On Sat, 2002-12-14 at 00:10, Jesse Guardiani wrote:
> So, I simply removed the 'cram-md5' string in the capability
> announcement line.
>
> Is there a better way to disable this? Perhaps a config flag?
Can you try the attached patch, then restart your tmda-ofmipd with
the -n option?
If it's ok, I'll commit it in the main branch, so you won't have to
patch it at each new version.
David
PS: if you receive this message, then at least it works for me ;)
Index: tmda-ofmipd
===================================================================
RCS file: /cvsroot/tmda/tmda/bin/tmda-ofmipd,v
retrieving revision 1.18
diff -u -r1.18 tmda-ofmipd
--- tmda-ofmipd 21 Nov 2002 21:13:29 -0000 1.18
+++ tmda-ofmipd 13 Dec 2002 23:43:53 -0000
@@ -36,34 +36,34 @@
-V
--version
- Print TMDA version information and exit.
+ Print TMDA version information and exit.
-d
--debug
- Turn on debugging prints.
+ Turn on debugging prints.
-u <username>
--username <username>
- The username that this program should run under. The default
- is to run as the user who starts the program unless that is
- root, in which case an attempt to seteuid user `tofmipd' will be
- made. Use this option to override these defaults.
+ The username that this program should run under. The default
+ is to run as the user who starts the program unless that is
+ root, in which case an attempt to seteuid user `tofmipd' will be
+ made. Use this option to override these defaults.
-p <host:port>
--proxyport <host:port>
- The host:port to listen for incoming connections on. The
- default is FQDN:8025 (i.e, port 8025 on the fully qualified
- domain name for the local host).
+ The host:port to listen for incoming connections on. The
+ default is FQDN:8025 (i.e, port 8025 on the fully qualified
+ domain name for the local host).
-R proto[://host[:port]]
--remoteauth proto[://host[:port]][/dn]
Host to connect to to check username and password.
- proto can be one of the following:
- `imap' (IMAP4 server)
- 'imaps' (IMAP4 server over SSL)
- `pop3' (POP3 server)
- `apop' (POP3 server with APOP authentication)
- `ldap' (LDAP server)
+ `imap' (IMAP4 server)
+ 'imaps' (IMAP4 server over SSL)
+ `pop3' (POP3 server)
+ `apop' (POP3 server with APOP authentication)
+ `ldap' (LDAP server)
- host defaults to localhost
- port defaults to 143 (imap), 993 (imaps), 110 (pop3/apop), 389 (ldap)
- dn is mandatory for ldap and should contain a `%%s' identifying
@@ -76,8 +76,8 @@
--authprog <program>
checkpassword compatible command used to check username/password. e.g,
`-A /usr/sbin/checkpassword-pam -s id --stdin -- /bin/true'
- The program must be able to receive the username/password pair
- on its stdin, and in the following format:
+ The program must be able to receive the username/password pair
+ on its stdin, and in the following format:
`username\\0password\\0'
-a <file>
@@ -87,6 +87,15 @@
root/tofmipd, otherwise ~user/.tmda/tofmipd. Use this option
to override these defaults.
+ -n
+ --nofallback
+ Use only the specified authentication method, do not fall back
+ to file authentification (/etc/tofmipd or -a argument).
+ If more than one method is given, priority order is:
+ - remoteauth (-R)
+ - authprog (-A)
+ - file (-a)
+
-C <n>
--connections <n>
Do not handle more than n simultaneous connections. If there
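Review bot: The new help text for `-n`/`--nofallback` has a spelling error in its third line, "file authentification"; it should read `to file authentication (/etc/tofmipd or -a argument).` since this string is printed to users. The priority list that follows matches the order in which the authentication code below tries the methods, so no other change is needed here.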
@@ -132,6 +141,7 @@
program = sys.argv[0]
configdir = None
authprog = None
+nofallback = None
remoteauth = { 'proto': None,
'host': 'localhost',
'port': None,
@@ -191,11 +201,12 @@
try:
opts, args = getopt.getopt(sys.argv[1:],
- 'p:u:R:A:a:c:C:dVh', ['proxyport=',
+ 'p:u:a:R:A:nc:C:dVh', ['proxyport=',
'username=',
'authfile=',
'remoteauth=',
'authprog=',
+ 'nofallback=',
'configdir=',
'connections=',
'debug',
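Review bot: The long option is registered as `'nofallback='`, which tells getopt that `--nofallback` requires an argument, while the short form `-n` in the option string takes none and the handler further down only sets `nofallback = 1` without reading `arg`; `--nofallback` on its own would therefore be rejected with a GetoptError instead of enabling the option. The entry should be `'nofallback',` to match `-n`. The reorder of the short option string (`a:` moved before `R:`) is harmless since each letter keeps its colon. The `getopt.getopt` call continues past the end of this hunk.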
@@ -216,9 +227,11 @@
elif opt in ('-d', '--debug'):
DEBUGSTREAM = sys.stderr
elif opt in ('-p', '--proxyport'):
- proxyport = arg
+ proxyport = arg
+ elif opt in ('-n', '--nofallback'):
+ nofallback = 1
elif opt in ('-u', '--username'):
- username = arg
+ username = arg
elif opt in ('-R', '--remoteauth'):
# arg is like: imap://host:port
try:
@@ -250,13 +263,13 @@
remoteauth['port'], remoteauth['dn'])
remoteauth['enable'] = 1
elif opt in ('-A', '--authprog'):
- authprog = arg
+ authprog = arg
elif opt in ('-a', '--authfile'):
- authfile = arg
+ authfile = arg
elif opt in ('-c', '--configdir'):
- configdir = arg
+ configdir = arg
elif opt in ('-C', '--connections'):
- connections = arg
+ connections = arg
import asynchat
@@ -494,7 +507,11 @@
self.__auth_username = None
self.__auth_password = None
self.__auth_sasl = None
- self.__sasl_types = ['login', 'cram-md5', 'plain']
+ if nofallback and (remoteauth['enable'] or authprog):
+ # CRAM-MD5 does not work with remote login or authprog
+ self.__sasl_types = ['login', 'plain']
+ else:
+ self.__sasl_types = ['login', 'cram-md5', 'plain']
self.__auth_cram_md5_ticket = '<%s.%s@%s>' % (random.randrange(10000),
int(time.time()), FQDN)
self.__server = server
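Review bot: The new comment "CRAM-MD5 does not work with remote login or authprog" does not explain why the mechanism is still advertised when remote auth or authprog is configured but `-n` is absent, which is the case the original report was about. Presumably the authfile fallback is what allows the server to verify a CRAM-MD5 response in that configuration; if so, say that explicitly, e.g. `# CRAM-MD5 can only be verified against the authfile; drop it when -n rules out that fallback`, otherwise a reader will take the branch condition for a bug. The decision also reads the module globals `nofallback`, `remoteauth` and `authprog` at connection time, so it is worth a note that it is evaluated per connection. Separately, the challenge ticket on the following context lines is built from `random.randrange(10000)` and the clock, which is a small and predictable nonce space; not part of this change, but worth a follow-up. The enclosing `__init__` starts before this hunk.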
@@ -535,11 +552,15 @@
# Try first with the remote auth
if run_remoteauth(username, password):
return 1
+ if nofallback:
+ return 0
if authprog:
# Then with the authprog
if run_authprog(username, password) == 0:
return 1
- # Now we can fall back on the authfile
+ if nofallback:
+ return 0
+ # Now we can fall back on the authfile
authdict = authfile2dict(authfile)
if authdict.get(username.lower(), 0) != password:
return 0
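Review bot: Because this rendering has lost the indentation, it is not visible whether the first added `if nofallback: return 0` sits inside the remote-auth branch or at the level of the following `if authprog:`; if it is at the outer level, `-n` combined with only `-A` would return 0 before `run_authprog` is ever called, contradicting the documented priority order. Please confirm the nesting, and consider a one-line comment on each added check such as `# -n: do not fall through to the next method` so the intent survives future edits. The same pair of checks is added verbatim again in the hunk at @@ -562,11 +583,15 @@, so the two methods now duplicate the whole remote/authprog/authfile sequence; extracting that sequence into one private helper called from both would keep the `-n` semantics in a single place. The enclosing function starts and ends outside the hunk.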
@@ -562,11 +583,15 @@
# Try first with the remote auth
if run_remoteauth(username, password):
return 1
+ if nofallback:
+ return 0
if authprog:
# Then with the authprog
if run_authprog(username, password) == 0:
return 1
- # Now we can fall back on the authfile
+ if nofallback:
+ return 0
+ # Now we can fall back on the authfile
authdict = authfile2dict(authfile)
if authdict.get(username.lower(), 0) != password:
return 0