David Guerizec <[EMAIL PROTECTED]> writes:

>> Remove CRAM-MD5 from the published SASL types if using the
>> `--authprog' or `--remoteauth' options.
[...]
> Actually this is wrong in the current implementation, cause you may
> want to keep CRAM-MD5 if you want some users to authenticate against
> /etc/tofmipd, while some others authenticate against -R ldap or -A
> chkpasswd.

But the issue is that many MUAs will automatically choose CRAM-MD5 if it's advertised, and don't allow the option of explicitly specifying LOGIN or PLAIN. This means that those MUAs will never be able to do remote authentication. This will require the use of an /etc/tofmipd file, which I don't think I'm comfortable with.

As Tim mentioned, hybrid authentication schemes should be rare. However, one would still be able to do this, they'd just lose the ability to do CRAM-MD5 against the /etc/tofmipd file. In this case, they should just set up an stunnel or ssh tunnel to ensure passwords aren't sent in the clear over the wire.

So in summary, how about we leave my patch in, and add the --fallback/-F option to check /etc/tofmipd after -R or -A authentication has failed? The default behavior would be to ignore /etc/tofmipd if using -R or -A.

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
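Added example, not part of the original message and not TMDA's own code: a Python sketch of why a CRAM-MD5 response can only be checked against a locally stored secret, together with the mechanism advertisement and `--fallback` ordering proposed in the message above. All function names and the sample credentials are hypothetical.

```python
import hashlib
import hmac

# Constructed sample standing in for the local password file (cleartext secrets).
LOCAL_FILE = {"alice": "s3cret"}

def cram_md5_response(user, secret, challenge):
    """Client side (RFC 2195): send the user name and HMAC-MD5(secret, challenge)."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"

def verify_cram_md5(response, challenge, local_secrets):
    """Server side: the password never crosses the wire, so the server must
    hold the cleartext secret itself to recompute the digest. A backend that
    expects (user, password) has nothing it can check here."""
    user, _, digest = response.rpartition(" ")
    secret = local_secrets.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def advertised_mechanisms(remote_backend):
    """Drop CRAM-MD5 when a remote backend (-R or -A) is configured, so MUAs
    that pick it automatically use LOGIN or PLAIN instead."""
    mechanisms = ["LOGIN", "PLAIN"]
    if not remote_backend:
        mechanisms.append("CRAM-MD5")
    return mechanisms

def authenticate_plain(user, password, remote_check, local_secrets, fallback=False):
    """LOGIN/PLAIN: try the remote backend first; consult the local file only
    when no backend is configured or the fallback option is set."""
    if remote_check is not None:
        if remote_check(user, password):
            return True
        if not fallback:
            return False  # proposed default: ignore the local file
    stored = local_secrets.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

if __name__ == "__main__":
    challenge = "<12345.67890@mail.example.org>"  # constructed challenge
    resp = cram_md5_response("alice", "s3cret", challenge)
    print(advertised_mechanisms(remote_backend=True), verify_cram_md5(resp, challenge, LOCAL_FILE))
```

With LOGIN or PLAIN the password itself is sent to the server, which is why the message pairs this configuration with an stunnel or ssh tunnel.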
