CVM Protocol Version 1 Description
CVM Protocol Version 2 Description
CVM Credential Definitions
CVM Fact Definitions
CVM Version 1 Client Library
CVM Version 2 Client Library
CVM Module Library
CVM SASL Library
CVM Error Values
CVM Design Rationale
The cvm-checkpassword Program
The cvm-testclient Program
The cvm-benchclient Program
The cvm-unix Module
The cvm-pwfile Module
The cvm-vmailmgr Module
The cvm-qmail Module
The cvm-mysql Module
The cvm-pgsql Module
The cvm-chain Module
CVM is a framework for validating a set of credentials against a database using a filter program. The modules act as a filter, taking a set of credentials as input and writing a set of facts as output if those credentials are valid. Optional input is given to the module through environment variables.
Some of the ideas for CVM came from experience with PAM (pluggable authentication modules), the checkpassword interface used by qmail-pop3d, and the "authmod" interface used by Courier IMAP and POP3. This framework places fewer restrictions on the invoking client than checkpassword does, and is much simpler to implement on both sides than PAM and the authmod framework.
CVM modules may be contacted by one of three modes:
Modules may be chained in the client. To do so, specify the list of modules separated by a comma. For example:
The first module to either report success, a temporary failure, or permanent failure with an in-scope result terminates the chain.
CVM modules are invoked using a similar syntax to the above:
If $CVM_LOOKUP_SECRET is set, the module operates in "lookup mode". In this mode, the authentication function provided by the module will not be called. Instead, the module library will handle authentication internally, before the lookup happens. If the secret is empty, the module will expect no credentials to be passed to the module, otherwise one must be passed and it must match the secret.