Discussion about imap access from multip ... / 2013-03-18

Discussion about IMAP access from multiple devices made me wonder whether it is possible to set up courier-imapd to accept multiple passwords. I can't tell my Android tablet not to keep my IMAP password, and I don't like it keeping a Unix account password that may be able to do more damage. Who knows how secure the storage of passwords is on Android.

This is at home, so a setup with LDAP and multiple userPassword fields is a bit overkill. But I found the right setup: I changed the pam.d/imap config to have a separate auth stack which allows multiple password sources, while the account, password and session settings stay at their defaults. The authdaemonrc config is simple: just use pam.

The new /etc/pam.d/imap:
# PAM configuration file for Courier IMAP daemon

auth    sufficient      pam_unix.so
auth    sufficient      pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
auth    required        pam_deny.so
@include common-account
@include common-password
@include common-session
I kept running into errors at first:
Mar 18 20:51:14 greenblatt authdaemond: pam_userdb(imap:auth): user_lookup: could not open database `/etc/courier/extrausers.db': No such file or directory
Until I read "pam userdb auth issue (pam_userdb can't open database) vsftpd Sarge - Debian", which explains that I have to leave out the .db part in the pam_userdb.so config (corrected above). Generating that /etc/courier/extrausers.db file is done in two steps. First I use htpasswd to add an account to, or change an account in, a user:pass text file:
root@greenblatt:/etc/courier# htpasswd extrausers koos
New password: 
Re-type new password: 
Updating password for user koos
Then, to generate the Berkeley DB file:
root@greenblatt:/etc/courier# awk -F: '{print $1; print $2}' < extrausers | db4.6_load -T -t hash extrausers.db
This converts the username:cryptedpassword file to the format which db4.6_load expects: key and value on alternating lines. It all works with the database file at access mode 0600. This is now in a Makefile:
extrausers.db: extrausers
        awk  -F:  '{print  $$1;  print  $$2}' < extrausers | db4.6_load -T -t hash extrausers.db
        chmod 600 extrausers.db
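As an added example (not from the original post), here is a shell script that does the same conversion and build with two checks the Makefile lacks: malformed lines in the text file are rejected instead of becoming bogus keys, and the .db file is created under umask 077 rather than chmod'ed afterwards, so it is never readable by other users in between. It assumes the loader is called db4.6_load as above (override with DB_LOAD) and that the stored hashes are crypt(3)-compatible, which is what pam_userdb's crypt=crypt compares against.

```shell
#!/bin/sh
# Added example, not from the original post: build the pam_userdb database
# from an htpasswd-style "user:crypthash" file with a few safety checks.
# Assumes the Berkeley DB loader is named db4.6_load as on the page;
# set DB_LOAD in the environment to use another name (e.g. db_load).
set -eu

DB_LOAD="${DB_LOAD:-db4.6_load}"

# Convert user:hash lines into the alternating key/value text that
# db_load -T expects. Lines without exactly two non-empty fields are
# reported and make the function fail, so a typo in the text file cannot
# end up as an empty username or an empty hash in the database.
to_dbload_text() {
    awk -F: '
        NF != 2 || $1 == "" || $2 == "" {
            printf "malformed line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
            next
        }
        { print $1; print $2 }
        END { exit bad }' "$1"
}

# Build <file>.db from <file>; the pam_userdb db= option names <file>
# without the .db suffix. The database is written under umask 077 so it
# is 0600 from the moment it exists, instead of being chmod'ed afterwards.
# pam_userdb with crypt=crypt compares crypt(3) output against the stored
# value, so the hashes must be ones the system's crypt(3) can produce.
build_db() {
    src="$1"
    tmp="${src}.db.tmp"
    text="$(to_dbload_text "$src")"   # set -e aborts here on malformed input
    rm -f "$tmp"
    ( umask 077; printf '%s\n' "$text" | "$DB_LOAD" -T -t hash "$tmp" )
    mv "$tmp" "${src}.db"
}

# Usage: ./build-extrausers.sh build /etc/courier/extrausers
case "${1:-}" in
    build) build_db "${2:?path to the extrausers text file required}" ;;
esac
```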

Now there is a separate password for all devices which insist on keeping the password stored.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).