Re: [exim] plaintext pam

Author: andreas graeper
Date:  
To: exim-users
Subject: Re: [exim] plaintext pam
Hi Lena,
thanks for your answer.

Why 'why pam?'??

:: is something like an escape of ':', as '\\' for '\' or \" for " inside
".." in other situations?! (I did not read all those 50+ chapters ...)
And the argument to pam{} is "user:password" (in case there are no :
inside the password)?
And you think the problem is the PAM configuration.


OK, I have seen in the logs something like 'permission denied for gid=93', which
is group 'exim',
and my old passwd file is actually owned by root:exim. Now the old way is
working.

But of PAM I unfortunately have no idea.
I found that group exim needs to have read access to /etc/shadow and
/etc/pam.d/exim.
I changed the owner of /etc/pam.d/exim to root:exim,
and I did the same for /etc/shadow + chmod 440.
Now I can send messages, but I actually feel bad about it.

There are lots of other tools/services that use PAM, and never before have I
heard that they need read access to /etc/shadow?
I am on a fresh CentOS 6.3 installation and there were no rights on
/etc/shadow at all (not even read for root)?!
How can this work? Maybe SELinux somehow?

Thanks in advance for any help,
Andreas


2013/5/28 <Lena@???>

> > From: andreas graeper
>
> Why pam?
>
> > (i thought: plain -> 2:user 3:secret, login -> 1:user 2:secret)
>
> I use:
>
> begin authenticators
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
> server_set_id = $2
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
> server_set_id = $1
>
> I use FreeBSD. PAM modules are invoked under the "mailnull" user (not root),
> so besides the proper file in pam.d you need to give the "mail" group
> read access to the master.passwd file (then you can use either pam or
> crypteq),
> but that's frowned upon in FreeBSD. Instead I use a
> POP3 server ("popa3d" port) on the same machine for authentication.
> For that I created a file /etc/pam.d/exim with 2 lines:
>
> auth required /usr/local/lib/pam_pop3.so hostname=localhost info pwprompt=Password: timeout=5
> account required pam_permit.so
>
> The FreeBSD port pam_pop3 was deleted, but you can restore it with svn.
> Distfile: http://lena.kiev.ua/pam_pop3-1.0.tar.gz
>
> > what is the substitution : -> :: for ?
>
> For the case where the password contains : character[s].
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
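The colon handling that the quoted reply explains (the `${sg{...}{:}{::}}` substitution and the `Username:: : Password::` prompt string) follows Exim's general rule for colon-separated lists: a single `:` separates items and `::` stands for a literal colon. The following is an added example, not code from either message in the thread and not Exim's own code: it models how the argument to `pam{}` is split into the user and the answers to successive PAM prompts, so you can see what an unescaped password containing colons turns into. The credentials and the `pam_argument`/`pam_credentials` helper names are constructed for illustration; the whitespace trimming mirrors Exim's documented list behaviour (leading and trailing white space on each item is ignored).

```python
"""Model of Exim's colon-separated list rule as used by the pam{} condition
and by server_prompts: ':' separates items, '::' is a literal colon.
Added example, not Exim's own code."""


def split_colon_list(value: str) -> list[str]:
    """Split an Exim-style colon list.

    A single ':' ends an item; '::' is an escaped literal ':'. Leading and
    trailing white space on each item is dropped, as Exim does for lists.
    """
    items: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == ':':
            if i + 1 < len(value) and value[i + 1] == ':':
                buf.append(':')      # '::' -> literal colon, stay in this item
                i += 2
                continue
            items.append(''.join(buf).strip())  # single ':' -> item boundary
            buf = []
        else:
            buf.append(ch)
        i += 1
    items.append(''.join(buf).strip())
    return items


def escape_colons(item: str) -> str:
    """Equivalent of the expansion ${sg{item}{:}{::}} from the thread."""
    return item.replace(':', '::')


def pam_argument(user: str, password: str, escape_password: bool = True) -> str:
    """Build the string handed to pam{} (hypothetical helper).

    With escape_password=True this is what the quoted authenticators do;
    with False it is the naive 'user:password' form.
    """
    pw = escape_colons(password) if escape_password else password
    return f"{user}:{pw}"


def pam_credentials(arg: str) -> tuple[str, list[str]]:
    """Model how pam{} consumes its argument: the first item is the user
    name, the remaining items answer the PAM prompts in order."""
    items = split_colon_list(arg)
    return items[0], items[1:]


if __name__ == "__main__":
    # Constructed sample credentials; the password deliberately contains colons.
    user, password = "alice", "p:ss:w0rd"
    for escape in (False, True):
        arg = pam_argument(user, password, escape_password=escape)
        print(f"escape={escape}: {arg!r} -> {pam_credentials(arg)}")
    # The LOGIN server_prompts string from the thread, split the same way.
    print(split_colon_list("Username:: : Password::"))
```

Without the substitution, `alice:p:ss:w0rd` is split into four items, so PAM's first password prompt is answered with `p` and the user cannot log in; with it, the password survives as one item. Note that the quoted configuration escapes only the password (`$auth3`/`$auth2`); a user name containing a colon would need the same `sg` treatment, which is a reasonable thing to add if your directory allows such names.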