Re: Exim PAM SMTP Authentication, help!
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
A long time ago, in a galaxy far, far way, someone said...
Hi,
I'm trying Exim to authenticate users for mail relay using the SMTP
AUTH interface. I've recompiled the Debian Exim 3.12-10 source package
with the standard/default settings and only added the TCP Wrappers and
PAM support. The exim and eximon packages generated successfully and
installed fine. Only what else should I do know to allow exim to use
PAM? I've set up the fixed_plain and fixed_login entries in the conf
file with the server_condition for fixed_login (which is what Outlook
uses) as follows:
server_condition = \
${if pam {$1:$2}{yes}{no}}
The authentication log returns the following error when I try to
authenticate:
PAM_unix[24311]: authentication failure; (uid=8) - **unknown** for exim
service
I've set up an exim config file in the /etc/pam.d/ dir with auth and
account required. From the above (and the spec.txt file in the exim
docs) it looks like it expects an exim user with UID 8 to initialise
the PAM service, but mail is already specified as the UID 8 GID 8 and
I don't know what'll break if I rename mail to exim. Is it possible to
create a user alias ? i.e. exim and mail is really the same user, same
passwd etc ?
The problem isn't the in the name of the user that exim runs as, it's the
UID. To be able to authenticate against the information in /etc/shadow
exim must run as root.
Put
exim_user = root
in exim.conf, restart exim, and try again.
Also am I approaching this PAM authentication right?
For the most part.
- --
- --
Phil Brutsche [EMAIL PROTECTED]
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE60x/p/ZTSZFDeHPwRArnyAJ4hBSbnGQ+MyGJ3vl8Om1uXKROblQCdGHPz
QfhF1AwaBP+zoMxIojNZETA=
=QTyE
-END PGP SIGNATURE-
RE: Exim PAM SMTP Authentication, help!
But isn't that a bad thing(tm) ?
Surely you must be able to get a simple yes no on auth out of PAM with it
rather doing things as root?
I'd prefer not running Exim as root to prevent any possible exploits ...
Thanks,
Eugene
-Original Message-
From: Phil Brutsche [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 10, 2001 5:00 PM
To: Eugene van Zyl
Cc: GLUG; Debian-User
Subject: Re: Exim PAM SMTP Authentication, help!
*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x50DE1CFC
*** Signed: 2001/04/10 06:59:52
*** Verified: 2001/04/10 06:39:16
*** BEGIN PGP VERIFIED MESSAGE ***
A long time ago, in a galaxy far, far way, someone said...
Hi,
I'm trying Exim to authenticate users for mail relay using the SMTP
AUTH interface. I've recompiled the Debian Exim 3.12-10 source package
with the standard/default settings and only added the TCP Wrappers and
PAM support. The exim and eximon packages generated successfully and
installed fine. Only what else should I do know to allow exim to use
PAM? I've set up the fixed_plain and fixed_login entries in the conf
file with the server_condition for fixed_login (which is what Outlook
uses) as follows:
server_condition = \
${if pam {$1:$2}{yes}{no}}
The authentication log returns the following error when I try to
authenticate:
PAM_unix[24311]: authentication failure; (uid=8) - **unknown** for exim
service
I've set up an exim config file in the /etc/pam.d/ dir with auth and
account required. From the above (and the spec.txt file in the exim
docs) it looks like it expects an exim user with UID 8 to initialise
the PAM service, but mail is already specified as the UID 8 GID 8 and
I don't know what'll break if I rename mail to exim. Is it possible to
create a user alias ? i.e. exim and mail is really the same user, same
passwd etc ?
The problem isn't the in the name of the user that exim runs as, it's the
UID. To be able to authenticate against the information in /etc/shadow
exim must run as root.
Put
exim_user = root
in exim.conf, restart exim, and try again.
Also am I approaching this PAM authentication right?
For the most part.
--
--
Phil Brutsche [EMAIL PROTECTED]
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
*** END PGP VERIFIED MESSAGE ***
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: Exim PAM SMTP Authentication, help!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 A long time ago, in a galaxy far, far way, someone said... But isn't that a bad thing(tm) ? It can be. Surely you must be able to get a simple yes no on auth out of PAM with it rather doing things as root? Sure, PAM works fine without exim running as root - I've had exim authenticate off SQL databases via PAM, with exim running as the user mail. But exim *must* run as root to be able to authenticate using the system passwords in /etc/shadow. I know of no way around it, except for making /etc/shadow world readable, which is even more dangerous than having exim run as root. There is another way to do it, but it requires knowledge of perl, exim compiled with perl support, and a small program to handle the PAM authentication. You can skip the perl part if you can find a way to get exim run an external program directly for authentication, but I don't know right off hand if there's a way to do that. I'd prefer not running Exim as root to prevent any possible exploits ... Understandable, but sometimes unavoidable. - -- - -- Phil Brutsche [EMAIL PROTECTED] GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC GPG key id: 50DE1CFC GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE60zoV/ZTSZFDeHPwRAkNbAKCg/V8xnlyNmmDnzk3lp4CvYh3JIQCghog0 3B+SWFD91O1bE6clBSdpXDg= =Rbax -END PGP SIGNATURE-
Re: Exim PAM SMTP Authentication, help!
Phil Brutsche [EMAIL PROTECTED] writes: But exim *must* run as root to be able to authenticate using the system passwords in /etc/shadow. I know of no way around it, except for making /etc/shadow world readable, which is even more dangerous than having exim run as root. Why is this? It would seem that unix_chkpwd would be able to do this, and afaik, pam_unix uses it automatically. At least, it did on RHL. Am I missing something in the way Debian stuff is set up? Hmmm... it looks like it may only let you auth against the id calling it, which would explain the difficulty. Though a similar program should be written to do the same, so other programs can run without root. -- Alan Shutko [EMAIL PROTECTED] - In a variety of flavors! Machines that have broken down will work perfectly when the repairman arrives.
Re: Exim PAM SMTP Authentication, help!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 A long time ago, in a galaxy far, far way, someone said... Why is this? It would seem that unix_chkpwd would be able to do this, and afaik, pam_unix uses it automatically. At least, it did on RHL. unix_chkpwd only authenticates the calling uid. It won't work for general use ie for exim to authenticate. Am I missing something in the way Debian stuff is set up? Hmmm... it looks like it may only let you auth against the id calling it, which would explain the difficulty. Though a similar program should be written to do the same, so other programs can run without root. And one has. Hence my suggestion to use the perl capabilities of exim, so that such a program can be used for authentication. I can make the sources available under the GPL, if you like. - -- - -- Phil Brutsche [EMAIL PROTECTED] GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC GPG key id: 50DE1CFC GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE600os/ZTSZFDeHPwRAokoAKCfKn/eG5Mxryqz11QdI79T8p0RogCgkLVy ZJrCjB1Xhy0Ce6YX1ZA2mPw= =BNo4 -END PGP SIGNATURE-
