[Dovecot] Looking for a good way to manage passwords for CRAM-MD5

Steinar Bang sb at dod.no
Wed May 15 23:44:14 EEST 2013


>>>>> Steinar Bang <sb at dod.no>:
>>>>> Professa Dementia <professa at dementianati.com>:

>>> There are plugins that allow you to call some glue logic (Perl,
>>> Python, shell scripts, etc) which enables you to interface to pretty
>>> much any method (SQL, LDAP, shadow files, etc) you have chosen to
>>> save passwords - that is, as long as you are capable of writing the
>>> glue logic yourself.

[snip! PAM modules in perl and python]
> However, I'm not really all that familiar with Python, so it may just be
> simpler to write a module in C or C++.  Here are three articles that
> look like they might be useful to accomplish this.
>  http://www.linuxdevcenter.com/pub/a/linux/2002/05/02/pam_modules.html
>  http://www.linuxdevcenter.com/pub/a/linux/2002/05/23/pam_modules.html
>  http://www.linuxdevcenter.com/pub/a/linux/2002/05/30/pam_modules.html

> (The articles are 11 years old, though, so they may be a bit out of
> date)

The articles weren't all that helpful really.  They missed the most
important part: a simple example showing all of the parts that take
place in a module.

But anyway, here is a PAM module, written in ANSI C/POSIX, that will
hook into a password change in PAM, and use the password change to
update a CRAM-MD5 coded version of the same password, in the file
"/etc/dovecot/cram-md5.pwd" (currently hardcoded).
   https://github.com/steinarb/pam_dovecotmd5pwd

Some PAM module basics:

 1. #define the roles your module will have.  My module only hooked into
    password changes, so I only have the line:
     #define PAM_SM_PASSWORD
 2. Include the pam_modules.h file (Note: this must be _after_ the
    #defines that define the roles)
 3. Implement the method(s) for the roles you have #define'd (I have
    only one)
 4. Inside "#ifdef PAM_STATIC" define a struct that will hold the name
    of the module, and function pointers to all the implemented
    methods.  This struct is used if all of the PAM modules are linked
    statically into a single binary

Hm... here was actually a good example of a module that hooks into all
roles and returns "ignore" on all of them:
 http://www.rkeene.org/projects/info/wiki/222
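
The module described in this message rewrites a credentials file on every password change. The C function below is an added example, not part of the original message and not code from pam_dovecotmd5pwd: it shows one way to do that rewrite so the file is never world-readable and never seen half-written. The function name `set_cram_entry` and the `user:{CRAM-MD5}hash` line format are assumptions, and computing the hash is left to the caller.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, fdopen, fsync, fchmod */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Replace or append the entry for `user` in a file of "user:{CRAM-MD5}hash"
 * lines (assumed format). The new content goes to a 0600 temp file in the
 * same directory and is rename()d over the original, so a reader sees the old
 * file or the new one. Returns 0, or -1 with the original file untouched. */
int set_cram_entry(const char *path, const char *user, const char *hash)
{
    char tmp[4096], line[1024];
    size_t ulen = strlen(user);
    int fd, ok = 1, bol = 1, drop = 0;
    FILE *in, *out;

    /* Refuse values that would inject an extra field or line. */
    if (ulen == 0 || strpbrk(user, ":\r\n") || strpbrk(hash, ":\r\n"))
        return -1;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp)
        return -1;
    if ((fd = mkstemp(tmp)) < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || !(out = fdopen(fd, "w"))) {
        close(fd); unlink(tmp);
        return -1;
    }
    in = fopen(path, "r");
    if (!in && errno != ENOENT) ok = 0;      /* unreadable is not "empty" */
    while (in && fgets(line, sizeof line, in)) {
        if (bol)                             /* match only at start of line */
            drop = strncmp(line, user, ulen) == 0 && line[ulen] == ':';
        if (!drop)
            fputs(line, out);                /* keep other users' entries */
        bol = strchr(line, '\n') != NULL;
    }
    if (in) { ok = !ferror(in); fclose(in); }
    if (!bol && !drop) fputc('\n', out);     /* last kept line lacked '\n' */
    fprintf(out, "%s:{CRAM-MD5}%s\n", user, hash);
    ok = ok && fflush(out) == 0 && fsync(fd) == 0;
    if (fclose(out) != 0) ok = 0;
    if (ok && rename(tmp, path) == 0)
        return 0;
    unlink(tmp);
    return -1;
}
```

Two updates running at the same time can still overwrite each other's change, so a caller that may run in parallel needs a lock around the call. The new file is owned by the calling process, so check that Dovecot's auth process can still read it.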



