Amos Gouaux writes:
>
>Perhaps if configure enables PAM support, it could print a warning
>message that for local passwd/shadow access, pwcheck should be used?

It's a little more complicated than that.  I don't know if this is
part of the design of PAM, but most programs that do authentication
through PAM run as root.  Many of the PAM authentication methods only
work for root, either because a file is readable only by root, or
because they must bind to a privileged socket.  Cyrus is the exception
in this regard, which is why PAM often won't work for Cyrus.  Linux
PAM has an annoying feature, by the way, where it authenticates the
invoking user rather than the requested user, when invoked by a non-
root user.  Solaris PAM will always fail to authenticate in this case.

In general, authentication of users always requires some privileges,
to protect against password guessing attempts.  Root is the easiest
way to provide this privilege, although in some cases it can also be
provided by making the shadow file readable by the Cyrus user.  So,
you can't expect an authentication function within Cyrus to function
without some way to increase privileges.  PAM is a standardized way
to do user authentication on Unix, and it should be supported as widely
as possible to gain its benefits.

As others have said, please keep PAM in Cyrus.  Doing it via pwcheck
seems to be the way to go.  Hmm, I seem to be agreeing with you.


-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
