
Re: Secure Relaying -- a start



On Mon, Feb 03, 2003 at 03:09:22AM +0100, Hendrik Sattler wrote:
> will trillich wrote:
> 
> > now if you get PAM to cooperate, let me know.
> > 
> >         plain:
> >                 driver = plaintext
> >                 public_name = BASIC
> >                 # $3 =~ s/:/::/g
> >                 # if pam($2:$3) {yes} else {no}
> >                 server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
> >                 server_set_id = $2
> > 
> > when i do the interactive tests, it works like a champ; when i
> > try it from a remote client, nothing doing. still working on
> > it...
> 
> For PAM, either run exim daemon as root or search at google for "pam_exim".

looks like andreas added a 'forbid when user <= someval' which
gives it more opportunities to fail. i'm looking to get it to
succeed first, *then* i'll pull back the reins a bit.

:)

> BTW: For plain auth it should be "public_name = PLAIN".

aha. maybe this is significant... <testing, testing...>
well it may be significant, but not for my problem.

	pam:
		driver = plaintext
		public_name = PLAIN
		server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
		server_set_id = $2

	login:
	   driver = plaintext
	   public_name = LOGIN
	   server_prompts = "Username:: : Password::"
	   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
	   server_set_id = $2

with "exim -bh 192.168.1.2" this fails:

	auth plain [base64data]
	535 Incorrect authentication data

and this doesn't:

	auth login [same-exact-base64data,same session]
	235 Authentication succeeded

the $1, $2, $3 all are correct, but the expansion (something,
anyhow) never works with pam.

i'll stick with the crypteq for now. (it dislikes me less.)

===

i'm not sure i've got the patience left to apply to TLS or SSL or
tld or asap or fyi or pdq or whatever the hell we're calling it
this month. i fear that if pam outfoxes me, then tls is sure to
unwind my scalp down to the medulla oblongata.

	X <= here's me                   here's encouraging => X

pooh.

maybe later, after i unravel apache-perl vs mod_ssl, and after i
implement a remote backup scheme from scratch, and after i craft
two enterprise database applications from the ground up, and
after i deploy two HTML::Mason websites, all in the
sea-of-microso~1 here in the midwest, i may try securing exim's smtp
stuff again. in august. 2007.

(i know, a day in the life of a sysadmin. but are all sysadmins
in the middle of a technological desert like s.w. indiana?  is
there anybody in the area who'd like to share some info and feel
smart? :)

-- 
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
 
DEBIAN NEWBIE TIP #19 from Dave Sherohman <esper@sherohman.org>
and Will Trillich <will@serensoft.com>
:
How do you determine WHICH NETWORK SERVICES ARE OPEN (active)?
Try "netstat -a | grep LISTEN". To see numeric values (instead
of the common names for services using a particular port) then
try "netstat -na" instead. For more info, look at "man netstat".
   Also try "lsof -i" as root. "man lsof" for details.

Also see http://newbieDoc.sourceForge.net/ ...
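An added helper for the "exim -bh" tests above (this is not code from the original post or from Exim; the credentials in it are made up for illustration): it builds the base64 strings that AUTH PLAIN and AUTH LOGIN expect, decodes a PLAIN response back into its three fields, and shows what the `${sg{$3}{:}{::}}` expansion does to a password that itself contains a colon, which is the case the pam condition has to survive.

```python
import base64

# Constructed test credentials (not from the original post). The password
# deliberately contains a colon so the pam argument escaping is exercised.
USER = "will"
PASSWORD = "s3cr:et"


def plain_initial_response(user, password, authzid=""):
    """Build the base64 initial response for AUTH PLAIN (RFC 4616):
    authzid NUL authcid NUL password. Exim's plaintext authenticator
    splits this on NUL into $1 (authzid), $2 (user) and $3 (password)."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Reverse of plain_initial_response; returns (authzid, authcid, password).
    Raises ValueError if the message does not carry exactly three fields,
    which is what a server should do with malformed client data."""
    parts = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL bytes")
    return tuple(parts)


def login_responses(user, password):
    """AUTH LOGIN sends the username and the password as two separate
    base64 responses to the server's "Username:" and "Password:" prompts."""
    def enc(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return enc(user), enc(password)


def pam_argument(user, password):
    """Mirror the expansion ${if pam{$2:${sg{$3}{:}{::}}}...}: the pam
    condition takes one colon-separated string, so every colon inside the
    password is doubled to keep it from being read as a field separator."""
    return f"{user}:{password.replace(':', '::')}"


def exim_bh_script(user, password):
    """Lines to paste into an `exim -bh <ip>` session after EHLO: one
    AUTH PLAIN with an initial response, then AUTH LOGIN answered in two
    steps. The server is expected to reply 235 to each on success."""
    login_user, login_pass = login_responses(user, password)
    return [
        f"AUTH PLAIN {plain_initial_response(user, password)}",
        "AUTH LOGIN",
        login_user,
        login_pass,
    ]


if __name__ == "__main__":
    print("\n".join(exim_bh_script(USER, PASSWORD)))
    print("pam argument:", pam_argument(USER, PASSWORD))
```

The same PLAIN blob cannot be pasted as the initial response to AUTH LOGIN and mean the same thing: LOGIN expects two separate base64 answers, so the script emits them as separate lines. If the pam test keeps failing while crypteq passes with identical input, compare the decoded $2/$3 against the `pam_argument` string, since a stray colon or NUL in either field is the usual reason the two conditions diverge.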
