Re: [Exim] Exim and PAM, again

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [Exim] Exim and PAM, again
On 2000-09-13 at 15:56 +0100, Nigel Metheringham gifted us with:
> Phil.Pennock@??? said:
> > Depends - are you trying to get Exim to authenticate using the account
> > system password? If so, doesn't unauthenticated use, if tried,
> > immediately compromise the account if you allow normal logins with
> > passwords (eg, via SSH)?
>
> You need to run that one past me again :-)


Ah, I've just slowed down enough to understand why. I was extremely
unclear, sorry. (I'm on callout duty, and there's the RIPE conference
stealing most of our NOC atm; oh what _fun_ ...)

If user fred is not technically clued, and configures their POP3 client
to try unauthenticated login (USER/PASS), then the password is
compromised. If this is the same password as is used for system logins
(if allowed to the box) then you have problems. Unless you already
allow non-kerberos Telnet access, in which case you get what you
deserve.

So, is it not a reasonably good idea to separate out the POP3 passwords
from the system passwords, by _not_ using /etc/shadow? So, if you use
pam_pwdfile, which claims to do the necessary juju, you can have a
private POP3 password file, mode 600 exim/exim (or whatever). You need
a tool to allow a user to change their password; if the distribution
doesn't include one (too many anon FTP users at present for me to check)
then you can knock up a CGI-script or something.

> Basically PAM is a reasonably complex and flexible beast... you can do
> almost any form of authentication including RADIUS and potentially


Yeah, I looked at installing it back when I ran Linux; I liked it, but I
moved to OpenBSD so it became a moot point. :^)

>                                  Configuring PAM is a fairly complex 
> operation - most people (including myself for the most part) just use 
> predefined templates that come with packages.


That I didn't know. Hrm.
--
A science is said to be useful if its development tends to accentuate the
existing inequalities in the distribution of wealth, or more directly promotes
the destruction of human life - Godfrey Hardy, A Mathematician's Apology, 1941
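
The message above suggests keeping POP3 passwords in a private file, mode 600 and owned by the mail user, instead of /etc/shadow. The following audit of such a file is an added example, not part of the original message and not code from Exim or pam_pwdfile; the `user:hash` line layout, the file name `pop3.passwd` and the function names are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_pwdfile(path, owner_uid):
    """Return findings for a user:hash password file (empty list = clean)."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit exposes the hashes to other local users
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if st.st_uid != owner_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            user, sep, rest = line.partition(":")
            pwhash = rest.split(":", 1)[0]
            if not sep or not user:
                findings.append(f"line {n}: not in user:hash form")
            elif not pwhash:  # an empty field may let the user in with no password
                findings.append(f"line {n}: empty password field for {user}")
            if user in seen:  # duplicates make it unclear which hash is checked
                findings.append(f"line {n}: duplicate entry for {user}")
            seen.add(user)
    return findings

def demo():
    # Constructed sample: placeholder strings stand in for real password hashes.
    sample = "fred:HASH_PLACEHOLDER_1\nalice:\nfred:HASH_PLACEHOLDER_2\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pop3.passwd")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit_pwdfile(path, os.getuid())
        os.chmod(path, 0o600)
        tight = audit_pwdfile(path, os.getuid())
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

In production the `owner_uid` argument would be the uid of the account the POP3/SMTP daemon authenticates as, for example the result of `pwd.getpwnam("exim").pw_uid`.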