2013-03-18
Discussion about imap access from multiple devices made me wonder whether it is possible to set up courier-imapd to accept multiple passwords. I can't tell my android tablet not to keep my imap password, and I don't like it keeping a unix account password that may be able to do more damage. Who knows how secure the storage of passwords is on android. This is at home, so a setup with ldap with multiple userPassword fields is a bit overkill. But I found the right setup: I changed the pam.d/imap config to have a separate auth setup which allows multiple password sources, while the rest of the settings are still the defaults from pam_unix.so. The authdaemonrc config is simple: just use pam. The new /etc/pam.d/imap:

    # PAM configuration file for Courier IMAP daemon
    auth sufficient pam_unix.so
    auth sufficient pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
    auth required pam_deny.so
    @include common-account
    @include common-password
    @include common-session

I kept running into errors at first:

    Mar 18 20:51:14 greenblatt authdaemond: pam_userdb(imap:auth): user_lookup: could not open database `/etc/courier/extrausers.db': No such file or directory

Until I read "pam userdb auth issue (pam_userdb can't open database) vsftpd Sarge - Debian", which explains I have to leave out the .db part in the pam_userdb.so config (corrected above).

Generating that /etc/courier/extrausers.db file is done in two steps. First I use htpasswd to change/add an account in a user:pass textfile:

    root@greenblatt:/etc/courier# htpasswd extrausers koos
    New password:
    Re-type new password:
    Updating password for user koos

And to generate the berkeley db file:

    root@greenblatt:/etc/courier# awk -F: '{print $1; print $2}' < extrausers | db4.6_load -T -t hash extrausers.db

This converts the username:cryptedpassword file to the format which db4.6_load expects: key and value on alternating lines. It all works when the database file has access mode 0600.
This is now in a Makefile:

    extrausers.db: extrausers
    	awk -F: '{print $$1; print $$2}' < extrausers | db4.6_load -T -t hash extrausers.db
    	chmod 600 extrausers.db

Now there is a separate password for all devices which insist on keeping the password stored.
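The conversion above does the job, but a malformed line in the htpasswd file (an empty hash, a stray line without a colon) would silently become a bad record, and the .db file is world-readable for a moment before the chmod runs. The script below is an added example, not from the original post, that wraps the same awk-to-db_load pipeline with input validation and creates the file under a restrictive umask. The sample input, the hash values in it and the helper function names are constructed for the example; it assumes db4.6_load as on the Debian system in the post (on newer systems the tool is called db_load).

```shell
#!/bin/sh
# Added example (not from the original post): turn a username:hash file
# produced by htpasswd into the alternating key/value text format that
# db4.6_load -T expects, refusing malformed lines so a broken entry
# cannot end up as an empty or mangled password record.
# Assumes POSIX sh and awk; db4.6_load is only needed by build_extrausers_db.

# Constructed sample input with the same shape as the htpasswd output in
# the post. The hashes are placeholder crypt(3)-style strings, not real ones.
SAMPLE='koos:$1$examplesalt$placeholderhashvalue
tablet:$1$othersalt$anotherplaceholderhash'

# Print key (user) and value (hash) on alternating lines.
# Exit non-zero if any line does not have exactly two non-empty fields.
extrausers_to_dbload() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 2 || $1 == "" || $2 == "" {
            print "malformed line " NR ": " $0 > "/dev/stderr"
            bad = 1
            next
        }
        { print $1; print $2 }
        END { exit bad }'
}

# Build the Berkeley DB file. The umask makes the new file 0600 from the
# moment it is created, so the hashes are never world-readable, not even
# briefly before a later chmod. Usage: build_extrausers_db extrausers extrausers.db
build_extrausers_db() {
    src=$1
    dst=$2
    ( umask 077 && extrausers_to_dbload < "$src" | db4.6_load -T -t hash "$dst" )
}
```

Because the PAM line uses crypt=crypt, pam_userdb verifies the password by calling crypt(3) with the stored string as the salt, so the hashes in the file must be in a format the system's crypt(3) understands; a format it does not know simply fails to match, which is the safe direction but also the first thing to check when a login is refused.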