Okay, I got imap logins working via pam, but not pop3. Weird, I know, but I
tried the service names 'pop', 'pop3', 'pop3d', and 'cyrus', and I couldn't
get pop3 logins working. Yet, imap worked just fine with the service name
'imap'. At some point I just have to give up on this one with Cyrus..
BTW, here are the first lines of each pam entry:

    imap auth sufficient pam_mysql.so user=mail passwd=secret \
    imap account required pam_mysql.so user=mail passwd=secret \
    pop auth sufficient pam_mysql.so user=mail passwd=secret \
    pop account required pam_mysql.so user=mail passwd=secret \
    pop3 auth sufficient pam_mysql.so user=mail passwd=secret \
    pop3 account required pam_mysql.so user=mail passwd=secret \
    pop3d auth sufficient pam_mysql.so user=mail passwd=secret \
    pop3d account required pam_mysql.so user=mail passwd=secret \
    cyrus auth sufficient pam_mysql.so user=mail passwd=secret \
    cyrus account required pam_mysql.so user=mail passwd=secret \

So, now I'm trying pwcheck_pam. Okay, great, imap works again, but pop3
doesn't! No! To debug this a bit I added some logging to pwcheck_pam.c, and
it appears that pwcheck *is* in fact reporting to cyrus that the login
information is correct. Yet, cyrus continues to fail the login on pop3, but
allow imap.
Please view the bottom of this email to see where I added debug output to
pwcheck(). I also added a bit of debugging output to pwcheck.c.

So, let's try to authenticate against imap:

    [dpuryear@dpbox dpuryear]$ telnet freebsd 143
    Trying 192.168.0.35...
    Connected to freebsd.
    Escape character is '^]'.
    * OK freebsd.dpbox.dhs.org Cyrus IMAP4 v2.0.16 server ready
    a0001 login dom0001 password
    a0001 OK User logged in

pwcheck() output:

    May 4 21:17:13 freebsd pwcheck: pwcheck(dom0001, password)
    May 4 21:17:13 freebsd pwcheck: 1PAM_SUCCESS = 0
    May 4 21:17:13 freebsd pwcheck: 1pam_error = 0
    May 4 21:17:13 freebsd pwcheck: 2pam_error = 0
    May 4 21:17:13 freebsd pwcheck: 3pam_error = 0
    May 4 21:17:13 freebsd pwcheck: 4pam_error = 0

Notice that pwcheck() succeeds here. So, let's try pop3:

    [dpuryear@dpbox dpuryear]$ telnet freebsd 110
    Trying 192.168.0.35...
    Connected to freebsd.
    Escape character is '^]'.
    +OK <[EMAIL PROTECTED]> Cyrus POP3 v2.0.16 server ready
    user dom0001
    +OK Name is a valid mailbox
    pass password
    -ERR Invalid login

Hmm, 'Invalid login'. Must be a bad password, right?

    May 4 21:35:34 freebsd pwcheck: pwcheck.c: reply=pwcheck..
    May 4 21:35:34 freebsd pwcheck: pwcheck(dom0001, password)
    May 4 21:35:34 freebsd pwcheck: 1PAM_SUCCESS = 0
    May 4 21:35:34 freebsd pwcheck: 1pam_error = 0
    May 4 21:35:34 freebsd pwcheck: 2pam_error = 0
    May 4 21:35:34 freebsd pwcheck: 3pam_error = 0
    May 4 21:35:34 freebsd pwcheck: 4pam_error = 0
    May 4 21:35:34 freebsd pwcheck: reply = OK

Apparently not. pwcheck() reports PAM_SUCCESS and returns reply = "OK". So,
let's see what happens if I enter a bad password:

    May 4 21:37:24 freebsd pwcheck: pwcheck.c: reply=pwcheck..
    May 4 21:37:24 freebsd pwcheck: pwcheck(dom0001, slkdjf)
    May 4 21:37:24 freebsd pwcheck: 1PAM_SUCCESS = 0
    May 4 21:37:24 freebsd pwcheck: 1pam_error = 0
    May 4 21:37:24 freebsd pwcheck: 2pam_error = 6
    May 4 21:37:24 freebsd pwcheck: 3pam_error = 6
    May 4 21:37:24 freebsd pwcheck: 4pam_error = 6
    May 4 21:37:24 freebsd pwcheck: reply = Incorrect passwd

Looks like pwcheck() is working. Is this a bug in Cyrus or something else
entirely? I am working with cyrus-sasl-1.5.27.

The edited pwcheck():

    char *pwcheck(char *username, char *password)
    {
        /* NULL so pam_end() never sees an uninitialized handle if
         * pam_start() fails. */
        pam_handle_t *pamh = NULL;
        int pam_error;

        /* Debug output added for this test. Note that this line writes
         * the cleartext password to syslog. */
        syslog(LOG_DEBUG, "pwcheck(%s, %s)", username, password);
        syslog(LOG_DEBUG, "1PAM_SUCCESS = %d\n", PAM_SUCCESS);

        /* PAM only handles authentication, not user information. */
        if ( !(username && password && strlen(username) && strlen(password)) )
            return "Incorrect username";

        /* validate password */
        PAM_password = password;
        PAM_username = username;
        fprintf(stderr, "checking %s\n", username);

        /* The PAM service name is fixed to "cyrus" here, whichever
         * protocol the login came in on. */
        pam_error = pam_start("cyrus", username, &PAM_conversation, &pamh);
        syslog(LOG_DEBUG, "1pam_error = %d\n", pam_error);

        if (pam_error == PAM_SUCCESS)
            pam_error = pam_authenticate(pamh, 0);
        syslog(LOG_DEBUG, "2pam_error = %d\n", pam_error);

        if (pam_error == PAM_SUCCESS)
            pam_error = pam_acct_mgmt(pamh, 0);
        syslog(LOG_DEBUG, "3pam_error = %d\n", pam_error);

        if (pam_error == PAM_SUCCESS)
            fprintf(stderr, "\tauthenticated %s\n", username);
        else
            fprintf(stderr, "\tfailed to authenticate %s\n", username);

        /* Release the PAM handle; treat a failure to do so as fatal. */
        if (pam_end(pamh, pam_error) != PAM_SUCCESS) {
            pamh = NULL;
            fprintf(stderr, "pwcheck: failed to release authenticator\n");
            exit(1);
        }
        syslog(LOG_DEBUG, "4pam_error = %d\n", pam_error);

        return ( pam_error == PAM_SUCCESS ? "OK" : "Incorrect passwd" );
    }

Regards, Dustin
---
Dustin Puryear <[EMAIL PROTECTED]>
UNIX and Network Consultant
http://members.telocity.com/~dpuryear
PGP Key available at http://www.us.pgp.net
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
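
The first debug line in the posted pwcheck() puts the cleartext password into syslog, as the log excerpts in the message show. The following is an added example, not part of the original message or of cyrus-sasl: a trace formatter that records the username and only the length of the password, and escapes non-printable bytes in the username. The name format_pwcheck_trace and the output layout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from cyrus-sasl): builds the debug line that the
 * posted pwcheck() hands to syslog, but without the secret. The username is
 * supplied by the client, so any byte that is not printable ASCII (and the
 * backslash itself) is written as \xNN; a name containing a newline then
 * cannot split or forge log lines.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_pwcheck_trace(char *buf, size_t size,
                         const char *username, const char *password)
{
    const unsigned char *p;
    size_t n;
    int r;

    r = snprintf(buf, size, "pwcheck(user=");
    if (r < 0 || (size_t)r >= size)
        return -1;
    n = (size_t)r;

    for (p = (const unsigned char *)(username ? username : ""); *p; p++) {
        if (*p < 0x7f && isprint(*p) && *p != '\\')
            r = snprintf(buf + n, size - n, "%c", *p);
        else
            r = snprintf(buf + n, size - n, "\\x%02x", (unsigned)*p);
        if (r < 0 || (size_t)r >= size - n)
            return -1;
        n += (size_t)r;
    }

    /* Log only the password length: enough to spot an empty or truncated
     * password while debugging, without storing the credential. */
    r = snprintf(buf + n, size - n, ", password=<%lu bytes>)",
                 (unsigned long)(password ? strlen(password) : 0));
    if (r < 0 || (size_t)r >= size - n)
        return -1;
    return (int)(n + (size_t)r);
}

int main(void)
{
    char line[256];

    /* Constructed sample input, modelled on the login in the message. */
    if (format_pwcheck_trace(line, sizeof line, "dom0001", "password") > 0)
        puts(line);
    return 0;
}
```

In pwcheck() the resulting buffer would be passed as `syslog(LOG_DEBUG, "%s", line)` in place of the original `pwcheck(%s, %s)` call.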