Move SXOVER into libsasl2 or libgssapi
Currently, we add the `GS2-SXOVER-PLUS` SASL mechanism in an `xsasl_*` API that shares the `qsasl_*` look. Disadvantages: (1) This only works on Quick SASL programs and (2) it entangles KIP with Quick SASL.
If we add the mechanism as a `libsasl2` plugin, which would include recursion as a part of SASL, we would have the mechanism available in all Cyrus-SASL2 applications, including Postfix; not sure about Dovecot, which may enforce its own Dovecot SASL, which has limited strength because it stores no state.
If we add the mechanism as a `libgssapi` plugin, the choice would be specific to a GSS-API implementation, but MIT krb5 does not seem to be a very confronting choice. It would include applications like OpenSSH, Putty and knc.
The best option seems to be a `libgssapi` plugin that wraps Cyrus SASL2:
- It adds SASL functionality to GSS-API protocols (completing the circle, maximum crossover)
- It reaches all SASL implementations that support GS2 through `libgssapi`, including `libsasl2` applications
- It reaches all Quick SASL applications; `xsasl_*` can probably be removed
Specifically interesting is that it supports all of KIP, Postfix, Dovecot?, OpenSSH, Putty, knc, ...