On Tue, 5 Feb 2008, Paul Hancock wrote:
> I need to get a better understanding of PAM, but does imap use PAM session hooks? That might explain why this isn't working, since we've established that imap uses PAM.

The answer is to be found in imap-????/src/osdep/unix/ckp_pam.c, where you will find that both the pam_open_session() and pam_close_session() calls are #if 0 removed from the code.

You will see a pair of comments by the pam_open_session() call that gives some of the history of why it is commented out, as opposed to compiled in the code or removed entirely:
    /*
     * Some people have reported that this causes a SEGV in strncpy() from
     * pam_unix.so.1
     */
    /*
     * This pam_open_session() call is inconsistant with how we handle other
     * platforms, where we don't write [uw]tmp records.  However, unlike our
     * code on other platforms, pam_acct_mgmt() will check those records for
     * inactivity and deny the authentication.
     */

Thus, here are the issues:

For better or worse, imapd and ipop3d do not write [uw]tmp records in most configurations. The reasons for this decision are complicated and historical, and in some cases have been overtaken by historical events.

For example, one of the historical reasons is that many systems once had a password use limit in which an account was automatically shut off after a password was used for a certain fixed number of times without being changed. Given the nature of POP3 (and, sadly, some IMAP) clients, it was possible for a single user email session to pop this limit. Since POP3 and IMAP logins/logouts are recorded in the mail log (hence there is an activity log), a [uw]tmp entry was a duplicate that caused failure.

On the other hand, PAM might deny authentication due to insufficient activity, so there would be a benefit on some PAM systems to write those records.

On the other hand, when I put in those PAM session calls I started getting multiple problem reports of imapd and ipop3d crashes that turned out to be SEGVs within the bowels of PAM. [This is different from the PAM crashes on Solaris caused by SUN's version failing to pass the appdata_ptr data in the pam_conv structure. I have no idea if/when SUN fixed their bug.]

Thus, the code is there, but switched off in the presumption that people who need it are capable of editing the file to switch it back on.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw