* Toens Bueker said:
> Marek Habersack <grendel@vip.net.pl> wrote:
>
> > > This is Cyrus 1.5.x BTW, not 1.6 (1.6 needs the SASL stuff which
> > > seems to be very broken in places). Sadly 1.5.x doesn't support
> > > PAM (but 1.6 does and when it's stable, I'll package it).
> > SASL is a PITA - the pwcheck stuff doesn't work without much tweaking, I
> > didn't even get PAM to work - it refuses to authenticate when cyrus runs
> > with the 'cyrus' user's ID, and cyrus refuses to run as root. The sasldb
> > auth doesn't work as well.
>
> Could you elaborate on this?

Of course. I have set up a virtual server in a chrooted tree. The server is supposed to host accounts which can be accessed only from specific places and only using IMAP.

Now, I tried to set up cyrus + SASL to use the PAM authentication but alas, PAM only refuses to authenticate the logged in user, because of "authentication failure; (uid=999) -> someuser for imap service". At first I thought the problem lies somewhere in a way which the chrooted PAM libraries look for the user's authentication data, but other PAMified services, like POP3 server, work flawlessly - as long as they run initially as root. When cyrus is configured (by setting the SUID bit) to run as root, it refuses to start because "cyrus cannot run as root" - which is a good security measure unless it prevents the daemon from working...

Now, I don't know what to lay the blame on - is it Cyrus or is it PAM that needs fixing? Either way, I decided to drop PAM and started to test other authentication possibilities using SASL - sasldb (didn't work - despite the existence of the sasldb database file the library refused to authenticate the user), then pwcheck daemon (it didn't compile at all - seems the source is unmaintained. I had to edit the sources of both Makefiles and the program itself to make it compile and link. Nevertheless, the effort was futile - the pwcheck-based authentication also doesn't work).

I decided to give up and look at some other imapd server - namely Courier which compiles without problems, and seems to run ok (testing it right now) - not to mention it's GPL-ed.

Ah, another note about imapd servers - the UW imapd refused to run in a chroot jail as well...

> We run Cyrus 1.6.13 with sasl-5.1.0, libpam-0.69 and

My versions are, respectively, 1.6.19, 1.5.11, 0.71

> shadow-password. The only problem seems to be 'feedcyrus',
> which we cannot get to cooperate. Everything else works
> fine. Actually we didn't have to tweak anything.

I can get cyrus as far as it comes to authentication... Which is not very useful...

> This is on a potato-machine.

As well

marek