
Re: Fwd: getting postfix + sasl to work



martin f krafft <madduck@debian.org> writes:

> also sprach Rupa Schomaker <rupa-list@rupa.com> [2003.01.27.1652 +0100]:
>> It is nearly impossible to get sasl to work *correctly* in a chroot
>> and even more difficult with PAM.
>
> Which is, I believe, why saslauthd was created - to load the
> authentication off to another software outside the chroot. There is
> absolutely no documentation though.

Got it.  Just reviewed the sasl documentation.  The *only* way to
support CRAM-MD5 or DIGEST-MD5 (encrypted auth) is to use sasldb or
something called "auxprop" -- not sure how they are related.  So, even
if you got saslauthd working (and the documentation is correct), it
will only support traditional (non encrypted) authentication.

Refer to /usr/share/doc/libsasl2/sysadmin.html for details.

>> I just run it outside of its jail...  Also, you cannot use anything
>> but PLAIN auth (plaintext userid/passwd in a base64 string) if you
>> use PAM. Probably not a good idea. If you use sasldb (or sasldb2)
>> then you can use things like CRAM-MD5.
>
> Why not?

All (some? most?) of the "over the wire encrypted" methods that sasl
supports require that the real password be available to the piece of
software that is mediating the authentication (in this case the sasl
libs smtpd links against).

For PAM, even if the password is stored somewhere in the clear, there
is no way to ask pam "what is the password for this user", just "is
this password valid".  So, the only auth methods supported are those
that don't require the auth mechanism to know the real password --
AUTH PLAIN.

Generally PAM will then auth against pam_unix which uses
/etc/shadow.  Those passwords cannot be reversed (since they are
hashes or whatever).  So, even if PAM supported giving the password to
the auth requester it couldn't if you were using normal unix
passwords.

At one point (2yrs ago?) I was using pam_userdb (plain text password
storage) for users that existed on both unix and imap.  PAM worked for
unix logins and I had an auth module for sasl that worked with the db
format for pam_userdb.  I no longer had the source for that (eek,
never put it in my cvs) and when I switched to sasl2 I realized that I
had so few users that would use the functionality (combined unix and
imap authentication database) that writing the code again would be
silly and instead I just have different auth databases for unix login
(me and wife) and imap login (everyone else plus me).

> Is there any way to synchronize the /etc/shadow and /etc/sasldb
> passwords? I am asking because my users finally learnt how to use the
> passwd binary. I can't expect them to know anything else.

Not that I know of.  You can:

1) make passwd a wrapper that uses both passwd and saslpasswd when the
   user changes their password.

2) write a pam module that knows how to update sasldb and add it to
   /etc/pam.d/passwd.

Both of the above mean you have two authentication databases, but
they are kept in sync as long as people use either passwd or programs
that work through PAM (including passwd).

Alternatively, you can do what I described above and:

3) Write a PAM module that stores enough info for both unix logins and
   sasl logins and then write a sasl module to authenticate against
   the new file layout.

-- 
-rupa
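The point Rupa makes above (PLAIN can be checked by a yes/no backend like PAM, while CRAM-MD5 forces the server to hold the real password, which is why sasldb is needed) can be shown directly in code. The following is an added example, not code from the original post or from Cyrus SASL; the user name, password, salt and hostname are constructed sample values. It models a shadow-style store that can only answer "is this password valid?" next to a sasldb-style store that keeps the plaintext secret, and runs both mechanisms against them.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential (not from the original post).
USERNAME = "alice"
PASSWORD = "correct horse"

# sasldb-style store: keeps the plaintext secret, so it can serve CRAM-MD5.
SASLDB_LIKE = {USERNAME: PASSWORD}


def _derive(password: str, salt: bytes) -> bytes:
    # Stand-in for the one-way hash in /etc/shadow (assumption: PBKDF2-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# shadow-style store: keeps only salt + one-way hash, so the password cannot
# be recovered from it; it can only answer "is this candidate valid?".
_SALT = b"constructed-salt"
SHADOW_LIKE = {USERNAME: (_SALT, _derive(PASSWORD, _SALT))}


def pam_like_verify(user: str, candidate: str) -> bool:
    """The only question a PAM-style backend answers: is this password valid?"""
    entry = SHADOW_LIKE.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_derive(candidate, salt), digest)


# --- AUTH PLAIN (RFC 4616): "\0user\0password", base64-encoded on the wire ---
def plain_client_response(user: str, password: str) -> str:
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def plain_server_verify(response_b64: str, verify) -> bool:
    """The server receives the password itself, so a yes/no oracle (PAM) suffices."""
    _authzid, user, password = base64.b64decode(response_b64).decode().split("\0")
    return verify(user, password)


# --- CRAM-MD5 (RFC 2195): server challenge, client answers HMAC-MD5(password, challenge) ---
def cram_md5_challenge(hostname: str = "mail.example.invalid") -> str:
    # Challenge is a msg-id-like string, sent base64-encoded (hostname is constructed).
    return base64.b64encode(f"<{secrets.token_hex(8)}@{hostname}>".encode()).decode()


def cram_md5_client_response(challenge_b64: str, user: str, password: str) -> str:
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_server_verify(challenge_b64: str, response_b64: str, secret_store: dict) -> bool:
    """The server must recompute the HMAC itself, which requires the plaintext secret.

    A shadow-style store cannot do this: the response carries no password to hand
    to a yes/no oracle, and the hash cannot be turned back into the key."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    password = secret_store.get(user)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    """Run both mechanisms against the store that is able to serve each one."""
    plain = plain_client_response(USERNAME, PASSWORD)
    plain_ok = plain_server_verify(plain, pam_like_verify)  # shadow-style store is enough

    challenge = cram_md5_challenge()
    cram = cram_md5_client_response(challenge, USERNAME, PASSWORD)
    cram_ok = cram_md5_server_verify(challenge, cram, SASLDB_LIKE)  # needs plaintext store
    wrong = cram_md5_client_response(challenge, USERNAME, "wrong password")
    cram_wrong_ok = cram_md5_server_verify(challenge, wrong, SASLDB_LIKE)

    return {
        "plain_ok": plain_ok,
        "cram_ok": cram_ok,
        "cram_wrong_rejected": not cram_wrong_ok,
        # What an observer of the wire sees: PLAIN exposes the password, CRAM-MD5 does not.
        "password_visible_in_plain": PASSWORD in base64.b64decode(plain).decode(),
        "password_visible_in_cram": PASSWORD in base64.b64decode(cram).decode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The asymmetry is the whole story of the thread: PLAIN hands the server the password, so any backend that can say yes or no (PAM, /etc/shadow) can check it, at the cost of the password crossing the wire in base64; CRAM-MD5 keeps the password off the wire, but only a store that holds the plaintext (sasldb, or the pam_userdb-style layout Rupa describes) can verify the response. That is also why the two databases in options 1 to 3 above must each hold the secret in the form its consumer needs.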
