On Thu, Apr 17, 2003 at 04:40:00PM +0100, Shri Shrikumar wrote:
| On Thu, 2003-04-17 at 14:55, Derrick 'dman' Hudson wrote:
| > On Wed, Apr 16, 2003 at 09:21:59PM +0100, Shri Shrikumar wrote:
| > | Hi,
| > |
| > | I am trying to get exim to authenticate users before relaying and would
| > | like to use PAM.
| >
| > Do you use shadow passwords?
|
| Yes.
|
| > Are you trying to use pam_unix.so (specified in /etc/pam.d/exim)?
|
| I copied the imap over (courier-imap which works fine)
|
| >
| > | Can anyone who has done this before shed some light on this.
| >
| > Only root can read the password hash stored in /etc/shadow.  exim
| > can't.  (exim performs the check as EXIM_USER, often named "mail")
|
| > You have a few options depending on your goals :
| > 1)  allow the user 'mail' to read /etc/shadow
|
| How risky is this ?

How much do you trust the 'mail' account?  If an exploit is found in
exim, then a cracker could use that to steal the passwords.  If you run
something else (say an imap daemon or somesuch) as 'mail' then any
exploits in it are a risk as well.  If you run any filters (such as
procmail) as user 'mail', then anything it does or runs has a potential
risk.  The reason for shadow passwords in the first place is to prevent
everything except root from accessing the password.

| Also, what would be the best way to do this ?

    # chown mail /etc/shadow
or
    # chgrp mail /etc/shadow ; chmod g+r /etc/shadow

I'm not sure the second one won't cause other problems.  Adding the user
'mail' to the 'shadow' group doesn't work because exim doesn't pick up
secondary groups.

| > 2)  maintain a copy which user 'mail' can read
|
| Yeah, but this would kind of defeat the purpose since I wanted a
| centralised place for usernames and passwords so I won't have to change
| things all over the place each time a user is added / deleted.

NIS and LDAP are two ways of managing central user info.
(of the two I'd choose LDAP since it is current and NIS is aging)

| > 3)  use a different pam method for authentication
|
| This is what I do now.  I just copied the shadow file, removed all the
| irrelevant entries like root and used the standard authentication method
| that came with exim.
|
| Thanks for your response dman,

You're welcome.

-D

--
A Microsoft Certified System Engineer is to information technology as a
McDonalds Certified Food Specialist is to the culinary arts.
    Michael Bacarella commenting on the limited value of certification.

http://dman.ddts.net/~dman/
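As an added example that is not part of the original thread (and not exim's or Debian's own tooling): a small POSIX shell script that produces the reduced copy of /etc/shadow described under option 2 above, so that root and system-account hashes never become readable by the mail user even if exim is compromised. It assumes exim runs as the user 'mail' (the thread's EXIM_USER), that ordinary accounts have UIDs of 1000 and above, and that entries whose hash starts with '!' or '*' are locked; the passwd and shadow data in the demo are constructed for this example, not taken from a real system.

```sh
#!/bin/sh
# Added example, not from the original thread.  Builds a filtered copy of
# /etc/shadow containing only ordinary user accounts, readable by the
# (assumed) exim user "mail".  Sample passwd/shadow data below is constructed.

MIN_UID=${MIN_UID:-1000}   # assumption: ordinary users start at UID 1000

# filter_shadow PASSWD SHADOW
# Prints the shadow lines for accounts that have UID >= MIN_UID in PASSWD
# (excluding "nobody", 65534) and whose hash field is non-empty and not
# locked with a leading "!" or "*".  root and system accounts are dropped.
filter_shadow() {
    awk -F: -v min="$MIN_UID" '
        # first file (passwd): remember accounts with an ordinary UID
        NR == FNR { if ($3 + 0 >= min && $3 + 0 != 65534) ok[$1] = 1; next }
        # second file (shadow): emit allowed users that have a usable hash
        ($1 in ok) && $2 != "" && $2 !~ /^[!*]/ { print }
    ' "$1" "$2"
}

# install_shadow_copy PASSWD SHADOW DEST GROUP
# Writes the filtered copy with a private umask, sets mode 0640 and group
# GROUP, then renames it into place so readers never see a partial file.
install_shadow_copy() {
    dest=$3
    group=$4
    tmp="$dest.tmp.$$"
    ( umask 077; filter_shadow "$1" "$2" > "$tmp" )
    chmod 0640 "$tmp"
    # chgrp needs root and an existing group; tolerate failure when testing
    chgrp "$group" "$tmp" 2>/dev/null || true
    mv -f "$tmp" "$dest"
}

# demo: runs the filter over constructed sample data and prints the
# user names that survive, comma separated.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    # constructed hashes; bob is locked with a leading "!"
    cat > "$dir/shadow" <<'EOF'
root:$1$rootsaltX$deadbeefdeadbeefdeadbe:12150:0:99999:7:::
daemon:*:12150:0:99999:7:::
mail:*:12150:0:99999:7:::
alice:$1$aliceslt$abcdefabcdefabcdefabcd:12150:0:99999:7:::
bob:!$1$bobsaltX$abcdefabcdefabcdefabcd:12150:0:99999:7:::
carol:$1$carolslt$0123456789abcdef012345:12150:0:99999:7:::
nobody:*:12150:0:99999:7:::
EOF
    install_shadow_copy "$dir/passwd" "$dir/shadow" "$dir/shadow.exim" mail
    cut -d: -f1 "$dir/shadow.exim" | paste -sd ',' -
    rm -rf "$dir"
}

demo
```

On a real host this would be run as root (e.g. from cron, or from a hook after useradd/userdel) with /etc/passwd and /etc/shadow as inputs and a destination such as /etc/exim/shadow, and exim's authenticator pointed at the copy.  The caveat from the reply still applies to the copy: whatever runs as 'mail' can read every hash in it.  What changes is the blast radius, since root's hash and the system accounts are never exposed.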