On 2008-08-28 08:48, Jaco van der Schyff wrote:
> What are my options to auth against /etc/shadow using PAM without giving
> exim too much priviledges?
>
> I currently have two options: chgrp exim /etc/shadow or write an
> external authenticator (which is suid root) that returns a
> true/false which I can evaluate in exim.
>
> Any other ideas?
I configured this today using pwauth. Pwauth
(
http://unixpapa.com/pwauth/) is an external authenticator as you
mention as the second option. It is written with Apache in mind, because
Apache suffers from the same problem: need to run as root to
authenticate to /etc/shadow.
Download it, configure it, compile it. I put the pwauth (suid root) in
/usr/loca/bin/. The authentication driver configuration for me was:
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' |
/usr/local/bin/pwauth"}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
As I run Debian 5.0/Lenny, I added this to /etc/exim4/exim4.conf.template.
Don't forget to add the UID of the exim user to SERVER_UIDS in config.h
of pwauth's source files.
It's authentication to /etc/shadow the easy and secure way!
With kind regards,
Jurrie
