Discussion about imap access from multip ... / 2013-03-18

2013-03-18 Discussion about imap access from multip ... 7 years ago
Discussion about imap access from multiple devices made me wonder whether it is possible to set up courier-imapd to accept multiple passwords. I can't tell my android tablet to not keep my imap password, and I don't like it keeping a unix account password that may be able to do more damage. Who knows how secure the storage of passwords is on android.

This is at home, so a setup with ldap with multiple userPassword fields is a bit overkill. But I found the right setup: I changed the pam.d/imap config to have a separate auth setup which allows multiple password sources while the rest of the settings is still default from pam_unix.so. The authdaemonrc config is simple: just use pam.

The new /etc/pam.d/imap:
# PAM configuration file for Courier IMAP daemon

auth    sufficient      pam_unix.so
auth    sufficient      pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
auth    required        pam_deny.so
@include common-account
@include common-password
@include common-session
I kept running into errors at first:
Mar 18 20:51:14 greenblatt authdaemond: pam_userdb(imap:auth): user_lookup: could not open database `/etc/courier/extrausers.db': No such file or directory
Until I read pam userdb auth issue (pam_userdb can't open database) vsftpd Sarge - Debian which explains I have to leave out the .db part in the pam_userdb.so config (corrected above). Generating that /etc/courier/extrausers.db file is done in two steps, first I use htpasswd to change/add an account to a user:pass textfile:
root@greenblatt:/etc/courier# htpasswd extrausers koos
New password: 
Re-type new password: 
Updating password for user koos
And to generate the berkeley db file:
root@greenblatt:/etc/courier# awk -F: '{print $1; print $2}' < extrausers | db4.6_load -T -t hash extrausers.db
This converts the username:cryptedpassword file to the format which db4.6_load expects: key and value on alternating lines. It all works when the database file has access mode 0600. This is now in a Makefile:
extrausers.db: extrausers
        awk  -F:  '{print  $$1;  print  $$2}' < extrausers | db4.6_load -T -t hash extrausers.db
        chmod 600 extrausers.db

Now there is a separate password for all devices which insist on keeping the password stored.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.54 2020/12/31 15:36:31 koos Exp $ in 0.005446 seconds.