On Thu, 19 Sep 2002, GOMBAS Gabor wrote: > On Thu, Sep 19, 2002 at 02:29:24AM -0700, David Wright wrote: > > > It's true, there isn't a need, meaning Cyrus could have been designed to > > use PAM directly as a security layer and not used SASL. > > Huh? PAM is not a security layer. It is an API designed for local > authentication only. On the other hand, SASL is a _protocol_ designed > for remote client-server authentication, encryption and integrity > protection. There is _no_ relation between SASL and PAM. Of course you > can use PAM to implement the PLAIN SASL authentication method, and it is > also possible that some PAM module might use SASL to talk to a remote > authentication service, but these are implementation details.
David would have been more correct if he had said libsasl, which does provide *some* PAM-like functionality, namely the ability to verify plaintext passwords outside of the context of a SASL negotiation. A long while ago the decision was made to break all authentication-related code out into libsasl. This was done so that we would only have to maintain one copy of the code, regardless of how the system was configured. I'd hate to see the disaster of misconfigurations we would have right now if you had to worry about if Cyrus was handling authentication or if libsasl was. -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper
