This is a PAM module that authenticates a user login against a remote IMAP or IMAPS server. The module supports server rollover, so a list of servers can be queried in turn if the previous server is down. With a bit of PAM configuration hacking, it will also work with other modules to allow logins to be authenticated locally and/or remotely with IMAP on the same system.
pam-imap features:
-- User BlockList: Allows pam-imap to skip authenticating users such as 'root', 'apache', and others.
-- Password caching: Possibly useful in situations where network connections are slow or server loads are high. It has a few security risks, however; check out the README file for more info.
-- Support for username@domain.com style logins. With Micro$oft style IMAP servers, the "@domain.com" can be appended to the UNIX username for easy compatibility.
-- Customizable "Password: " string... You could change it to anything! Maybe "IMAP Password: ". The possibilities are endless.
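The three checks above (blocklist, server rollover, and the "@domain.com" suffix) are easy to get subtly wrong, in particular the rule that rollover only applies when a server is *down*, never when a live server says NO. The following is an added Python illustration of that logic, not code from pam-imap itself; the host names, blocklist entries, `DOMAIN_SUFFIX`, and the `FakeIMAP` connector are constructed so the example runs offline, and `imap_connect` is what you would pass in for a real IMAPS server.

```python
import imaplib
import socket
import ssl

# Constructed sample configuration (hypothetical hosts, not from the project).
SERVERS = ["imap1.example.edu", "imap2.example.edu"]
BLOCKLIST = {"root", "apache", "nobody"}
DOMAIN_SUFFIX = "@example.edu"   # appended for username@domain.com style servers


class ServerDown(Exception):
    """Raised by a connector when a server cannot be reached at all."""


def imap_connect(host):
    """Real connector: open an IMAPS session, mapping network errors to ServerDown."""
    try:
        return imaplib.IMAP4_SSL(host, ssl_context=ssl.create_default_context())
    except (OSError, socket.timeout) as exc:
        raise ServerDown(str(exc))


def authenticate(username, password, servers=SERVERS, blocklist=BLOCKLIST,
                 domain_suffix="", connect=imap_connect):
    """Return one of 'ok', 'denied', 'blocked', 'unavailable'.

    blocked:     username is on the local blocklist; nothing is sent to the network
    denied:      a reachable server explicitly rejected the credentials (final)
    unavailable: every server in the list was down, i.e. rollover was exhausted
    """
    if username in blocklist:
        return "blocked"
    login_name = username + domain_suffix
    for host in servers:
        try:
            conn = connect(host)
        except ServerDown:
            continue  # rollover: only an unreachable server lets us try the next one
        try:
            conn.login(login_name, password)
        except imaplib.IMAP4.error:
            # An explicit NO from a live server is a real rejection; do not fall
            # through to another server and give the caller a second guess.
            return "denied"
        finally:
            try:
                conn.logout()
            except Exception:
                pass  # a failed LOGOUT must not change the authentication result
        return "ok"
    return "unavailable"


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL so the example runs offline."""

    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, password):
        if self.accounts.get(user) != password:
            raise imaplib.IMAP4.error("LOGIN failed")
        return "OK", [b"LOGIN completed"]

    def logout(self):
        return "BYE", [b"logging out"]


def make_fake_connector(down, accounts):
    """Build a connector where hosts in `down` are unreachable and the rest
    accept the constructed `accounts` mapping of login name to password."""
    def connect(host):
        if host in down:
            raise ServerDown(host + " unreachable")
        return FakeIMAP(accounts)
    return connect


if __name__ == "__main__":
    # imap1 is down, imap2 is up and knows alice@example.edu / s3cret.
    connect = make_fake_connector(down={"imap1.example.edu"},
                                  accounts={"alice@example.edu": "s3cret"})
    print(authenticate("alice", "s3cret", domain_suffix=DOMAIN_SUFFIX, connect=connect))
    print(authenticate("alice", "wrong", domain_suffix=DOMAIN_SUFFIX, connect=connect))
    print(authenticate("root", "anything", connect=connect))
```

The distinction between "denied" and "unavailable" matters for the calling PAM stack: a PAM_AUTH_ERR style result should only come from a server that actually saw the password, while an all-servers-down result is what you would want to log and alert on separately.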
Examples of recommended use:
1) A lab of UNIX/Linux machines that requires an easily accessible password database, served from an IMAP server.
2) Authenticating users against a centralized password server that you have no control over, which conveniently has an IMAP server. (The arms-tied-behind-your-back scenario.)
3) Authenticating with applications that do not run as root. (Apache is a good example; read the user testimonials below.)
4) An IMAP cluster authentication relay. pam-imap can be used for a cheap IMAP cluster solution: have one or two master IMAP servers that hold the username/password database (be it LDAP, shadow, etc.) and run an IMAP server, have several cluster node servers to handle the bandwidth of client requests, and use pam-imap on each node to authenticate against the master server(s). (The node machines will use pam-imap in their 'imap' service file.) Tie everything together with round-robin DNS and NFS mail folders, and you have yourself an IMAP cluster!
5) ??? (Help me brainstorm some more here.)
Here are some comments posted to the pam-imap mailing list:
"In order to set up dspam's CGI [in Apache], I needed a way to authenticate users with HTTP auth. I do not want to run the web server as root. pam-imap made it a snap to solve this problem."
-- Neale Pickett
For Apache to authenticate with PAM (more specifically, pam_unix.so), it needs read access to the /etc/shadow file, which is a horrible security hole. With pam-imap, one can run an IMAP server locally and authenticate Apache against it with pam-imap. Although this is still a bit of a hack, it removes the need for Apache itself to have root-level access. imapd must be run as root, but it can easily be firewalled.
"I work for a big University (60k pupils), in Seville, Spain. We only have a public MX. All mail that gets in or out of the university goes through [the MX]. We use pam-imap to authenticate smtp-auth with checkpassword-pam & qmail. We have implemented pam-imap with perdition mail retrieval proxy for a "poor man's ldap". We can authenticate 50,000 users using [50] different imap(s) servers. Thank you for developing pam_imap !!! :-) "
-- Javier de Miguel Rodríguez
Read recommended use #4 for a brief description of this setup. If you would like to know more about this implementation, search the mailing list or join the list to ask questions!
This project is mainly the result of a project for Minnesota State University-Moorhead's Computer Science Dept.
Questions, comments, and any help: Please join the mailing list or just shoot an email to pam-imap-help@lists.sourceforge.net
This project is licensed GPL.
Project Admin: Cal Heldenbrand