> The following is all hypothetical. I'm curious about how people > think auth(2)/factotum(4) could be adapted to support the use > case ... > > factotum was intended to handle the authentication dance on behalf > of network apps. But in the case of things like IMAP, it really > just stores the client's login/password, and provides a bit of > helper glue for CRAM-MD5. Similarly for ftpfs. > > I'm curious why upasfs and ftpfs are outliers in only using factotum > as a credential store, but leaving the actual authentication protocol > dance in the clients/servers. The "Security" paper (/sys/doc/auth) > strongly hints that these parts of the application protocols were > meant to be outsourced to factotum. Section 2.2 in particular > argues that the auth modules should be implemented once in factotum, > for consumption by the rest of the system.
Probably simple expediency. > <snip> > > To require a specific SASL mechanism, add "sasl=scram-md5" (using > "sasl=*" as a default if you need to fall back for some reason). This all sounds fairly reasonable. I think that patches to this effect would be worth integrating. > Of course all of this needs to be glued into auth(2) in a way that > doesn't destroy the existing API. But it does need to handle > factotum replacing the underlying connection to the client/server > with one that has been pushtls()ed by factotum itself. I'm not sure how factotum can have this action at a distance. I think the pushtls is stuck in the client itself -- though, the auth code can probably return the parameters needed for this. ------------------------------------------ 9fans: 9fans Permalink: https://9fans.topicbox.com/groups/9fans/T8154f8e7b95f1a8c-M16c4ed9e42454938bd4e69b7 Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
