• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

Makefile.amH A D18-Feb-20221.3 KiB336

Makefile.inH A D18-Feb-202223.4 KiB752640

READMEH A D18-Feb-20221.6 KiB4632

pwcheck.cH A D18-Feb-20226.6 KiB275180

pwcheck_getpwnam.cH A D18-Feb-20222.4 KiB7425

pwcheck_getspnam.cH A D18-Feb-20222.3 KiB6921

README

1Pwcheck is a daemon for permitting the SASL library to check passwords
2against the shadow password database.
3
4To use:
5
6* Configure the Cyrus SASL library with the "--with-pwcheck" switch.
7
8* Compile and install the Cyrus SASL library software
9
10* Create the directory "/var/pwcheck" and make it readable by only
11those users who need to be able to verify passwords.  For instance, if
12you wish to use pwcheck with Cyrus imapd:
13
14	mkdir /var/pwcheck
15	chown cyrus /var/pwcheck
16	chmod 700 /var/pwcheck
17
18* Configure your applications to use "pwcheck_method: pwcheck". For
19  example, if you are using this with the Cyrus IMAP server, you can
20  put in the imapd.conf the following line:
21
22	sasl_pwcheck_method: pwcheck
23
24  or for an application that doesn't overload its configuration file,
25  you could put the following line in its configuration file located
26  in /usr/lib/sasl (e.g. /usr/lib/<app_name>.conf):
27
28  	pwcheck_method: pwcheck
29
30* Upon system startup, arrange for the daemon $prefix/sbin/pwcheck
31to be run as root in the background.
32
33How it works:
34
35The Cyrus servers connect to the unix-domain socket
36/var/pwcheck/pwcheck to send a potential user's userid and password to
37the pwcheck daemon.  The pwcheck daemon uses its root privileges to
38verify the userid and password against the shadow password database.
39The pwcheck daemon then returns an error message or "OK" to the Cyrus
40server and closes the unix-domain connection.
41
42The permissions on the /var/pwcheck directory control who can connect
43to the pwcheck daemon.  The pwcheck daemon is not designed to deal
44with denial-of-service attacks from its clients, so the directory
45should be restricted to trustworthy server processes.
46