checkpassword-imap: A checkpassword-compatible interface that authenticates against an IMAP server
Last updated on 12 October 2005.
Copyright © 2005 Alberto Ribeiro
Project Description
I started this project to let a Slackware machine authenticate on my simple network using fgetty. This
network has only minimal services. DNS is used to map users and groups (Hesiod NSS) and IMAP over SSL is
used to authenticate users. This program doesn't use any configuration file; you need to configure your DNS
to say where the IMAP server is, using SRV RR fields, or declare a host called "mail" with the IP of your
IMAP server.
When checkpassword-imap is called, it first checks whether a local user exists in the passwd and shadow
files. Local users have precedence, and only if the user does not exist locally is the IMAP server used to
check the credentials. If the user is a network user, the program tries to find the IMAP server in this order:
an SRV entry for _imaps._tcp; an SRV entry for _imaps._tcp; a host called "mail". After resolving the server,
it connects using SSL (non-SSL connections are forbidden) and checks the username and password. Note: no
certificate file is used to verify the server's authenticity, so you need to protect your DNS, because whoever
controls the DNS answer decides which server receives the username and password.
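The lookup order described above, as an added example (not checkpassword-imap's own code): it picks a server from SRV data, falls back to the host "mail", and builds a TLS client context that does verify the server certificate. The srv_lookup callable, the second zone record, the RFC 2782 priority/weight selection, the port 993 fallback and the private-CA cafile are assumptions made for illustration.

```python
import random
import ssl
from typing import Callable, List, NamedTuple, Optional, Tuple

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(rdata: str) -> Srv:
    """Parse SRV presentation form 'priority weight port target.'"""
    prio, weight, port, target = rdata.split()  # wrong field count raises ValueError
    rec = Srv(int(prio), int(weight), int(port), target.rstrip(".").lower())
    if not (0 <= rec.priority < 65536 and 0 <= rec.weight < 65536 and 0 < rec.port < 65536):
        raise ValueError(f"SRV field out of range: {rdata!r}")
    return rec

def pick(records: List[Srv], rng: random.Random) -> Optional[Srv]:
    """RFC 2782 choice: lowest priority wins, weight breaks ties at random."""
    usable = [r for r in records if r.target]  # a "." target means "service not offered"
    if not usable:
        return None
    best = min(r.priority for r in usable)
    group = [r for r in usable if r.priority == best]
    # Simplification: weight 0 is treated as 1 so the weighted draw is always valid.
    return rng.choices(group, weights=[r.weight or 1 for r in group])[0]

def locate_imaps(domain: str, srv_lookup: Callable[[str], List[str]],
                 rng: Optional[random.Random] = None) -> Tuple[str, int]:
    """SRV entry for _imaps._tcp.<domain> first, then the host called "mail"."""
    records = [parse_srv(r) for r in srv_lookup(f"_imaps._tcp.{domain}")]
    chosen = pick(records, rng or random.Random())
    if chosen is not None:
        return chosen.target, chosen.port
    return "mail", 993  # assumption: the fallback host listens on the standard IMAPS port

def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the server (CERT_REQUIRED plus hostname check)."""
    # Assumption: cafile is a private CA that only issues to the real IMAP hosts.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample zone data; the first record is the SRV line shown on this page.
ZONE = {"_imaps._tcp.intranet": ["0 0 993 imaps1.intranet.", "10 0 993 imaps2.intranet."]}

if __name__ == "__main__":
    host, port = locate_imaps("intranet", lambda name: ZONE.get(name, []))
    print(host, port, tls_context().verify_mode)
```

With a context like this, a spoofed SRV answer can still redirect the connection, but the handshake fails unless the server presents a certificate for the returned name signed by the trusted CA.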
This program doesn't cache credentials, so it is slow when used on servers. It was developed for use only
with fgetty.
License
The checkpassword-imap code is released under the GNU license,
because it uses a lot of GNU code from isynclib, found inside
pam_imap. The IMAP server resolver code was stolen
from the smaller SRV parser of Columbia University
(unknown license) and the rest was stolen from fgetty's checkpassword,
also GPL'd code.
I just glued all these pieces together.
Installation and execution
This package is intended for use with fgetty, so first find an fgetty package for your distribution. You
also need the openssl libraries installed.
After installing fgetty, you can install checkpassword-imap. On Red Hat FC4, install the package and
create a symbolic link from checkpassword to checkpassword-imap. On Slackware, download the source and
compile it. Converting the rpm package will not work because the openssl libraries have different names on
each distribution.
With all packages in the right place, you need to configure your inittab to use fgetty instead of the other
getty (see the fgetty docs) and configure your DNS to announce the IMAP server with SRV RR fields, or just
name your IMAP server "mail" (this can also be done in /etc/hosts). Below is an example line from a bind
configuration file (zone domain: intranet) declaring the SRV field:
_imaps._tcp SRV 0 0 993 imaps1.intranet.
Bugs
I'm using this tool on Slackware 10.1 with fgetty and it works for me. If you find a bug, please use
the mailing list.
TODO for version 2.0
Create some documentation and some graphical login alternatives using checkpassword.