I've read various posts that deal with the [by design] inability of exim to
check shadow password files. There were several interesting ways of
overcoming this problem such as making a mail-readable copy of /etc/shadow
etc.
I am planning for a completely different approach:
- Have a daemon listening at 127.0.0.1:<your_favourite_port_here>. That
daemon runs as root, for reasons explained below.
- Have a client program that sends userid/password pairs towards above
daemon. This could be a base64-encoded string or some challenge/response
method.
- Daemon checks the uid/pw pair and responds with 'OK' or 'ERR' (with the
mandatory 2 seconds sleep when ERR). It is up to the daemon how the check
is done - getpwnam, getspnam, do_some_ldap_lookup,
select_pw_from_pwtable_where_user_=_<foo>, ..., you get the idea.
- Client then proceeds depending on answer.
Now what do we gain?
- I have one single service handling authentication requests.
- clients have to contact one single service with always the same syntax.
- client does not have to be root
- client does not need to know how an uid/pw is authenticated.
This, of course, applies not only to exim, but a number of other daemons
such as a proxy, a pop3 server, some web servers, ...
I have a crude working model using inetd, tcpd, nc(netcat) and shadow
running.
If anyone's interested in investi(gati)ng further, drop me a note to bhoc
at pentagroup dot ch.
