[Standards] Loopback Authentication

Ralph Meijer jabber.org at ralphm.ik.nu
Thu Feb 1 09:03:32 UTC 2007


On Wed, 2007-01-31 at 18:48 -0800, Justin Karneges wrote:
> [..]
>
> Unfortunately, there is no clean cross-platform solution for this kind of 
> thing.  Depending on how many platforms we'd want loopback authentication to 
> work on, we could end up with 3 or 4 mechanisms.  Do we want to make a 
> handful of new SASL mechanisms? (putting loopback auth on the level of SASL) 
> Or would it be better to design our own loopback handshake protocol and then 
> always follow-up with SASL EXTERNAL? (putting loopback auth on the level of 
> starttls).

If your method of authentication requires no additional information to
be exchanged in the SASL negotiation besides an optional authorization
identity, you should use SASL EXTERNAL.

Taking the /proc/net/tcp example, if you read XEP-0178, then replace
'certificate checking' with checking the UID of the TCP socket and
finding a matching user account. Usually the UID maps to one JID, so you
use an empty authorization identity. If you have several different
accounts to choose from, you can send the selected account as the
authorization identity.

In all other cases, devise a new SASL mechanism.

-- 
Groetjes,

ralphm




More information about the Standards mailing list