Re: [Exim] SMTP Auth against /etc/master.passwd on FreeBSD

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Kirill Miazine
Dátum:  
Címzett: exim-users
Tárgy: Re: [Exim] SMTP Auth against /etc/master.passwd on FreeBSD
Jez Hancock wrote:
> Hi all,
>
> This is a summary of one solution to the subject problem which was put
> forward by Kirill Miazine and hacked at to do MD5 authentication
> against the system password file /etc/master.passwd on FreeBSD by.
>
> The following perl code uses the Net::Server module to fork a
> specified number of server processes (similar in manner to the
> mechanism employed by apache webserver), each process listening for
> incoming authentication traffic on a unix domain socket.
>
> Upon receiving an authentication request on a listening socket, the
> server does some minimal data validation checking on the submitted
> user/password pair.
>
> The server then retrieves the pwd hash from /etc/master.passwd based
> on the 'username' key submitted and then hashes the submitted
> 'password' string using the salt obtained from the pwd hash. If the
> resulting hash matches the pwd hash, the user is authenticated.
>
> The script has to be suid root with suidperl unfortunately since it
> has to read /etc/master.passwd. However this entails that the domain


This is not true. You just start that script as root and it will have
the neccessary permissions.

> sockets created by the server are not readable by the exim user
> (unless you like running exim as root:) It's conceivable to have the


This is not true either ;). Just say umask(0000) before you say
__PACKAGE__->run() the socket file is created and the socket will be
created in such way that everybody will be able to speak to it.

> server not suid and instead have it call a suid root helper that makes
> the lookup on the db, but to be honest I'm happy now I've got pwcheck


Huh?

> back and won't go to the effort.
>
> The code is here anyway in case anyone in future is interested:


I've some comments, please read on.

> -----------------------------------------------------------------------------
> #!/usr/bin/perl
>
> package EximAuth;
>
> use strict;
> use vars qw(@ISA);
> use Crypt::PasswdMD5;
> use Net::Server::PreFork;
> @ISA = qw(Net::Server::PreFork);
>
> sub process_request {
>     my $self = shift;
>     my $sock = $self->{'server'}->{'client'};
>     chomp(my $username = $sock->getline());
>     chomp(my $password = $sock->getline());

>
>     # some minimal data validation:
>     !$username ||
>     !$password ||
>     length($username) >16 ||
>     length($password) >255 ||
>     $username=~/[^0-9A-Za-z]/ ||
>     $password=~/[^0-9A-Za-z]/ &&


Weak passwords, weak passwords... I like to use some funny characters in
passwords myself...

>     $sock->print("no");

    ^^^^^^^^^^^^^^^^^^


The above line really should be

    return $sock->print("no");


To be honest, your data validation routine sucks a lot. Sorry, but it
does that. It does not do what you think it does. "no" will be output if
and only if $password =~ /[^0-9A-Za-z]/. Please read "man perop" - that
will help. Hint: you'll see how much better your "validator" works if
you replace "&&" with "and".

>     # get the line from the pwd db based on $username:
>     my (undef,$sys_password) = getpwnam($username);

>
>     # get the salt:
>     my ($salt) = $sys_password =~ /\$.*\$(.*)\$/;

>
>     # get our hash:
>     my $hash=unix_md5_crypt($password, $salt);

>
>     $sock->print($hash eq $sys_password ? 'yes' : 'no');
>     # for debug output:
>     # $sock->print("username: $username submitted password: "
>     #    ."$password salt: $salt myhash: $hash syshash: $sys_password\n");
> }

>
> __PACKAGE__->run(
>     proto => 'unix',
>     port => '/var/spool/exim/auth/auth.sock',
>     min_servers => 5,
>     min_spare_servers => 5,
>     max_spare_servers => 10,
>     max_servers => 15,
>     max_requests => 1000,
>     log_level => 4,


You don't need such a high log_level. Set it to 0.

> );


--
Kirill Miazine, Stud. Jur.
Faculty of Law, University of Oslo