pam support in sasl2

Matt Selsky selsky at columbia.edu
Wed Dec 11 13:45:33 EST 2002


I have been using sasl-1.5.27 with sendmail-8.12.3 (using PAM 
authentication and the PLAIN mechanism).

Now I'm trying to get sasl-2 going since I'm trying to set up a 
cyrus-imapd installation.  However, I've noticed some differences in the 
PAM support.  I built sasl2 with PAM support and without saslauthd.  
None of the binaries or libraries seem to link against libpam.so.  Isn't 
that necessary?  In sasl1, libsasl.so is linked against libpam.  When I 
try to use the sample client/server, I get messages like this in syslog:

Dec 11 11:41:37 lisbon server[5313]: [ID 702911 auth.error] unknown password verifier 
Dec 11 11:41:37 lisbon server[5313]: [ID 702911 auth.notice] Password verification failed

sample.conf contains this:

pwcheck_method: PAM


Does sasl2 support PAM auth directly?  Do I need to run saslauthd?

When I built saslauthd, it did link against libpam, but I didn't have
any more luck getting it to authenticate.  testsaslauthd says 'size read
failed' when I try to authenticate and saslauthd core dumps.  This is
the backtrace from gdb:

(gdb) bt
#0  0x00011778 in saslauthd_pam_conv (num_msg=1, msg=0xffbfe968, resp=0xffbfe96c, appdata_ptr=0x0)
    at ../../../src/saslauthd/auth_pam.c:112
#1  0xff014350 in pam_sm_chauthtok () from /usr/lib/security/pam_krb54.so.1
#2  0xff013d2c in pam_sm_authenticate () from /usr/lib/security/pam_krb54.so.1
#3  0xff312a54 in pam_authenticate () from /usr/lib/libpam.so.1
#4  0x00011904 in auth_pam (login=0x0, password=0xffbfeec0 "notmypass", service=0xffbfedb8 "smtp", realm=0xffbfecb0 "")
    at ../../../src/saslauthd/auth_pam.c:208
#5  0x00013524 in do_request (in=151552, out=7) at ../../../src/saslauthd/saslauthd-unix.c:756
#6  0x00013194 in main (argc=3, argv=0xffbff374) at ../../../src/saslauthd/saslauthd-unix.c:621

And I get this in syslog:

Dec 11 13:16:42 lisbon saslauthd[12193]: [ID 206863 auth.error] FATAL: no authentication mechanism specified

I added 'use_first_pass' to my pam.conf to tell it to use the password
that the pam call supplies instead of prompting for the password and the
core dumping stops.  I'm still having problems authenticating, but I 
think it might be my pam config since I'm getting '0: NO "authentication 
failed"' now.



