On Wed, Oct 22, 2003 at 04:15:56PM +0100, Ron McKeating wrote:
> In the exim docs it suggests that exim cannot do pam authentication
> because it needs to be done by a process running as root. Is this
> because it needs to be root to access /etc/shadow?
No, the whole issue is implementation dependent, for Linux-PAM, the
situation is this: There is a SUID helper program (unix_chkpwd) to get
around non readable /etc/shadow however pam_unix itself checks that
only root can verify the correctness of other user passwords,
applications running under a unpriviledged user-ID (e.g. locked
screensavers) may only verifiy the credential of the user they are
running as.
There is a way around this by using pam_exim, which (afaik) is
basically pam_unix with restriction removed.
> One way round this suggested in the docs is to use pwcheck from the
> Cyrus pwcheck daemon. However when I downloaded it the (sasl) docs say
> PLAIN uses the saslauthd (preferred and now standard), the
> pwcheck daemon (obsolete), or an auxilliary property plugin (for
> example, sasldb).
>
> So if pwcheck is obsolete should I be going down this route.
exim supports saslauthd since 4.21. (see doc/NewStuff)
> It is a redhat 9 box running the latest version of exim with
> exiscan. I really need to make smtp authentication work but seem to
> be stuck at every turn.
If it is just local users, the easiest possibility is using something
like this cronjob (one long line)
*/15 * * * * if [ /etc/shadow -nt /etc/exim/passwd ] ; then grep -v ^root
/etc/shadow > /etc/exim/passwd ; chmod 0600 /etc/exim/passwd ; chown
exim:exim /etc/exim/passwd ; fi
and use regular file lookups for exim:
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $2
server_prompts = :
cu andreas