LinuxQuestions.org
Old 09-21-2009, 03:15 AM   #1
dbj
LQ Newbie
 
Registered: Sep 2009
Posts: 23

Rep: Reputation: 16
checkpassword only works as root, authentication with spamdyke, qmail


You can test checkpassword with

printf "%s\0%s\0%s\0" user password Y123456 | /usr/bin/checkpassword id 3<&0

But it only gives the right result when you are root. Why?
I have set spamdyke to use checkpassword
smtp-auth-command=/usr/bin/checkpassword /bin/true

I think that is a problem when running "/etc/init.d/qmail start". I have

...
rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
...
...
sh -c "start-stop-daemon --start --quiet --user qmaild \
--pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
--exec /usr/bin/tcpserver -- -R -H \
-u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
$rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
| $logger &"


I am not an expert but it seems to work if `id -u mails` is replaced with
`id -u root`

Ok, but from a security aspect is that the right solution?
I mean qmail-smtpd will run as root which is not as intended.
 
Old 10-15-2009, 01:57 AM   #2
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,368
Blog Entries: 52

Rep: Reputation: 354
Quote:
printf "%s\0%s\0%s\0" user password Y123456 | /usr/bin/checkpassword id 3<&0

But it only gives the right result when you are root. Why?
Because checkpassword only has access to the shadow password database if it is run as root. Some programs that require access to the database are run as sgid shadow, but even this would be a bad idea for checkpassword, because it can be used to run dictionary attacks against the password list.

Quote:
I am not an expert but it seems to work if `id -u mails` is replaced with
`id -u root`

Ok, but from a security aspect is that the right solution?
Doesn't sound like good security; at the very least, you are running a lot of code as root that doesn't need to be.

There are a number of alternatives to checkpassword.

I cannot advise the best solution; for a commercial system, you should probably operate a separate password database for remote smtp users, rather than give qmail access to the system passwords.
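
A sketch of the separate-database approach suggested in the reply above, added here as an example and not code from the thread or from the checkpassword, qmail or spamdyke projects: a checkpassword-compatible verifier that reads the same descriptor-3 record as the printf test and checks it against its own user file, so it can run without root and without access to the shadow database. The file path, the user:salt:hash line format and the PBKDF2 parameters are assumptions; the exit codes 1, 2 and 111 follow the checkpassword interface, and unlike the real checkpassword it does not switch uid or set USER/HOME before running the next program.

```python
#!/usr/bin/env python3
# Added example: checkpassword-style verifier with its own user database.
import hashlib, hmac, os, sys

USERS_FILE = "/etc/smtp-auth/users"  # hypothetical path; lines: user:salt_hex:hash_hex
ITERATIONS = 200_000                 # assumed PBKDF2 work factor

def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def parse_fd3(data: bytes):
    # Record format: login NUL password NUL timestamp NUL, at most 512 bytes.
    parts = data.split(b"\0")
    if len(data) > 512 or len(parts) < 4 or not parts[0]:
        return None
    return parts[0], parts[1]

def verify(login: bytes, password: bytes, db_lines) -> bool:
    # Unknown users still cost one hash, so timing does not reveal who exists.
    salt, expected = b"\0" * 16, b""
    for line in db_lines:
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0].encode() == login:
            salt, expected = bytes.fromhex(fields[1]), bytes.fromhex(fields[2])
            break
    return hmac.compare_digest(hash_password(password, salt), expected)

def main(argv):
    if len(argv) < 2:
        return 2                     # misuse: no program to run on success
    try:
        with os.fdopen(3, "rb") as f:
            creds = parse_fd3(f.read(513))
        if creds is None:
            return 2                 # malformed or oversized record
        with open(USERS_FILE) as db:
            if not verify(*creds, db):
                return 1             # unknown user or wrong password
        os.execvp(argv[1], argv[1:]) # success: hand over to the next program
    except (OSError, ValueError):
        return 111                   # temporary failure (fd 3, database, exec)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the user file readable only by a dedicated unprivileged account, tcpserver can stay on the qmaild uid from the init script and no part of the SMTP path needs to read the system password database.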
 
  

