Hi,

From: "Jason R. Mastaler"
Subject: Re: tmda-ofmipd: patch for imap[s] and pop3 remote auth
Date: Tue, 03 Sep 2002 17:41:42 -0600

> [EMAIL PROTECTED] writes:
>
> > I'm trying to understand how it's supposed to work and am struggling
> > a bit -- is the basic idea for the new tmda-ofmipd to query another
> > service to authenticate a user (i.e. pass through user/auth info to
> > a relevant service and act based on the response)?
>
> Correct.

Thanks for the clarification.

> > If so, I guess it's unlikely to work w/ something like APOP because of
> > the challenge string.
>
> I think it can be made to work with APOP. Python's poplib contains an
> `apop' method. From the docs:
>
>   apop(user, secret)
>     Use the more secure APOP authentication to log into the POP3 server
>
> So, the user would just send tmda-ofmipd his apop username and secret
> to authenticate rather than his username and plain text password.
>
> Make sense?

Hmmm, not sure actually.

IIUC, in APOP what is sent to the server is computed based on hashing
a concatenation of the user's password and a one-time challenge string
generated by the pop server. For the user to send tmda-ofmipd this
hashed value, doesn't the user need to have access to the one-time
challenge string from the pop server?

I suppose it's possible for tmda-ofmipd to talk to the pop server to
obtain the challenge string, leave the connection open, and pass this
string on to the client -- I'm fuzzy on how the user's client knows to
do APOP authentication -- receive the appropriate response from the
client, and then pass the result back to the pop server. I don't get
the feeling that this will work because it doesn't seem like the user's
client would know how to handle this.

I suppose an alternative might be for the user's client to send the
password in plaintext to tmda-ofmipd and for tmda-ofmipd to compute the
hashed value (though I think it defeats the purpose of using APOP if
the connection is unencrypted...).

I feel like I'm confused here...
(-;
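
The APOP computation discussed in this message, as an added example that is not part of the original post or of TMDA's code: the digest is bound to the challenge in the server's greeting, so a value computed for one session is rejected on the next, while a proxy holding the plaintext secret can answer any challenge. The greeting and secret are the sample values from RFC 1939; the function names and the second challenge are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re

# Sample data: greeting and shared secret from the RFC 1939 APOP example.
GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = b"tanstaaf"
# Constructed challenge standing in for a later connection to the same server.
SECOND_CHALLENGE = b"<1897.697170999@dbc.mtview.ca.us>"

_TIMESTAMP = re.compile(rb"<[^<>\s]+@[^<>\s]+>")


def challenge_from_greeting(greeting):
    """Return the <process-ID.clock@hostname> challenge from a POP3 greeting,
    or None when the server offers none (it does not support APOP)."""
    match = _TIMESTAMP.search(greeting)
    return match.group(0) if match else None


def apop_digest(challenge, secret):
    """APOP response: hex MD5 of the challenge (brackets included) + secret."""
    return hashlib.md5(challenge + secret).hexdigest()


def server_accepts(challenge, secret, digest):
    """Server-side check: the digest must match the server's current challenge."""
    return hmac.compare_digest(apop_digest(challenge, secret), digest)


def proxy_login(greeting, secret):
    """Hypothetical proxy step: given the plaintext secret, answer the
    server's challenge on the user's behalf. Returns the digest or None."""
    challenge = challenge_from_greeting(greeting)
    return apop_digest(challenge, secret) if challenge else None


if __name__ == "__main__":
    first = challenge_from_greeting(GREETING)
    digest = apop_digest(first, SECRET)
    print("digest for first session:", digest)
    # A digest computed without the new session's challenge is rejected.
    print("old digest on new session:",
          server_accepts(SECOND_CHALLENGE, SECRET, digest))
    # The proxy can only succeed because it was handed the plaintext secret.
    fresh = proxy_login(b"+OK ready " + SECOND_CHALLENGE, SECRET)
    print("proxy with plaintext secret:",
          server_accepts(SECOND_CHALLENGE, SECRET, fresh))
```
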
