
Re: exim with login authentication using pam



On Thu, Apr 17, 2003 at 04:40:00PM +0100, Shri Shrikumar wrote:
| On Thu, 2003-04-17 at 14:55, Derrick 'dman' Hudson wrote:
| > On Wed, Apr 16, 2003 at 09:21:59PM +0100, Shri Shrikumar wrote:
| > | Hi,
| > | 
| > | I am trying to get exim authenticate users before relaying and would
| > | like to use PAM.
| > 
| > Do you use shadow passwords?
| 
| Yes.
| 
| > Are you trying to use pam_unix.so (specified in /etc/pam.d/exim)?
| 
| I copied the imap over (courier-imap which works fine)
| 
| > 
| > | Can anyone who has done this before shed some light on this.
| > 
| > Only root can read the password hash stored in /etc/shadow.  exim
| > can't.  (exim performs the check as EXIM_USER, often named "mail")
| 
| > You have a few options depending on your goals :
| >     1)  allow the user 'mail' to read /etc/shadow
| 
| How risky is this ?

How much do you trust the 'mail' account?  If an exploit is found in
exim, then a cracker could use that to steal the passwords.  If you
run something else (say an imap daemon or somesuch) as 'mail' then any
exploits in it are a risk as well.  If you run any filters (such as
procmail) as user 'mail', then anything it does or runs has a
potential risk.  The reason for shadow passwords in the first place is
to prevent everything except root from accessing the password.

| Also, what would be the best way to do this ?

# chown mail /etc/shadow
    or
# chgrp mail /etc/shadow ; chmod g+r /etc/shadow

I'm not sure the second one won't cause other problems.  

Adding the user 'mail' to the 'shadow' group doesn't work because exim
doesn't pick up secondary groups.

| >     2)  maintain a copy which user 'mail' can read
| 
| Yeah, but this would kind of defeat the purpose since I wanted a
| centralised place for usernames and passwords so I wont have to change
| things all over the place each time a user is added / deleted.

NIS and LDAP are two ways of managing central user info.  (of the two
I'd choose LDAP since it is current and NIS is aging)

| >     3)  use a different pam method for authentication
| 
| This is what I do now. I just copied the shadow file, removed all the
| irrelevant entries like root and used the standard authentication method
| that came with exim.
| 
| Thanks for your response dman,

You're welcome.

-D

-- 
A Microsoft Certified System Engineer is to information technology as a
McDonalds Certified Food Specialist is to the culinary arts.
        Michael Bacarella commenting on the limited value of certification.
 
http://dman.ddts.net/~dman/

Attachment: pgpxjYOgstPZQ.pgp
Description: PGP signature

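The permission question above (can the account exim runs as read /etc/shadow, and why putting 'mail' into the 'shadow' group does not help) can be checked mechanically. The script below is an added example and is not part of dman's mail or of exim itself; it applies the rule the mail states, that only the daemon's uid and its primary gid count, to the three layouts discussed: the stock layout with root:shadow 640, 'chown mail', and 'chgrp mail; chmod g+r'. The account name 'mail' and the modes are assumptions for illustration, and the sample layouts are constructed rather than read from a real system; the '--live' branch reads the real file with GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original mail. Decides whether a daemon
# account can read /etc/shadow under the rule the mail states: exim runs
# as EXIM_USER and only its uid and *primary* gid count, so secondary
# group membership (adding 'mail' to group 'shadow') grants nothing.
# The account name 'mail' and the modes below are assumptions.

# shadow_access_path MODE OWNER GROUP USER PRIMARY_GROUP
#   MODE: octal mode as printed by `stat -c %a` (3 or 4 digits).
#   Prints which permission bit lets USER read the file:
#   root, owner, group, other, or none.
shadow_access_path() {
    mode=$1 owner=$2 group=$3 user=$4 pgroup=$5
    mode=${mode#"${mode%???}"}      # keep only the last three octal digits
    u=${mode%??}                    # owner digit
    rest=${mode#?}
    g=${rest%?}                     # group digit
    o=${rest#?}                     # other digit
    if [ "$user" = root ]; then
        echo root                   # root bypasses the permission bits
    elif [ "$owner" = "$user" ] && [ $((u & 4)) -ne 0 ]; then
        echo owner
    elif [ "$group" = "$pgroup" ] && [ $((g & 4)) -ne 0 ]; then
        echo group                  # only the PRIMARY group is consulted
    elif [ $((o & 4)) -ne 0 ]; then
        echo other
    else
        echo none
    fi
}

# can_read_shadow MODE OWNER GROUP USER PRIMARY_GROUP: exit 0 if readable.
can_read_shadow() {
    [ "$(shadow_access_path "$@")" != none ]
}

# The three layouts from the thread (constructed, not read from a host).
# Putting 'mail' into group 'shadow' leaves the stock layout unchanged
# from exim's point of view, so that case still comes out as 'none'.
demo() {
    for layout in \
        "640 root shadow mail mail   stock,mail-in-shadow-as-secondary" \
        "600 mail root   mail mail   chown-mail" \
        "640 root mail   mail mail   chgrp-mail;chmod-g+r"; do
        set -- $layout
        printf '%-36s %s\n' "$6" "$(shadow_access_path "$1" "$2" "$3" "$4" "$5")"
    done
}

# Live check of this host (GNU stat, Linux):  sh shadow_check.sh --live mail
if [ "${1:-}" = --live ]; then
    daemon=${2:-mail}
    set -- $(stat -c '%a %U %G' /etc/shadow)
    shadow_access_path "$1" "$2" "$3" "$daemon" "$(id -gn "$daemon")"
else
    demo
fi
```

Any answer other than 'none' for the exim user means an exim compromise reads every hash on the box, which is the trade-off dman describes; the 'chgrp mail' variant also lets anything else running with primary group 'mail' read the file, which is the "other problems" he is unsure about.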
