Re: [exim] Different classes of user

Author: John Robinson
Date:  
To: exim-users
Subject: Re: [exim] Different classes of user
On 08/02/2007 14:44, Philip Hazel wrote:
> On Thu, 8 Feb 2007, John Robinson wrote:
>> I can't advertise authentication only to people who've started TLS, so I
>> guess I need to fail authentication to my shell users whatever password
>> they give if they haven't started TLS. I can see some horrible mess
>> coming along with my authenticators' server_condition - either trying to
>> do lookups of the user's shell in /etc/shells, or looking up the user in
>> two different places.

[...]
> Reject the AUTH command when you don't want it rather than later in
> server_condition.


I'm not sure I can, or I'm misunderstanding you. I think I have to allow
AUTH attempts from anyone, anywhere, and it's not until the
authenticators run that I can extract and examine the user details to
discover whether it's one of my insecure, untrusted users (who I can
then check the password for and potentially grant access to, without
bothering whether they're using TLS) or one of my secure-only shell
users (who I want to reject if they're not using TLS, or check the
password for if they are).

I suppose my condition is
   if (pam auth ok) and
      ((tls) or (user's shell not listed in /etc/shells))
Maybe that's not so awful. But if I wanted to return a 538 (TLS
required) response instead of 535 (auth failed), I'm going to have to do
something in the ACL. Testing times coming up :-)


Cheers,

John.
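As an added example (not John's config and not anything shipped with Exim), here is what the condition John sketches above looks like once written as a server_condition on a PLAIN authenticator: PAM must accept the password, and then either the session is under TLS or the account's login shell is not listed in /etc/shells. It assumes an Exim built with PAM support, a local flat /etc/passwd and /etc/shells, and the standard PLAIN variable layout ($auth2 = username, $auth3 = password); the authenticator name is made up for the example.

```exim
# Added example, not from the original post or from Exim's own distribution.
# Encodes the rule:  (pam auth ok) and ((tls) or (user's shell not in /etc/shells))
# Assumptions (not stated on the page): Exim built with SUPPORT_PAM, flat
# /etc/passwd and /etc/shells files, PLAIN mechanism so that $auth2 is the
# authentication id and $auth3 the password.  Authenticator name is invented.

begin authenticators

plain_tls_for_shell_users:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $auth2
  # Evaluation is left to right; a false sub-condition of "and" ends it.
  # 1. PAM must accept the password.
  # 2. Then at least one of:
  #    a. TLS is active ($tls_cipher is set only on a TLS session; newer
  #       Exim also offers $tls_in_cipher for the same thing), or
  #    b. the 6th colon field of the user's /etc/passwd data (the login
  #       shell) is not found as a key in /etc/shells, i.e. this is one of
  #       the "insecure, untrusted" mail-only accounts.
  server_condition = ${if and {\
      {pam{$auth2:$auth3}}\
      {or {\
        {def:tls_cipher}\
        {eq {${lookup{${extract{6}{:}{${lookup{$auth2}lsearch{/etc/passwd}{$value}{}}}}}\
                 lsearch{/etc/shells}{found}{}}}{}}\
      }}\
    }{yes}{no}}
```

Two notes on the shape. A plain-text AUTH from a shell user still fails here with Exim's ordinary 535, exactly the limitation John mentions; nothing in server_condition can turn that into a 538, because the authenticator does not choose the reply code. Second, with PAM listed first the password is always checked before the TLS/shell test; swapping the two halves of the "and" would skip the PAM call for a shell user on a cleartext session, at the cost of doing the passwd and shells lookups for every attempt, including ones for accounts that do not exist.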