Re: [exim] Options for authenticating against /etc/shadow (…

Top Page
Delete this message
Reply to this message
Author: Jurrie Overgoor
Date:  
To: Exim-users
New-Topics: Re: [exim] Options for authenticating against /etc/shadow (PAM) withoutmaking exim suid root
Subject: Re: [exim] Options for authenticating against /etc/shadow (PAM)withoutmaking exim suid root
On 2008-08-28 08:48, Jaco van der Schyff wrote:
> What are my options to auth against /etc/shadow using PAM without giving
> exim too much priviledges?
>
> I currently have two options: chgrp exim /etc/shadow or write an
> external authenticator (which is suid root) that returns a
> true/false which I can evaluate in exim.
>
> Any other ideas?


I configured this today using pwauth. Pwauth
(http://unixpapa.com/pwauth/) is an external authenticator as you
mention as the second option. It is written with Apache in mind, because
Apache suffers from the same problem: need to run as root to
authenticate to /etc/shadow.

Download it, configure it, compile it. I put the pwauth (suid root) in
/usr/loca/bin/. The authentication driver configuration for me was:

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' |
/usr/local/bin/pwauth"}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

As I run Debian 5.0/Lenny, I added this to /etc/exim4/exim4.conf.template.

Don't forget to add the UID of the exim user to SERVER_UIDS in config.h
of pwauth's source files.

It's authentication to /etc/shadow the easy and secure way!

With kind regards,

Jurrie