[Dovecot] Different classes of user

John Robinson john.robinson at anonymous.org.uk
Wed Feb 14 19:17:53 UTC 2007


On 14/02/2007 18:39, Timo Sirainen wrote:
> On Wed, 2007-02-14 at 18:27 +0000, John Robinson wrote:
[...]
>> I'm sure I can't be the only person in the world who'd like to be able
>> to handle with/without TLS differently. In fact, this might be of
>> interest to almost anyone with both system and virtual users. Timo?
> 
> There was a patch to add '%c' variable to dovecot-auth which would say
> "TLS" or "SSL" or "". Or something like that. However that couldn't be
> passed to PAM.
> 
> Yea, maybe the disable_plaintext_auth setting could be added inside
> passdbs. But not before v1.0, so you'll need to figure out another way
> to do this.

Right, I'm going to have to fudge it myself.

I propose to amend the syntax of the PAM service name in dovecot.conf, 
and allow a placeholder character at the end of it (probably ?). At 
runtime, if it's there, I'll either remove it or change it to an 's', 
varying the service name supplied by dovecot to PAM depending on whether 
the current connection uses TLS/SSL.

I'm not much of a C programmer, in fact I'm rusty at programming at all, 
but I'll have a go. In passdb-pam.c:pam_verify_plain(), what can I do to 
find out whether the current connection is using TLS/SSL? Hopefully this 
will end up being a 5-line patch and I won't introduce any horrific 
security hole.

Cheers,

John.
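
The service-name substitution proposed in the message above, sketched as an added example that is not part of the original post and is not Dovecot code. The function name `pam_service_for_conn` and the `secured` flag are hypothetical; how passdb-pam.c would learn whether the connection uses TLS/SSL is not shown on this page and is left to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: derive the PAM service name from the configured
 * name, where a trailing '?' is the placeholder proposed in the message.
 * `secured` is an assumed input supplied by the caller.
 * Returns 0 on success, -1 on any error (caller must then fail the auth). */
int pam_service_for_conn(const char *configured, bool secured,
                         char *out, size_t out_size)
{
    size_t len, base, need;

    if (configured == NULL || out == NULL || out_size == 0)
        return -1;
    len = strlen(configured);
    if (len == 0)
        return -1;

    if (configured[len - 1] != '?') {
        /* No placeholder: same service name for every connection. */
        if (len + 1 > out_size)
            return -1;
        memcpy(out, configured, len + 1);
        return 0;
    }

    /* A bare "?" would yield "" or "s": reject it as a config error. */
    if (len == 1)
        return -1;

    /* Room for base name + optional 's' + NUL. Fail instead of
     * truncating: a shortened name could select a different PAM service
     * than the administrator intended. */
    base = len - 1;
    need = base + (secured ? 1 : 0) + 1;
    if (need > out_size)
        return -1;

    memcpy(out, configured, base);
    if (secured)
        out[base++] = 's';   /* e.g. "dovecot?" becomes "dovecots" */
    out[base] = '\0';
    return 0;
}
```

Treating every error return as an authentication failure keeps the lookup fail-closed, so a bad configuration never falls through to some other PAM service.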

