Thus spake Andreas Hasenack:
> On Wed, Nov 21, 2001 at 07:05:40AM -0800, Wil Cooley wrote:
> > successfully opening /etc/shadow, although I guess not. (I guess
> > I assumed pam_unix.so would call unix_chkpwd if it wasn't root.)
>
> It does, but only to authenticate the user calling it, not somebody
> else, iirc.

Ah, okay. I thought it would work like SASL's pwcheck/saslauthd.

> > > Or use the pwcheck method in SASL, which also requires another
> > > daemon. I've never tried that, though.
> >
> > grep'ing through the txts with my pam distribution, I don't see
> > any docs on configuring unix_chkpwd, how the heck to use it?
>
> It's part of the sasl package. I think the only doc is a small readme
> and a FAQ entry, you should be able to find it in the tarball or at
> the sasl website.

No, I was talking about PAM's unix_chkpwd, not Cyrus SASL's pwcheck.
I see from what you wrote above what unix_chkpwd is for.

> But it's only for plaintext passwords, if you use /etc/sasldb,
> for instance, it should be enough to have that file readable by the
> postfix daemon. I tried it once with openldap running as an "ldap"
> user and granting read access to that file (sasldb) for the "ldap"
> group, it worked. But this gets more complex if other daemons need
> read access to it too.

Right, that's what I did. The sasldb my Cyrus IMAP rpms made was
owned by cyrus:mail, and smtpd happens to run :mail, so a simple
addition of group writability took care of it.

The idiot I am, I didn't try to un-shadow my password file to test
it. I've set this up about once every year for the last 3 years and
I keep forgetting the debugging tricks I learn...

Wil
--
W. Reilly Cooley wcooley@nakedape.cc
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
"There was a vague, unpleasant manginess about his appearance; he
somehow seemed dirty, though a close glance showed him as carefully
shaven as an actor, and clad in immaculate linen."
-- H.L. Mencken, on the death of William Jennings Bryan