
Re: Exim authentication



* Mike Mimic (ppagee@yahoo.com) [020621 02:18]:
> I have used:
> 
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = "${if pam{$2:$3}{1}{0}}"
>   server_set_id = $2

my plain authenticator looks identical to the above, but my login is
different from the one below.

> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = "${if pam{$2:$3}{1}{0}}"
>   server_set_id = $2

Mine looks like this:

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:::Password::"
  server_condition = ${if pam {$1:${sg{$2}{:}{::}}}{yes}{no}}
  server_set_id = $1

The sg bit is to double any colons in the password string (s/:/::/g).
That's just a quoting thing. The main difference I see is that you're
calling to pam with $2 and $3, where I'm using $1 and $2 (and
server_set_id = $1).


> as is written in Exim specifications. And I use
> MIME encoded '\0user\0password' (\0 are NULL).
> 
> Is this correct? Will mail clients use such line
> too?

Unfortunately, we can't count on client mailers to go by "the standard"
in this case, especially when the client uses MS mailers. Your best bet
for testing is to test with the mailers your clients will be using.

I believe you're on the right track for testing, though; you just need
to base64 encode "\0user\0password". Trying it with exim -d9 will let
you know if exim is interpreting the username and password as you expect
it should be.

> > 2) Is linux a system that requires root access to
> > use PAM?
> 
> As Vineet Kumar said it is.

Well, actually I said just the opposite: it can be done on linux without
running as root, but I think you understood that to be what I meant,
just said it wrong.

> So what is wrong? As I see exim uses correct strings
> for username and password and use PAM which returns
> that password isn't correct.

Still not sure exactly what's going wrong. Here's my pam.d/exim:

# PAM configuration file for exim smtp auth

auth       required     /lib/security/pam_pwdfile.so pwdfile /etc/imap.passwd
account    required     /lib/security/pam_permit.so

That authenticates against a username:crypted_password file instead of
the regular unix authentication. This enables my imap users to relay
through the machine (and they don't have shell accounts).

I don't think you should need a session group in your pam file for smtp
auth, and I just use pam_permit for account since I manage the password
file manually. (Otherwise you could use pam_unix for auth and something
else for account to control whether the user should be allowed to use
exim for smtp auth).

I hope that helps. If not, I can post more details about why it's set up
the way it is -- just ask.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"[T]he ad skips.... It's theft....  Any time you skip a commercial...
you're actually stealing the programming." - Turner CEO Jamie Kellner
Is fair use dead?   Help the EFF help you!   http://www.eff.org/
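The PLAIN and LOGIN exchanges discussed in the thread, as an added example that is not part of the original messages or of Exim's own code. It builds the base64 strings a mail client sends, decodes them into the $1/$2/$3 variables the way Exim's plaintext driver assigns them (PLAIN: authorization id, username, password; LOGIN: one variable per prompt answer), and applies the colon doubling that the sg expansion performs before the pam condition splits its colon-separated argument. The credentials, function names and the list splitter are constructed for the example; nothing here is taken from a running Exim.

```python
import base64

# Constructed sample credentials (not from the thread). The password carries a
# colon on purpose so the ${sg{...}{:}{::}} quoting has something to do.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cr:et"


def plain_initial_response(user, password, authzid=""):
    """Base64 PLAIN message a client sends: authzid NUL authcid NUL password.

    With an empty authzid this is the "\\0user\\0password" string from the thread.
    """
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def exim_plain_vars(b64):
    """Decode a PLAIN response into the $1, $2, $3 Exim's plaintext driver sets.

    $1 is the (usually empty) authorization id, $2 the username, $3 the
    password, which is why the thread's PLAIN condition calls pam{$2:$3}.
    """
    fields = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    return {"$1": fields[0], "$2": fields[1], "$3": fields[2]}


def login_responses(user, password):
    """LOGIN: the client answers each server prompt with one base64 value."""
    return [
        base64.b64encode(user.encode("utf-8")).decode("ascii"),
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
    ]


def exim_login_vars(responses):
    """Two prompts give $1 (username) and $2 (password), matching pam{$1:...}."""
    decoded = [base64.b64decode(r).decode("utf-8") for r in responses]
    return {f"${i + 1}": value for i, value in enumerate(decoded)}


def exim_sg_double_colons(s):
    """Mirror ${sg{s}{:}{::}}: double every colon (s/:/::/g)."""
    return s.replace(":", "::")


def pam_condition_arg(user, password):
    """The string handed to ${if pam{...}}: user:password, password colons doubled."""
    return f"{user}:{exim_sg_double_colons(password)}"


def split_exim_colon_list(s):
    """Split an Exim colon-separated list; a doubled colon is a literal colon.

    This is what the pam condition sees after expansion: the first item is the
    username, the second the password with its original colons restored.
    """
    items, current, i = [], [], 0
    while i < len(s):
        if s[i] == ":" and i + 1 < len(s) and s[i + 1] == ":":
            current.append(":")      # "::" -> literal ":"
            i += 2
        elif s[i] == ":":
            items.append("".join(current))   # single ":" ends an item
            current = []
            i += 1
        else:
            current.append(s[i])
            i += 1
    items.append("".join(current))
    return items


if __name__ == "__main__":
    b64 = plain_initial_response(SAMPLE_USER, SAMPLE_PASSWORD)
    print("PLAIN client sends:", b64)
    print("Exim sees:", exim_plain_vars(b64))
    print("LOGIN client sends:", login_responses(SAMPLE_USER, SAMPLE_PASSWORD))
    arg = pam_condition_arg(SAMPLE_USER, SAMPLE_PASSWORD)
    print("pam argument after sg:", arg, "->", split_exim_colon_list(arg))
```

Without the sg step, a password containing a colon would be split into extra list items and PAM would be asked to check the wrong string, which is one way a correct-looking username and password can still come back as "password isn't correct"; comparing the decoded $ variables with what `exim -d9` reports is the quickest way to see which stage disagrees.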