pam support in sasl2

Matt Selsky selsky at columbia.edu
Wed Dec 11 16:13:28 EST 2002


This patch to auth_pam.c allows me to authenticate using pam and
saslauthd.  The sasl pam code seems to try to use the PAM_SILENT flag to
tell the pam module that it doesn't need to prompt for the password.  I 
don't think this is standard, but I could be wrong.  Anyways, I'm told 
that pam code needs to use pam_set_item to stuff the password in the 
right place.

$ diff -u auth_pam.c.orig auth_pam.c
--- auth_pam.c.orig     Mon Mar 11 09:52:59 2002
+++ auth_pam.c  Wed Dec 11 16:04:30 2002
@@ -205,6 +205,13 @@
 
     my_appdata.pamh = pamh;
 
+    rc = pam_set_item(pamh, PAM_AUTHTOK, password);
+    if (rc != PAM_SUCCESS) {
+       syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_set_item failed: %s",
+              pam_strerror(pamh, rc));
+       RETURN("NO PAM set_item error");
+    }
+
     rc = pam_authenticate(pamh, PAM_SILENT);
     if (rc != PAM_SUCCESS) {
        syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_authenticate failed: %s",
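
Review bot: The new failure branch after pam_set_item leaves through RETURN("NO PAM set_item error") with no pam_end(pamh, rc) visible, although pamh is already live at this point (it has just been stored in my_appdata.pamh). Unless the RETURN macro releases the handle, call (void) pam_end(pamh, rc) before the RETURN so that a failed set_item does not leak the PAM handle in the saslauthd daemon. Also consider whether this failure should be fatal: where a PAM library refuses PAM_AUTHTOK from an application, every login is rejected here before pam_authenticate is reached, so logging the error and falling through would keep the conversation routine available as the way to supply the password.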


I also set 'use_first_pass' in /etc/pam.conf so my pam module knows not 
to use the conversation routine.

On Wed, Dec 11, 2002 at 01:45:33PM -0500, Matt Selsky wrote:
> I have been using sasl-1.5.27 with sendmail-8.12.3 (using PAM 
> authentication and the PLAIN mechanism).
> 
> Now I'm trying to get sasl-2 going since I'm trying to set up a 
> cyrus-imapd installation.  However, I've noticed some differences in the 
> PAM support.  I built sasl2 with PAM support and without saslauthd.  
> None of the binaries or libraries seem to link against libpam.so  Isn't 
> that necessary?  In sasl1, libsasl.so is linked against libpam.  When I 
> try to use the sample client/server, I get messages like this in syslog:
> 
> Dec 11 11:41:37 lisbon server[5313]: [ID 702911 auth.error] unknown password verifier 
> Dec 11 11:41:37 lisbon server[5313]: [ID 702911 auth.notice] Password verification failed
> 
> sample.conf contains this:
> 
> pwcheck_method: PAM
> 
> 
> Does sasl2 support PAM auth directly?  Do I need to run saslauthd?
> 
> When I built saslauthd, it did link against libpam, but I didn't have
> any more luck getting it to authenticate.  testsaslauthd says 'size read
> failed' when I try to authenticate and saslauthd core dumps.  This is
> the backtrace from gdb:
> 
> (gdb) bt
> #0  0x00011778 in saslauthd_pam_conv (num_msg=1, msg=0xffbfe968, resp=0xffbfe96c, appdata_ptr=0x0)
>     at ../../../src/saslauthd/auth_pam.c:112
> #1  0xff014350 in pam_sm_chauthtok () from /usr/lib/security/pam_krb54.so.1
> #2  0xff013d2c in pam_sm_authenticate () from /usr/lib/security/pam_krb54.so.1
> #3  0xff312a54 in pam_authenticate () from /usr/lib/libpam.so.1
> #4  0x00011904 in auth_pam (login=0x0, password=0xffbfeec0 "notmypass", service=0xffbfedb8 "smtp", realm=0xffbfecb0 "")
>     at ../../../src/saslauthd/auth_pam.c:208
> #5  0x00013524 in do_request (in=151552, out=7) at ../../../src/saslauthd/saslauthd-unix.c:756
> #6  0x00013194 in main (argc=3, argv=0xffbff374) at ../../../src/saslauthd/saslauthd-unix.c:621
> 
> And I get this in syslog:
> 
> Dec 11 13:16:42 lisbon saslauthd[12193]: [ID 206863 auth.error] FATAL: no authentication mechanism specified
> 
> I added 'use_first_pass' to my pam.conf to tell it to use the password
> that the pam call supplies instead of prompting for the password and the
> core dumping stops.  I'm still having problems authenticating, but I 
> think it might be my pam config since I'm getting '0: NO "authentication 
> failed" now.



