[Dovecot] SSL Certificates
Stephen Feyrer
steve at toth.org.uk
Sat Aug 9 00:06:10 EEST 2008
Hi Timo.
Thanks, I will persevere. I would like to point out that I'm only using
PAM as it seems the best way to get email to system users. I am open
to another method that might work.
This was my pam.d/imap file
# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $
auth required pam_nologin.so
auth include system-auth
account include system-auth
session include system-auth
My pam.d/imap file now looks like this.
# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $
#auth required pam_nologin.so
auth required pam_allow.so
auth include system-auth
account include system-auth
session include system-auth
This fails the authentication.
While it looks like this it also fails authentication. (I just thought
I'd give it a go.)
# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho Exp $
auth required pam_nologin.so
auth required pam_allow.so
auth include system-auth
account include system-auth
session include system-auth
--
kind regards
Stephen.
Timo Sirainen wrote:
> On Aug 7, 2008, at 5:33 PM, Stephen Feyrer wrote:
>
>> Timo Sirainen wrote:
>>> On Aug 7, 2008, at 2:49 PM, Stephen Feyrer wrote:
>>>> Hi anyone.
>>>>
>>>> Can dovecot be configured to authenticate users using SSL
>>>> Certificates only and not ask for a password?
>>>>
>>>> So far I've got it taking the username from the common name of the
>>>> certificate but I'd like it to use the certificate in place of the
>>>> password.
>>>>
>>>> Is this possible and how?
>>> If you're that far, then you're already authenticating the user
>>> against the certificate. Or assuming you have
>>> ssl_require_client_cert=yes. Then just create a passdb that accepts
>>> any password as valid for the user (nopassword=yes extra field).
>>> In theory there's also this EXTERNAL SASL mechanism that could be
>>> used to log in without user/pass, but Dovecot doesn't currently
>>> support that and I'm not aware of any clients supporting it either.
>>
>> Hi Timo.
>>
>> I am authenticating the user against the certificate as you say and do
>> have ssl_require_client_cert=yes.
>>
>> I'm using PAM to authenticate against my user database at the moment.
>> I'm still baffled... :)
>
> If you only want to allow users to log in with certificates, then just
> change the PAM configuration file to be something like (not tested, and
> my PAM knowledge isn't too good):
>
> auth required pam_allow.so
>
> Although it would be nice to be able to verify that the user still
> exists, but you could do that with certificate revocation lists also..
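
An added illustration, not part of the original post or of Dovecot's documentation: a simplified Python model of how a PAM `auth` stack is combined, applied to the second pam.d/imap variant above. It shows that a `required` always-succeed line placed before `auth include system-auth` does not bypass the included password check. The `system-auth` contents and the per-module results are constructed assumptions, and the function names are hypothetical.

```python
# Added example: a simplified model of how Linux-PAM combines "auth" lines.
# SYSTEM_AUTH and every module result used with it are constructed samples.
SERVICE = """\
# pam.d/imap, second variant from the message above
#auth required pam_nologin.so
auth required pam_allow.so
auth include system-auth
account include system-auth
session include system-auth
"""
SYSTEM_AUTH = """\
auth required pam_env.so
auth required pam_unix.so try_first_pass
account required pam_unix.so
"""

def flatten(text, includes, group="auth"):
    """Return [(control, module)] for one group, expanding 'include' lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != group:
            continue  # comments, blank lines, other management groups
        control, target = fields[1], fields[2]
        if control == "include":
            stack.extend(flatten(includes[target], includes, group))
        else:
            stack.append((control, target))
    return stack

def authenticate(stack, results):
    """results maps module -> True/False. A module missing from the map is
    treated as unloadable, which this model counts as a failure."""
    failed = passed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control in ("required", "requisite"):
            failed = failed or not ok
            passed = passed or ok
            if control == "requisite" and not ok:
                break  # a requisite failure ends the stack immediately
        elif control == "sufficient" and ok and not failed:
            return True  # every earlier required module passed
    return passed and not failed

STACK = flatten(SERVICE, {"system-auth": SYSTEM_AUTH})
# Certificate login with a throwaway password: pam_unix rejects it.
CERT_ONLY = {"pam_allow.so": True, "pam_env.so": True, "pam_unix.so": False}
```

Linux-PAM's stock always-succeed module is named pam_permit.so. A stack reduced to that single line accepts any password, so the certificate check enabled by ssl_require_client_cert=yes becomes the only authentication.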