cyrus-imap and pam_mysql (very strange, and doesn't want to work!)

Mark Nernberg m at telerama.com
Tue May 25 02:33:36 EDT 2004


I've been hacking at this for quite a bit.  A Google search has turned up
some nice little tidbits, but nothing seems to be working.

I have Cyrus-IMAPD set up, and the mysql auth is funky, to say the least.
It seems that any user with any password can login to the system!  Of
course, only users with actual mailboxes can check anything.

My /etc/pam.d/imap file:

#
# $FreeBSD: src/etc/pam.d/imap,v 1.5 2003/03/08 09:50:11 markm Exp $
#
# PAM configuration for the "imap" service
#


auth sufficient pam_mysql.so user=mail passwd=PASSWORD host=127.0.0.1
db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1
logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host
logpidcolumn=pid logtimecolumn=time

account required pam_mysql.so user=mail passwd=PASSWORD host=127.0.0.1
db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1
logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host
logpidcolumn=pid logtimecolumn=time


The output of /var/log/messages:

May 25 02:25:34 cougar saslauthd[67928]: pam_sm_authenticate called.
May 25 02:25:34 cougar saslauthd[67928]: dbuser changed.
May 25 02:25:34 cougar saslauthd[67928]: dbpasswd changed.
May 25 02:25:34 cougar saslauthd[67928]: host changed.
May 25 02:25:34 cougar saslauthd[67928]: database changed.
May 25 02:25:34 cougar saslauthd[67928]: table changed.
May 25 02:25:34 cougar saslauthd[67928]: usercolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: passwdcolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: crypt changed.
May 25 02:25:34 cougar saslauthd[67928]: logtable changed.
May 25 02:25:34 cougar saslauthd[67928]: logmsgcolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: logusercolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: loghostcolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: logpidcolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: logtimecolumn changed.
May 25 02:25:34 cougar saslauthd[67928]: db_connect  called.
May 25 02:25:34 cougar saslauthd[67928]: returning 0 .
May 25 02:25:34 cougar saslauthd[67928]: db_checkpasswd called.
May 25 02:25:34 cougar saslauthd[67928]: pam_mysql: where clause =
May 25 02:25:34 cougar saslauthd[67928]: SELECT password FROM accountuser
WHERE username='rls0001'
May 25 02:25:34 cougar saslauthd[67928]: sqlLog called.
May 25 02:25:34 cougar saslauthd[67928]: insert into log (msg, user, host,
pid, time) values('AUTH SUCCESSFUL', 'rls0001', '', '67928', NOW())
May 25 02:25:34 cougar saslauthd[67928]: Returning 0
May 25 02:25:34 cougar saslauthd[67928]: returning 0 .
May 25 02:25:34 cougar saslauthd[67928]: returning 0.
May 25 02:25:34 cougar imap[67927]: login: hlpdsk.dsl.telerama.com
[205.201.9.222] rls0001 plaintext User logged in


The weird thing is, the password I used for this login was NOT the password
I've assigned to the account!

Fortunately, I'm in the testing-before-deployment phase; this is a serious
potential security issue.


The contents of /etc/imapd.conf:

postmaster: postmaster
configdirectory: /var/imap
partition-default: /var/spool/imap
# admins: cyrus # no admins!
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN
servername: imap.runningleopard.com
autocreatequota: 10000
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
#dracinterval: 0
#drachost: localhost
sasl_pwcheck_method: saslauthd
#sievedir: /usr/sieve
sendmail: /usr/sbin/sendmail
#sieve_maxscriptsize: 32
#sieve_maxscripts: 5
#unixhierarchysep: yes

The whole auth process seems to be "broken".  Any help would be most
appreciated.


---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
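A pre-deployment negative test for the symptom described in this post, added here as an example (it is not from the original post or from the Cyrus project): it asks saslauthd, via the cyrus-sasl `testsaslauthd` tool, to authenticate a deliberately wrong password for the `imap` service and fails if that password is accepted. The account name, both passwords, and the `RUN_CHECK` and `AUTH_CMD` knobs are assumptions made for the example.

```shell
#!/bin/sh
# Negative test for the saslauthd -> pam_mysql stack behind the "imap" service:
# a wrong password must be rejected before the correct one is accepted.
# Assumes testsaslauthd (cyrus-sasl) is installed and saslauthd is running;
# the account name and passwords below are placeholders, not values from the post.

SERVICE="imap"
USER_NAME="testuser"           # placeholder test account
GOOD_PASS="correct-password"   # placeholder: the password stored for that account
BAD_PASS="definitely-wrong"    # constructed: must never be accepted

# AUTH_CMD can be overridden (e.g. with a stub) to exercise this script itself.
AUTH_CMD="${AUTH_CMD:-testsaslauthd}"

# try_auth USER PASS: returns 0 if saslauthd replied "OK", 1 otherwise.
# Assumption: a successful testsaslauthd reply looks like 0: OK "Success."
# and a refusal like 0: NO "authentication failed"; anything else (no tool,
# no socket) yields no ": OK" and is therefore treated as a rejection.
try_auth() {
    reply=$("$AUTH_CMD" -u "$1" -p "$2" -s "$SERVICE" 2>/dev/null)
    case "$reply" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# verify_stack: 0 = stack behaves, 1 = wrong password accepted (the symptom in
# the post), 2 = correct password rejected, 3 = authenticator not available.
verify_stack() {
    command -v "$AUTH_CMD" >/dev/null 2>&1 || { echo "no $AUTH_CMD" >&2; return 3; }
    if try_auth "$USER_NAME" "$BAD_PASS"; then
        echo "FAIL: wrong password for $USER_NAME was ACCEPTED" >&2
        return 1
    fi
    if ! try_auth "$USER_NAME" "$GOOD_PASS"; then
        echo "FAIL: correct password for $USER_NAME was rejected" >&2
        return 2
    fi
    echo "OK: wrong password rejected, correct password accepted"
    return 0
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    verify_stack
fi
```

Run it as `RUN_CHECK=1 sh negtest.sh` on the test box; a return code of 1 reproduces the any-password login seen in the log above.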