The spa authenticator provides client support for Microsoft's Secure Password Authentication mechanism. It does not provide server support for this mechanism. The code for this authenticator was contributed by Marc Prud'hommeaux, and much of it is taken from the Samba project (http://www.samba.org).
The mechanism works as follows:
After the AUTH command has been accepted, the client sends an SPA authentication request based on the user name and optional domain.
The server sends back a challenge.
The client builds a challenge response which makes use of the user's password and sends it to the server, which then accepts or rejects it.
Encryption is used to protect the password in transit.
This authenticator has the following client options:
client_domain: This option specifies an optional domain for the authentication.
client_password: This option specifies the user's password, and must be set.
client_username: This option specifies the user name, and must be set.
Here is an example of a configuration of this authenticator for use with the mail servers at msn.com:
msn:
  driver = spa
  public_name = MSN
  client_username = msn/msn_username
  client_password = msn_plaintext_password
  client_domain = DOMAIN_OR_UNSET
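The following Python check is an added example, not part of the original documentation or the authenticator's source. It scans authenticator blocks for spa drivers that omit the required client_username or client_password, or that hold the password as a literal in the configuration, as the msn example above does. The relay_spa and broken blocks, the /etc/exim/spa_passwd path and the function names are assumptions made for illustration, and the parser assumes simple "name:" and "option = value" lines with no macros or continuation lines.

```python
import re

def parse_authenticators(text):
    """Parse 'name:' blocks of 'option = value' lines into {name: {option: value}}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"([A-Za-z0-9_-]+):", line)
        if header:
            current = blocks.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return blocks

def audit_spa(text):
    """Return sorted (authenticator, finding) pairs for every 'driver = spa' block."""
    findings = []
    for name, opts in parse_authenticators(text).items():
        if opts.get("driver") != "spa":
            continue
        for opt in ("client_username", "client_password"):  # both "must be set"
            if not opts.get(opt):
                findings.append((name, f"{opt} is not set"))
        password = opts.get("client_password", "")
        # Heuristic: no "$" means no string expansion, so the value is the password itself.
        if password and "$" not in password:
            findings.append((name, "client_password is a literal in the config"))
    return sorted(findings)

# Constructed sample: the msn block from this page plus two hypothetical blocks.
SAMPLE = """
msn:
  driver = spa
  public_name = MSN
  client_username = msn/msn_username
  client_password = msn_plaintext_password
relay_spa:
  driver = spa
  client_username = relayuser
  client_password = ${lookup{relayuser}lsearch{/etc/exim/spa_passwd}{$value}fail}
broken:
  driver = spa
"""

if __name__ == "__main__":
    print("\n".join(f"{name}: {finding}" for name, finding in audit_spa(SAMPLE)))
```

A block that passes the literal-password check still needs its lookup file readable only by the mail daemon's user; the check does not inspect file permissions.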