Re: [Dovecot] SSL Certificates

2008-08-12 Thread Timo Sirainen

On Aug 8, 2008, at 5:06 PM, Stephen Feyrer wrote:

Thanks, I will persevere.  I would like to point out that I'm only  
using  PAM as it seems the best way to get email to system users.  I  
am open to another method that might work.


Anything that allows you to log in without password checking. For  
example a passwd-file containing only valid usernames and nopassword  
field. Or maybe SQLite query always returning success.



My pam.d/imap file now looks like this.

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $


#auth     required  pam_nologin.so
auth      required  pam_allow.so
auth      include   system-auth
account   include   system-auth
session   include   system-auth

This fails the authentication.


Yes, because you're still doing a system-auth lookup. You want to  
allow anyone to log in with any user/pass combination, so only keep  
the pam_allow.so line there.
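An added configuration example, not taken from the thread, that puts Timo's passdb suggestion behind the client-certificate requirement so the accept-any-password lookup is only reachable after a verified certificate. It assumes Dovecot 2.x setting names (newer than the versions discussed here) and placeholder file paths; the user list and the CA file are assumptions.

```conf
# Added example (Dovecot 2.x syntax assumed; not the list poster's config).
# The client certificate is the only credential, so it must be required and
# verified before the permissive passdb is ever consulted.
ssl = required
ssl_cert = </etc/ssl/dovecot/server.pem       # placeholder paths
ssl_key = </etc/ssl/dovecot/server.key
ssl_ca = </etc/ssl/dovecot/client-ca.pem      # CA that issued the client certs;
                                              # a CRL can be appended to this file
ssl_verify_client_cert = yes                  # reject certs not chained to ssl_ca
ssl_require_client_cert = yes                 # no valid certificate, no login
ssl_username_from_cert = yes                  # login name comes from the cert ...
ssl_cert_username_field = commonName          # ... specifically its CN

# Instead of PAM with only pam_allow.so (which accepts any user/password),
# list the permitted users explicitly and mark each one nopassword=yes.
# /etc/dovecot/cert-users (assumed path) holds one passwd-file line per user,
# with an empty password field, e.g.:
#   stephen:::::::nopassword=yes
# A user removed from this file can no longer log in even with a valid cert,
# which covers the "does the user still exist" check raised in the thread.
passdb {
  driver = passwd-file
  args = /etc/dovecot/cert-users
}

# Mail location, uid/gid and home still come from the system accounts.
userdb {
  driver = passwd
}
```

Leaving ssl_require_client_cert at its default while keeping a nopassword passdb would let any client log in as any listed user, so the two settings belong together.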






Re: [Dovecot] SSL Certificates

2008-08-08 Thread Stephen Feyrer

Hi Timo.

Thanks, I will persevere.  I would like to point out that I'm only using 
 PAM as it seems the best way to get email to system users.  I am open 
to another method that might work.


This was my pam.d/imap file

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $


auth      required  pam_nologin.so
auth      include   system-auth
account   include   system-auth
session   include   system-auth



My pam.d/imap file now looks like this.

# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $


#auth     required  pam_nologin.so
auth      required  pam_allow.so
auth      include   system-auth
account   include   system-auth
session   include   system-auth

This fails the authentication.

While it looks like this it also fails authentication.  (I just thought 
I'd give it a go.)


# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $


auth      required  pam_nologin.so
auth      required  pam_allow.so
auth      include   system-auth
account   include   system-auth
session   include   system-auth

--
kind regards

Stephen.


Timo Sirainen wrote:

On Aug 7, 2008, at 5:33 PM, Stephen Feyrer wrote:


Timo Sirainen wrote:

On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:

Hi anyone.

Can dovecot be configured to authenticate users using only SSL 
certificates and not ask for a password?


So far I've got it taking the username from the common name of the 
certificate, but I'd like it to use the certificate in place of the 
password.


Is this possible and how?
If you're that far, then you're already authenticating the user 
against the certificate. Or assuming you have 
ssl_require_client_cert=yes. Then just create a passdb that accepts 
any password as valid for the user (nopassword=yes extra field).
In theory there's also this EXTERNAL SASL mechanism that could be 
used to log in without user/pass, but Dovecot doesn't currently 
support that and I'm not aware of any clients supporting it either.


Hi Timo.

I am authenticating the user against the certificate as you say and do 
have ssl_require_client_cert=yes.


I'm using PAM to authenticate against my user database at the moment. 
I'm still baffled... :)


If you only want to allow users to log in with certificates, then just 
change the PAM configuration file to be something like (not tested, and 
my PAM knowledge isn't too good):


auth      required  pam_allow.so

It would be nice to be able to verify that the user still exists, 
but you could do that with certificate revocation lists also..






[Dovecot] SSL Certificates

2008-08-07 Thread Stephen Feyrer

Hi anyone.

Can dovecot be configured to authenticate users using only SSL 
certificates and not ask for a password?


So far I've got it taking the username from the common name of the 
certificate, but I'd like it to use the certificate in place of the password.


Is this possible and how?

--
Regards

Stephen.




Re: [Dovecot] SSL Certificates

2008-08-07 Thread Timo Sirainen

On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:


Hi anyone.

Can dovecot be configured to authenticate users using only SSL  
certificates and not ask for a password?


So far I've got it taking the username from the common name of the  
certificate, but I'd like it to use the certificate in place of the  
password.


Is this possible and how?



If you're that far, then you're already authenticating the user  
against the certificate. Or assuming you have  
ssl_require_client_cert=yes. Then just create a passdb that accepts  
any password as valid for the user (nopassword=yes extra field).


In theory there's also this EXTERNAL SASL mechanism that could be used  
to log in without user/pass, but Dovecot doesn't currently support  
that and I'm not aware of any clients supporting it either.




Re: [Dovecot] SSL Certificates

2008-08-07 Thread Stephen Feyrer

Timo Sirainen wrote:

On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:


Hi anyone.

Can dovecot be configured to authenticate users using only SSL 
certificates and not ask for a password?


So far I've got it taking the username from the common name of the 
certificate, but I'd like it to use the certificate in place of the 
password.


Is this possible and how?



If you're that far, then you're already authenticating the user against 
the certificate. Or assuming you have ssl_require_client_cert=yes. Then 
just create a passdb that accepts any password as valid for the user 
(nopassword=yes extra field).


In theory there's also this EXTERNAL SASL mechanism that could be used 
to log in without user/pass, but Dovecot doesn't currently support that 
and I'm not aware of any clients supporting it either.


Hi Timo.

I am authenticating the user against the certificate as you say and do 
have ssl_require_client_cert=yes.


I'm using PAM to authenticate against my user database at the moment. 
I'm still baffled... :)


--
kind regards

Stephen.




Re: [Dovecot] SSL Certificates

2008-08-07 Thread Timo Sirainen

On Aug 7, 2008, at 5:33 PM, Stephen Feyrer wrote:


Timo Sirainen wrote:

On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:

Hi anyone.

Can dovecot be configured to authenticate users using only SSL  
certificates and not ask for a password?


So far I've got it taking the username from the common name of the  
certificate, but I'd like it to use the certificate in place of the  
password.


Is this possible and how?
If you're that far, then you're already authenticating the user  
against the certificate. Or assuming you have  
ssl_require_client_cert=yes. Then just create a passdb that accepts  
any password as valid for the user (nopassword=yes extra field).
In theory there's also this EXTERNAL SASL mechanism that could be  
used to log in without user/pass, but Dovecot doesn't currently  
support that and I'm not aware of any clients supporting it either.


Hi Timo.

I am authenticating the user against the certificate as you say and do  
have ssl_require_client_cert=yes.


I'm using PAM to authenticate against my user database at the  
moment. I'm still baffled... :)


If you only want to allow users to log in with certificates, then just  
change the PAM configuration file to be something like (not tested,  
and my PAM knowledge isn't too good):


auth      required  pam_allow.so

It would be nice to be able to verify that the user still  
exists, but you could do that with certificate revocation lists also..

