On Thu, Apr 17, 2003 at 04:40:00PM +0100, Shri Shrikumar wrote:
| On Thu, 2003-04-17 at 14:55, Derrick 'dman' Hudson wrote:
| > On Wed, Apr 16, 2003 at 09:21:59PM +0100, Shri Shrikumar wrote:
| > | Hi,
| > |
| > | I am trying to get exim authenticate users before relaying and would
| > | like to use PAM.
| >
| > Do you use shadow passwords?
|
| Yes.
|
| > Are you trying to use pam_unix.so (specified in /etc/pam.d/exim)?
|
| I copied the imap over (courier-imap which works fine)
|
| >
| > | Can anyone who has done this before shed some light on this.
| >
| > Only root can read the password hash stored in /etc/shadow. exim
| > can't. (exim performs the check as EXIM_USER, often named "mail")
|
| > You have a few options depending on your goals :
| > 1) allow the user 'mail' to read /etc/shadow
|
| How risky is this ?
How much do you trust the 'mail' account? If an exploit is found in
exim, then a cracker could use that to steal the passwords. If you
run something else (say an imap daemon or somesuch) as 'mail' then any
exploits in it are a risk as well. If you run any filters (such as
procmail) as user 'mail', then anything it does or runs has a
potential risk. The reason for shadow passwords in the first place is
to prevent everything except root from accessing the password.
| Also, what would be the best way to do this ?
# chown mail /etc/shadow
or
# chgrp mail /etc/shadow ; chmod g+r /etc/shadow
I'm not sure the second one won't cause other problems.
Adding the user 'mail' to the 'shadow' group doesn't work because exim
doesn't pick up secondary groups.
| > 2) maintain a copy which user 'mail' can read
|
| Yeah, but this would kind of defeat the purpose since I wanted a
| centralised place for usernames and passwords so I won't have to change
| things all over the place each time a user is added / deleted.
NIS and LDAP are two ways of managing central user info. (of the two
I'd choose LDAP since it is current and NIS is aging)
| > 3) use a different pam method for authentication
|
| This is what I do now. I just copied the shadow file, removed all the
| irrelevant entries like root and used the standard authentication method
| that came with exim.
|
| Thanks for your response dman,
You're welcome.
-D
--
A Microsoft Certified System Engineer is to information technology as a
McDonalds Certified Food Specialist is to the culinary arts.
Michael Bacarella commenting on the limited value of certification.
http://dman.ddts.net/~dman/
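Added example, not part of dman's reply or Shri's question: the three permission options above (chown to mail, chgrp to mail plus g+r, or putting mail in the shadow group) differ in which processes end up able to read the file, and the "secondary groups" point depends on whether the daemon ever called initgroups(). The Unix read check is a pure function of the file's mode/owner/group and the process's uid/gid/supplementary groups, so it is modelled here in Python rather than typed against a live /etc/shadow. The numeric ids (shadow gid 42, mail uid/gid 8) are assumed Debian values; from_path() is an added helper for checking a real file on your own box.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class FileOwner:
    mode: int  # permission bits only, e.g. 0o640
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int  # primary group
    # Supplementary groups. Empty models a daemon that dropped to its
    # run-as user without calling initgroups(), which is the situation the
    # thread describes for exim.
    groups: FrozenSet[int] = frozenset()


def can_read(f: FileOwner, p: Process) -> bool:
    """Discretionary read check in the kernel's order: owner class, else
    group class, else other. Matching the owner class is final even if the
    group bits would have allowed access."""
    if p.uid == 0:
        return True  # root bypasses DAC entirely
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if p.gid == f.gid or f.gid in p.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def from_path(path: str) -> FileOwner:
    """Build a FileOwner from a real file, e.g. from_path('/etc/shadow')."""
    st = os.stat(path)
    return FileOwner(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Assumed Debian ids: root=0, group shadow=42, user/group mail=8.
ROOT, SHADOW_GID, MAIL_UID, MAIL_GID = 0, 42, 8, 8


def scenarios() -> Dict[str, bool]:
    """Who can read the password hashes under each option from the thread."""
    default = FileOwner(0o640, ROOT, SHADOW_GID)          # stock root:shadow 0640
    chowned = FileOwner(0o640, MAIL_UID, SHADOW_GID)      # chown mail /etc/shadow
    chgrped = FileOwner(0o640, ROOT, MAIL_GID)            # chgrp mail; chmod g+r

    exim = Process(MAIL_UID, MAIL_GID)                    # exim as 'mail', no initgroups()
    exim_initgroups = Process(MAIL_UID, MAIL_GID, frozenset({SHADOW_GID}))
    # Some other unprivileged helper that relied on being in group 'shadow'.
    shadow_member = Process(1000, 1000, frozenset({SHADOW_GID}))

    return {
        "default: exim": can_read(default, exim),
        "default: shadow-group member": can_read(default, shadow_member),
        "chown mail: exim": can_read(chowned, exim),
        "chgrp mail + g+r: exim": can_read(chgrped, exim),
        "chgrp mail + g+r: shadow-group member": can_read(chgrped, shadow_member),
        "mail in group shadow, no initgroups: exim": can_read(default, exim),
        "mail in group shadow, with initgroups: exim": can_read(default, exim_initgroups),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:45s} {'readable' if ok else 'denied'}")
```

The two results worth noticing: chgrp replaces the file's group, so anything that previously got in through group 'shadow' is locked out (the "other problems" dman is unsure about), and adding mail to the shadow group in /etc/group changes nothing for a process that never loaded its supplementary groups.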