pam+cyrus failed to authenticate

Jeremy Rumpf jrumpf at heavyload.net
Tue Nov 16 12:12:10 EST 2004


On Tuesday 16 November 2004 03:13 am, sam wun wrote:
> Simon Matter wrote:
> >>Hi,
> >>
> >>I got cyrus-imap2.2 and cyrus-sasl2.1.20 with saslauthd2 compiled in
> >>FreeBSD 5.3.
> >>I can successfully login with the following cyradm command:
> >># cyradm -u cyrus --server gateway.mydom.com --auth plain
> >>Password:
> >>IMAP Password:
> >>            gateway.mydom.com>
> >>The log corresponding to the above cyradm command is:
> >>
> >>Nov 16 06:06:43 gateway imap[73636]: badlogin: gateway.mydom.com
> >>[192.168.4.88] PLAIN [SASL(-16): encryption needed to use mechanism:
> >>security flags do not match required]
> >>Nov 16 06:06:46 gateway perl: No worthy mechs found
> >>Nov 16 06:06:50 gateway imap[73636]: login: gateway.mydom.com
> >>[192.168.4.88] cyrus plaintext User logged in
> >>
> >>I can see there is some problem here even though cyradm logged in
> >>successfully, but the second log message indicated that cyrus is logged
> >>in.
> >>Then, I also added bob at mydom.com user account using the cyradm admin
> >>shell.
> >>
> >>I further test the cyrus server by adding user at domain.com to the
> >>imap.password file:
> >>pwadd -a bob at mydom.com
> >
> >I'm not sure this will work. IIRC with pam you have to use 'saslauth
> >-r' to make it not remove everything behind @.
>
> Thanks, it works from external mail client (mozilla).
> The log msg is:
> Nov 16 07:32:06 gateway imap[73957]: login: [192.168.4.235]
> abc.xyz at mydom.com plaintext User logged in
>
> But the following imtest command failed when I test it in the gateway as
> root:
> imtest -m plaintext -v -a bob at mydom.com
> The error log is:
> Nov 16 07:30:17 gateway imap[73953]: badlogin: localhost.mydom.com [::1]
> PLAIN [SASL(-16): encryption needed to use mechanism: security flags do
> not match required]
>
> Thanks
> Sam
>
> >Simon
> >
> >># cat imap.passwd
> >>abc.xyz at mydom.com:$1$OxTrXXu7$SPv0UCpp4BuyFGy6uQkBn1
> >>cyrus:$1$EUHsnXCc$qpuk26X8VPQnIifMbnap6.
> >>bob at mydom.com:$1$3gb6Wviv$0zrfF91CdEd3IlI7c62QQ1
> >>
> >>But imtest failed with the following message:
> >>
> >>Nov 16 06:05:16 gateway saslauthd[73020]: user not found in password
> >>database
> >>Nov 16 06:05:16 gateway imap[73621]: badlogin: gateway.mydom.com
> >>[192.168.4.88] plaintext bob at mydom.com SASL(-13): authentication
> >>failure: checkpass failed
> >>
> >>I searched google, but found not much useful information.
> >>Can anyone tell me how to fix this problem?
> >>
> >>I have saslauthd started with -a pam.
> >>imapd.conf is defined with the option:
> >>sasl_pwcheck_method: saslauthd
> >>
> >>Thanks
> >>Sam


If you're using saslauthd to handle your passwords then cyrus/sasl can only 
accept plain text mechanisms. MD5, OTP, etc. will not work since sasl needs 
the plaintext password in order to pass off to saslauthd for authentication. 
Because of this, you should do the final connect (once you get it working) 
with some sort of SSL/TLS support.

First thing, saslauthd runs as root. This is to provide separation of a 
privileged password checker to a non-privileged process.

so chown root:root /usr/local/etc/imap.passwd
chmod 640 /usr/local/etc/imap.passwd

In your imapd.conf

sasl_pwcheck_method: saslauthd
sasl_minimum_layer: 0
sasl_maximum_layer: 1
sasl_mech_list: PLAIN LOGIN

Then as root from a terminal, startup saslauthd in debug mode:

saslauthd -d -r -a pam

In another terminal:

imtest -m login -v -a bob at mydom.com -u bob at mydom.com

And report back.

Jeremy
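As an added example (not part of the thread, and not Cyrus or SASL project code), a small Python audit over Cyrus imapd syslog lines of the kind quoted above: it decodes the two SASL result codes seen in the thread (-16 SASL_ENCRYPT, -13 SASL_BADAUTH) and flags cleartext logins that were not protected by TLS, which is the exposure Jeremy points out. The sample lines are constructed from the thread's excerpts with '@' restored in the addresses; the '+TLS' suffix on the mechanism is assumed to be Cyrus's marker for a login negotiated after STARTTLS.

```python
import re
# SASL result codes seen in the thread's log excerpts (names from cyrus-sasl's sasl.h).
SASL_CODES = {-13: "SASL_BADAUTH: password check failed (saslauthd/PAM rejected the user)",
              -16: "SASL_ENCRYPT: mechanism refused because the session is not encrypted"}

# Constructed sample modelled on the syslog lines quoted in the thread; the last line
# assumes Cyrus's "+TLS" suffix, logged when the login happened after STARTTLS.
SAMPLE_LOG = """\
Nov 16 06:06:43 gateway imap[73636]: badlogin: gateway.mydom.com [192.168.4.88] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Nov 16 06:06:50 gateway imap[73636]: login: gateway.mydom.com [192.168.4.88] cyrus plaintext User logged in
Nov 16 06:05:16 gateway imap[73621]: badlogin: gateway.mydom.com [192.168.4.88] plaintext bob@mydom.com SASL(-13): authentication failure: checkpass failed
Nov 16 07:30:17 gateway imap[73953]: badlogin: localhost.mydom.com [::1] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]
Nov 16 07:32:06 gateway imap[73957]: login: [192.168.4.235] abc.xyz@mydom.com plaintext+TLS User logged in
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imap\[\d+\]: (?P<event>login|badlogin): "
                     r"(?P<client>(?:\S+ )?\[[^\]]+\]) (?P<tail>.*)$")
SASL_RE = re.compile(r"^(?P<pre>.*?)\s*\[?SASL\((?P<code>-?\d+)\): (?P<msg>.*?)\]?$")

def parse_line(line):
    """Return a dict for one Cyrus imapd login/badlogin line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "event": m["event"], "client": m["client"]}
    if ev["event"] == "login":               # tail is "<user> <mech>[+TLS] User logged in"
        ev["user"], ev["mech"] = m["tail"].split()[:2]
        ev["tls"] = ev["mech"].endswith("+TLS")
    else:
        s = SASL_RE.match(m["tail"])
        pre = s["pre"].split()                 # "<mech> [<user>]" precedes the SASL result
        ev["mech"], ev["user"] = pre[0], (pre[1] if len(pre) > 1 else None)
        ev["code"], ev["msg"] = int(s["code"]), s["msg"]
    return ev

def audit(log_text):
    """List (finding, user, client) tuples: cleartext logins without TLS, and decoded failures."""
    findings = []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["event"] == "login" and not ev["tls"]:
            findings.append(("CLEARTEXT_LOGIN_NO_TLS", ev["user"], ev["client"]))
        elif ev["event"] == "badlogin":
            name = SASL_CODES.get(ev["code"], "SASL(%d)" % ev["code"]).split(":")[0]
            findings.append((name, ev["user"], ev["client"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("%-24s user=%s client=%s" % finding)
```

The TLS-protected login in the last sample line produces no finding; every cleartext login and each SASL failure does, so the same parser can run over a real /var/log/maillog to check whether the final fix actually moved clients onto TLS.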