[Exim] AUTH_LOOPBACK, anyone?

Author: bhoc
Date:  
To: exim-users
Subject: [Exim] AUTH_LOOPBACK, anyone?
I've read various posts that deal with the [by design] inability of exim to
check shadow password files. There were several interesting ways of
overcoming this problem, such as making a mail-readable copy of /etc/shadow,
etc.
I am planning for a completely different approach:

- Have a daemon listening at 127.0.0.1:<your_favourite_port_here>. That
daemon runs as root, for reasons explained below.
- Have a client program that sends userid/password pairs to the above
daemon. This could be a base64-encoded string or some challenge/response
method.
- The daemon checks the uid/pw pair and responds with 'OK' or 'ERR' (with the
mandatory 2-second sleep on ERR). It is up to the daemon how the check
is done - getpwnam, getspnam, do_some_ldap_lookup,
select_pw_from_pwtable_where_user_=_<foo>, ..., you get the idea.
- The client then proceeds depending on the answer.

Now what do we gain?
- I have one single service handling authentication requests.
- Clients have to contact one single service, always with the same syntax.
- The client does not have to be root.
- The client does not need to know how a uid/pw is authenticated.

This, of course, applies not only to exim, but a number of other daemons
such as a proxy, a pop3 server, some web servers, ...
I have a crude working model running, using inetd, tcpd, nc (netcat) and
shadow.
If anyone's interested in investi(gati)ng further, drop me a note to bhoc
at pentagroup dot ch.

-- Ben
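The loopback daemon sketched in the post, as an added example that is not Ben's inetd/netcat model: a small Python service on 127.0.0.1 that reads one `AUTH <base64(user\0password)>` line and answers `OK` or `ERR`, sleeping the mandatory 2 seconds on `ERR` (also for malformed requests and unknown users, so timing does not reveal which). The line format, the port 7777 placeholder, and the in-memory PBKDF2 store behind `add_user()`/`check_password()` are assumptions standing in for getspnam/LDAP.

```python
import base64
import hashlib
import hmac
import os
import socketserver
import time

# Constructed in-memory credential store standing in for getspnam()/LDAP:
# user -> (salt, PBKDF2-SHA256 digest). A real daemon swaps out check_password().
_STORE = {}
_DUMMY = (b"\0" * 16, b"\0" * 32)   # used so unknown users cost the same time


def add_user(user, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _STORE[user] = (salt, digest)


def check_password(user, password):
    entry = _STORE.get(user)
    salt, digest = entry if entry else _DUMMY
    # Always derive, then compare in constant time; unknown user still returns False.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return entry is not None and hmac.compare_digest(candidate, digest)


def handle_line(line, delay=2.0):
    """Protocol: one line 'AUTH <base64(user\\0password)>'; reply 'OK' or 'ERR'."""
    try:
        verb, _, blob = line.strip().partition(" ")
        if verb != "AUTH":
            raise ValueError("unknown verb")
        user, password = base64.b64decode(blob, validate=True).decode().split("\0", 1)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        time.sleep(delay)
        return "ERR"
    if check_password(user, password):
        return "OK"
    time.sleep(delay)                           # the mandatory 2-second sleep on ERR
    return "ERR"


class AuthHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline().decode("latin-1")
        self.wfile.write((handle_line(line) + "\n").encode())


if __name__ == "__main__":
    add_user("alice", "correct horse")          # constructed test account
    with socketserver.TCPServer(("127.0.0.1", 7777), AuthHandler) as srv:
        srv.serve_forever()
```

A client only needs to open the loopback port, send the one line, and branch on `OK`/`ERR`, which is the whole interface the post describes.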