A long time ago, in a galaxy far, far away, someone said...
> It seems a pity that PAM authentication is restricted to root.
Only when you want to access system accounts directly. I've had Exim
authenticate off a PostgreSQL database via PAM; Exim required no root
access in that case.
That's why I suggested RADIUS - it'll act as a sort of "middle-man" for
Exim to be able to use system accounts for authentication and still not run
as root.
I've used this with SASL auth under Postfix (which refuses to run as root)
with great success.
> One might have hoped that a supposedly flexible system would have some
> configuration that allowed the sysadmin to list uids that were
> permitted to use it.
PAM can do that - the "account" modules in pam.conf (or in the files under
/etc/pam.d, depending on OS) allow just that, as well as other
limitations (such as time of day or IP number).
> Otherwise you end up running more things as root than you really need
> to.
That's why you need a "simple" middle-man process that a PAM module could
talk to. I happened to choose RADIUS rather than create my own mechanism.
--
----------------------------------------------------------------------
Phil Brutsche pbrutsch@???
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key:
http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
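
The "account" restrictions mentioned in the message above, sketched as an added example that is not part of the original post. It assumes Linux-PAM with the pam_access and pam_time modules, a PAM service named "exim", a group "mailusers" and the documentation network 192.0.2.0/24; all of those names and values are constructed for illustration.

```conf
# --- /etc/pam.d/exim (assumed service name) ---------------------------
# Only the account stack is shown; every line must pass for access.
account   required   pam_access.so
account   required   pam_time.so

# --- /etc/security/access.conf (read by pam_access) -------------------
# Format:  permission : users/groups : origins
# Lines are checked in order and the first match decides.
# Allow members of the (assumed) group "mailusers" from one network...
+ : (mailusers) : 192.0.2.0/24
# ...and deny everyone else from everywhere.
- : ALL : ALL

# --- /etc/security/time.conf (read by pam_time) -----------------------
# Format:  services ; ttys ; users ; times
# For the "exim" service, every user except postmaster is limited to
# weekdays 08:00-18:00; postmaster is not matched by the rule and is
# therefore not time-restricted.
exim ; * ; !postmaster ; Wk0800-1800
```

The origin check in pam_access depends on the calling application setting PAM_RHOST; if it does not, the module has no client address to compare and the network restriction does not behave as written.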