Re: PAM pwcheck method ?

Subject: Re: PAM pwcheck method ?
From: Etienne Goyer (etienne dot goyer at linuxquebec dot com)
Date: Thu May 08 2003 - 11:21:25 EDT

By mistake, I replied directly to Mr. Siemborski instead of to the list. I am
reposting my reply to the list in case someone would like to discuss
the issue further.

On Tue, May 06, 2003 at 12:49:03PM -0400, Rob Siemborski wrote:
> On Tue, 6 May 2003, Etienne Goyer wrote:
> > I had been discussing outside the list with Michael Bacon of Duke about
> > similar problems he had and he sent me a patch to add PAM as a pwcheck
> > method to Cyrus-SASL. The patch applied and compiled without any
> > problem. My preliminary tests were satisfying; the performance was
> > correct and there was no leak or instability that I could find.
> If you are able to use PAM successfully, why not just use PAM via
> saslauthd?

I forgot to mention that I did try saslauthd with PAM. It leaks memory
too, but I have not investigated it yet.

> Duplicating code in saslauthd and in the library is silly, and there is
> no reason to swell the library with code that is at a disadvantage if it
> is not within a single (or small number) of processes (think LDAP
> connection caching, for example).

I can understand the necessity to keep a tight codebase. However, some
circumstances might call for more flexibility. PAM, on platforms that
support it, exposes mechanisms that might not be supported by SASL, thus
providing extended functionality. For setups that can benefit from
credential or connection caching, the option of using saslauthd stays
there. In my case, I would gladly forfeit the caching benefit for a setup
that doesn't leak.

> Additionally, often times authentication and password verification needs
> to run at a higher privilege level than the rest of the code, and
> isolating it into a separate process is a useful security measure.

I am not a very experienced Unix system programmer, but I thought this
was exactly the point of PAM: to provide authentication services to
unprivileged programs. At least, when compiled against a patched SASL
library, Cyrus imapd running as the unprivileged cyrus user gladly
authenticates against PAM.

In the end, I know my requirements do not dictate the Cyrus SASL
development agenda, but I am stuck with one of two unsavory
solutions: install a crontab that will restart saslauthd every hour, or
depend on a patch that may or may not work with future versions of the
SASL library.

The only real downside of supporting PAM as a pwcheck method seems to be
code duplication. For the added benefit, I think it would be worth it.


Etienne Goyer    Linux Québec Technologies Inc.    etienne dot goyer at linuxquebec dot com
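The privilege-separation point argued in this thread, as an added example that is not part of the original posts and not code from Cyrus SASL: an unprivileged client (the role imapd plays) hands a login and password to a separate verifier process over a local socket and gets back only an OK/NO verdict, so the secret store and the verification logic never live in the client's address space. The request and reply framing follows the saslauthd wire format (four length-prefixed fields: login, password, service, realm; a length-prefixed "OK" or "NO" reply). The credential table, the salt and the PBKDF2 check are constructed stand-ins for whatever PAM would consult; the daemon runs in a thread over a socketpair only so the example is self-contained.

```python
"""Client/verifier exchange in saslauthd's wire framing (added example).

Constructed stand-in for PAM: a tiny salted-hash credential table. The
point demonstrated is the boundary: the client sees only "OK"/"NO".
"""
import hashlib
import hmac
import socket
import struct
import threading

# Constructed credentials; in a real deployment the verifier would ask PAM.
_SALT = b"constructed-salt"
_USERS = {
    "cyrus": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000),
}


def _field(data: bytes) -> bytes:
    """One saslauthd field: 16-bit big-endian length, then the bytes."""
    if len(data) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return struct.pack("!H", len(data)) + data


def encode_request(login, password, service="imap", realm=""):
    """Request = login, password, service, realm, each length-prefixed."""
    return b"".join(_field(s.encode()) for s in (login, password, service, realm))


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def _read_field(sock):
    (n,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, n)


def decode_request(sock):
    login, password, service, realm = (_read_field(sock) for _ in range(4))
    return login.decode(), password.decode(), service.decode(), realm.decode()


def verify(login, password):
    """The check that needs the secret store; it lives only in the daemon."""
    stored = _USERS.get(login)
    # Always derive the hash so an unknown user costs the same as a bad password.
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, got)


def daemon(sock):
    """Verifier side: read one request, answer OK or NO, never echo secrets."""
    try:
        login, password, _service, _realm = decode_request(sock)
        sock.sendall(_field(b"OK" if verify(login, password) else b"NO"))
    finally:
        sock.close()


def check_password(login, password, service="imap", realm=""):
    """Client side: what an unprivileged imapd does when talking to saslauthd."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=daemon, args=(server,))
    worker.start()
    try:
        client.sendall(encode_request(login, password, service, realm))
        reply = _read_field(client)
    finally:
        client.close()
        worker.join()
    return reply.startswith(b"OK")


if __name__ == "__main__":
    print("cyrus/s3cret ->", check_password("cyrus", "s3cret"))
    print("cyrus/wrong  ->", check_password("cyrus", "wrong"))
```

The client never imports the credential table and cannot read it; everything it can learn from the daemon is the two-byte verdict. That is the property the thread's "isolate it into a separate process" argument buys, and it is independent of whether the verifier itself calls PAM, LDAP or a flat file.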