Re: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> Why is this?  It would seem that unix_chkpwd would be able to do this,
> and afaik, pam_unix uses it automatically.  At least, it did on RHL.

unix_chkpwd only authenticates the calling uid.  It won't work for general
use, i.e. for exim to authenticate.

> Am I missing something in the way Debian stuff is set up?  Hmmm... it
> looks like it may only let you auth against the id calling it, which
> would explain the difficulty.  Though a similar program should be
> written to do the same, so other programs can run without root.

And one has.  Hence my suggestion to use the perl capabilities of exim, so
that such a program can be used for authentication.  I can make the
sources available under the GPL, if you like.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE600os/ZTSZFDeHPwRAokoAKCfKn/eG5Mxryqz11QdI79T8p0RogCgkLVy
ZJrCjB1Xhy0Ce6YX1ZA2mPw=
=BNo4
-----END PGP SIGNATURE-----



Re: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Alan Shutko
Phil Brutsche <[EMAIL PROTECTED]> writes:

> But exim *must* run as root to be able to authenticate using the system
> passwords in /etc/shadow.  I know of no way around it, except for making
> /etc/shadow world readable, which is even more dangerous than having exim
> run as root.

Why is this?  It would seem that unix_chkpwd would be able to do this,
and afaik, pam_unix uses it automatically.  At least, it did on RHL.

Am I missing something in the way Debian stuff is set up?  Hmmm... it
looks like it may only let you auth against the id calling it, which
would explain the difficulty.  Though a similar program should be
written to do the same, so other programs can run without root.

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
Machines that have broken down will work perfectly when the repairman arrives.



RE: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> But isn't that a bad thing(tm) ?

It can be.

> Surely you must be able to get a simple yes/no on auth out of PAM with
> it rather than doing things as root?

Sure, PAM works fine without exim running as root - I've had exim
authenticate off SQL databases via PAM, with exim running as the user
"mail".

But exim *must* run as root to be able to authenticate using the system
passwords in /etc/shadow.  I know of no way around it, except for making
/etc/shadow world readable, which is even more dangerous than having exim
run as root.

There is another way to do it, but it requires knowledge of perl, exim
compiled with perl support, and a small program to handle the PAM
authentication.

You can skip the perl part if you can find a way to get exim to run an
external program directly for authentication, but I don't know right off
hand if there's a way to do that.

> I'd prefer not running Exim as root to prevent any possible exploits ...

Understandable, but sometimes unavoidable.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE60zoV/ZTSZFDeHPwRAkNbAKCg/V8xnlyNmmDnzk3lp4CvYh3JIQCghog0
3B+SWFD91O1bE6clBSdpXDg=
=Rbax
-----END PGP SIGNATURE-----
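The "small program to handle the PAM authentication" that Phil mentions twice in this thread (once here, once where he notes that unix_chkpwd only checks the calling uid, so an exim running as "mail" cannot reuse it) is the privilege-separation piece: exim stays unprivileged and asks a narrow helper for a yes/no. The following is an added example of such a helper, not Phil's program and not part of exim; it assumes the /etc/pam.d/exim service name from the original question, a two-line stdin protocol chosen for this example, and that the helper itself is started with root privilege (via a small setuid wrapper or a tightly scoped sudo rule, since Linux ignores the setuid bit on scripts). It talks to libpam directly through ctypes.

```python
#!/usr/bin/env python3
"""Added example: a narrow, privileged PAM helper for an unprivileged MTA.
Protocol: the caller writes "username\\npassword\\n" to stdin and reads
nothing back; exit status 0 means PAM accepted the credentials. Only this
helper needs root (assumption: launched via a setuid wrapper or sudo rule)."""
import ctypes
import ctypes.util
import sys

PAM_SERVICE = "exim"     # assumption: the /etc/pam.d/exim file from the thread
PAM_SUCCESS = 0          # constants from <security/_pam_types.h>
PAM_PROMPT_ECHO_OFF = 1  # the non-echoing "Password:" prompt pam_unix issues
PAM_CONV_ERR = 19
MAX_FIELD = 256          # per-field upper bound; longer requests are refused
USER_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 b"0123456789._-")

class RequestError(ValueError):
    """Malformed request: answer 'no' without ever consulting PAM."""

def parse_request(data: bytes):
    """Split the two-line request into (user, password) bytes, refusing
    usernames outside the portable POSIX character set (so no shell
    metacharacter, path or control byte reaches PAM modules or logs) and
    passwords that are empty, NUL-containing or over-long."""
    lines = data.split(b"\n")
    if len(lines) < 2:
        raise RequestError("need a username line and a password line")
    user, password = lines[0], lines[1]
    if not user or not password:
        raise RequestError("empty username or password")
    if len(user) > MAX_FIELD or len(password) > MAX_FIELD:
        raise RequestError("field too long")
    if user.startswith(b"-") or not USER_CHARS.issuperset(user):
        raise RequestError("username contains disallowed characters")
    if b"\x00" in password:
        raise RequestError("NUL byte in password")
    return user, password

# ctypes mirrors of struct pam_message, struct pam_response, struct pam_conv
class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]
class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]
CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)),
                             ctypes.c_void_p)
class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]

def pam_check(user: bytes, password: bytes, service: str = PAM_SERVICE) -> bool:
    """Run the 'auth' and 'account' stacks of `service` for `user`. libpam is
    loaded here, not at import, so parse_request() is testable without PAM."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam"))
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    libc.strdup.argtypes = [ctypes.c_char_p]

    def conv(n_msgs, messages, responses, appdata):
        # PAM frees the response array and each string, so both come from the
        # C heap; only password prompts are answered, anything else stays NULL.
        arr = libc.calloc(n_msgs, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_CONV_ERR
        responses[0] = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(n_msgs):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                responses[0][i].resp = libc.strdup(password)
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)          # kept referenced for the whole exchange
    conversation = PamConv(callback, None)
    handle = ctypes.c_void_p()
    if libpam.pam_start(service.encode(), user, ctypes.byref(conversation),
                        ctypes.byref(handle)) != PAM_SUCCESS:
        return False
    rc = libpam.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:
        rc = libpam.pam_acct_mgmt(handle, 0)
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS

def main() -> int:
    try:
        user, password = parse_request(sys.stdin.buffer.read(2 * MAX_FIELD + 2))
    except RequestError as exc:
        sys.stderr.write("rejected request: %s\n" % exc)
        return 2
    ok = pam_check(user, password)
    # log the outcome and the user, never the password
    sys.stderr.write("pam %s for %s\n" % ("ok" if ok else "failed", user.decode()))
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main())
```

The MTA side only ever sees an exit status, so a compromise of the mail daemon yields no access to /etc/shadow and no more than an online password-guessing oracle that is logged per attempt. The helper answers only non-echoing prompts, so a PAM stack that asks anything else fails closed rather than leaking the password into an unexpected prompt, and the username filter keeps attacker-controlled bytes out of PAM modules and syslog lines.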



RE: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Eugene van Zyl
But isn't that a bad thing(tm) ?
Surely you must be able to get a simple yes/no on auth out of PAM with it
rather than doing things as root?
I'd prefer not running Exim as root to prevent any possible exploits ...

Thanks,
Eugene

-----Original Message-----
From: Phil Brutsche [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 10, 2001 5:00 PM
To: Eugene van Zyl
Cc: GLUG; Debian-User
Subject: Re: Exim PAM SMTP Authentication, help!




A long time ago, in a galaxy far, far away, someone said...

> Hi,
>
> I'm trying Exim to authenticate users for mail relay using the SMTP
> AUTH interface. I've recompiled the Debian Exim 3.12-10 source package
> with the standard/default settings and only added the TCP Wrappers and
> PAM support. The exim and eximon packages generated successfully and
> installed fine. Only what else should I do now to allow exim to use
> PAM? I've set up the fixed_plain and fixed_login entries in the conf
> file with the server_condition for fixed_login (which is what Outlook
> uses) as follows:

>   server_condition = "\
>   ${if pam {$1:$2}{yes}{no}}"
>
> The authentication log returns the following error when I try to
> authenticate:

> PAM_unix[24311]: authentication failure; (uid=8) -> **unknown** for exim service
>
> I've set up an exim config file in the /etc/pam.d/ dir with auth and
> account required. From the above (and the spec.txt file in the exim
> docs) it looks like it expects an exim user with UID 8 to initialise
> the PAM service, but mail is already specified as the UID 8 GID 8 and
> I don't know what'll break if I rename mail to exim. Is it possible to
> create a user alias ? i.e. exim and mail is really the same user, same
> passwd etc ?

The problem isn't in the name of the user that exim runs as, it's the
UID.  To be able to authenticate against the information in /etc/shadow
exim must run as root.

Put

exim_user = root

in exim.conf, restart exim, and try again.

> Also am I approaching this PAM authentication right?

For the most part.

-- 
--
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc







Re: Exim PAM SMTP Authentication, help!

2001-04-10 Thread Phil Brutsche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> Hi,
>
> I'm trying Exim to authenticate users for mail relay using the SMTP
> AUTH interface. I've recompiled the Debian Exim 3.12-10 source package
> with the standard/default settings and only added the TCP Wrappers and
> PAM support. The exim and eximon packages generated successfully and
> installed fine. Only what else should I do now to allow exim to use
> PAM? I've set up the fixed_plain and fixed_login entries in the conf
> file with the server_condition for fixed_login (which is what Outlook
> uses) as follows:

>   server_condition = "\
>   ${if pam {$1:$2}{yes}{no}}"
>
> The authentication log returns the following error when I try to
> authenticate:

> PAM_unix[24311]: authentication failure; (uid=8) -> **unknown** for exim service
>
> I've set up an exim config file in the /etc/pam.d/ dir with auth and
> account required. From the above (and the spec.txt file in the exim
> docs) it looks like it expects an exim user with UID 8 to initialise
> the PAM service, but mail is already specified as the UID 8 GID 8 and
> I don't know what'll break if I rename mail to exim. Is it possible to
> create a user alias ? i.e. exim and mail is really the same user, same
> passwd etc ?

The problem isn't in the name of the user that exim runs as, it's the
UID.  To be able to authenticate against the information in /etc/shadow
exim must run as root.

Put

exim_user = root

in exim.conf, restart exim, and try again.

> Also am I approaching this PAM authentication right?

For the most part.

- -- 
- --
Phil Brutsche   [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE60x/p/ZTSZFDeHPwRArnyAJ4hBSbnGQ+MyGJ3vl8Om1uXKROblQCdGHPz
QfhF1AwaBP+zoMxIojNZETA=
=QTyE
-----END PGP SIGNATURE-----