's all.

I'm still mystified as to why all this extra (relatively) complex code
exists.

The qmail-popup/qmail-pop3d model, which is cited as an inspiration for
bincimapd, uses two separate programs to provide the POP3 service.
qmail-popup handles the pre-authentication part of the protocol, and
qmail-pop3d handles only the post-authentication part of the protocol.
This design is simple, reliable and secure. I don't have the same
confidence that the new bincimap design has these characteristics.

One of the reasons that I am here, and I doubt that I am alone, is
mistrust of Mr Sam's "I must reinvent every wheel" approach. I doubt that
we'll see that here, but I am a little uneasy.

Andreas, are you wedded to the current authentication scheme? Or might you
be convinced to have the authenticator spawn bincimapd rather than the
other way around?

[As I mentioned earlier, Bruce Guenter already has a pre-authentication
imap protocol handler - imapfront-auth from the mailfront package. One
would execute imapd using checkpassword as the authenticator using:

    /var/qmail/bin/imapfront-auth \
        cvm-checkpassword cvm-unix \
        /opt/bincimap/bin/bincimapd
]

--
Charlie
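
Added example (not part of the original message and not Binc's own code): a strict parser an authenticator could use to read the two-netstring credential message quoted above, `7:andreas,8:password,`, from its stdin. The function names and the 256-byte field cap are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 256 /* assumed per-field cap, not a Binc constant */

/* Parse one netstring "<len>:<bytes>," from buf[0..n). Copies the payload
 * into out (NUL-terminated) and returns bytes consumed, or -1 if malformed. */
static long ns_parse(const char *buf, size_t n, char *out, size_t outsz)
{
    size_t i = 0, len = 0;
    if (n == 0 || buf[0] < '0' || buf[0] > '9') return -1;
    if (buf[0] == '0' && n > 1 && buf[1] != ':') return -1; /* no leading zeros */
    while (i < n && buf[i] >= '0' && buf[i] <= '9') {
        len = len * 10 + (size_t)(buf[i++] - '0');
        if (len > MAX_FIELD) return -1;      /* bound before it can overflow */
    }
    if (i >= n || buf[i++] != ':') return -1;
    if (len >= outsz || n - i < len + 1) return -1; /* payload plus ',' must fit */
    if (buf[i + len] != ',') return -1;
    if (memchr(buf + i, '\0', len)) return -1; /* NUL would truncate C strings */
    memcpy(out, buf + i, len);
    out[len] = '\0';
    return (long)(i + len + 1);
}

/* Parse exactly two netstrings (user, password); 0 on success, -1 otherwise. */
int parse_credentials(const char *buf, size_t n,
                      char *user, size_t usz, char *pass, size_t psz)
{
    long a = ns_parse(buf, n, user, usz);
    if (a < 0) return -1;
    long b = ns_parse(buf + a, n - (size_t)a, pass, psz);
    if (b < 0) return -1;
    return ((size_t)(a + b) == n) ? 0 : -1;   /* reject trailing bytes */
}

int main(void)
{
    const char msg[] = "7:andreas,8:password,"; /* sample message from the thread */
    char user[64], pass[64];
    int rc = parse_credentials(msg, sizeof msg - 1, user, sizeof user,
                               pass, sizeof pass);
    printf("rc=%d user=%s\n", rc, rc == 0 ? user : "(rejected)");
    return rc == 0 ? 0 : 1;
}
```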