Skip to content

Latest commit

 

History

History
227 lines (156 loc) · 7.46 KB

README.rst

File metadata and controls

227 lines (156 loc) · 7.46 KB

pam-imap for 2017+

This is an updated version of pam_imap 0.3.8, taken from http://pam-imap.sourceforge.net/. See README.original for the original readme.

These files were mostly updated last in 2003, 2004 and imap.c in 2009. These edits might make it work in 2017 again.

This fork fix compile and linking issues on Ubuntu 16.04.

Changes

  • Compile & linking fixes
  • New example configs for Ubuntu (original were for CentOS/RHEL)
  • Cleaner config file
  • Changed default config file location to /etc/pam_imap.conf

See also:

Compiling

Debian install prerequisites: libpam0g-dev libssl-dev libgdbm-dev dh-autoreconf

$ sudo apt-get install libpam0g-dev libssl-dev libgdbm-dev dh-autoreconf
$ ./bootstrap
$ ./configure CPPFLAGS=-DVERIFY_CERT
$ make

> Note: > To disable server certificate check, ommit -DVERIFY_CERT flag

Compiling with debug info

$ ./bootstrap
$ ./configure CPPFLAGS=-DVERIFY_CERT --with-debug=yes
$ make

Building a Debian package with gbp:

$ git clean -xf
$ gbp buildpackage -us -uc -sa --git-debian-branch=master --git-upstream-tag='v%(version)s' --git-ignore-new

Install & Setup

  • Copy files
$ sudo cp pam_imap.so /lib/*/security  (/lib/x86_64-linux-gnu/security)
$ sudo cp conf/pam_imap.conf /etc/
$ sudo wget -O /etc/ssl/certs/cacert.pem https://curl.haxx.se/ca/cacert.pem
  • Modify /etc/pam_imap.conf
Example pam_imap.conf:

    PAM_PasswordString = Password:
    CertificateFile /etc/ssl/certs/cacert.pam
    PAM_Server0 = imaps:imap.gmail.com:993
    PAM_Domain = gmail.com
    PAM_BlockList = root, admin, Administrator, apache
    PAM_HashEnable = no
    PAM_HashFile = /etc/pam_imap.gdbm
    PAM_HashDelta = 20
  • Modify PAM configuration in /etc/pam.d for your needs.

For testing you can use check_user utility and check_user config:

$ sudo cp conf/check_user /etc/pam.d/
... modify config /etc/pam.d/check_user ...
$ sudo ./check_user <username_to_test>

Usage: check_user <username> [service], where service is service is the pam service in /etc/pam.d/<service>. Default service is check_user

Example configs

It is recommended that you first use check_user utility and config to test your PAM config stack before you apply on desired service. You don't want to accidentally lock yourself out.

Goals for this examples:

  • User can use his Gmail credentials to login on workstation
  • Only certain users can login to workstation
  • (optional) User can login to workstation if Internet is down / imap server is unreachable

How to implement that?

Lets say john.doe @gmail.com is our user username.

On workstation we will make new user john.doe (or rename current one to john.doe). After we authenticate user against IMAP server, we check if the user has local account on workstation. That way we are preventing any user with valid email/pass to login to workstation. Only users who have local account with same username can use workstation.

> Note: > By default Ubuntu forbids "." in username. Use --force-badname when creating user with adduser

pam_imap.conf content:

PAM_PasswordString = Password:
CertificateFile /etc/ssl/certs/cacert.pam
PAM_Server0 = imaps:imap.gmail.com:993
PAM_Domain = gmail.com
PAM_BlockList = root, admin, Administrator, apache
PAM_HashEnable = no
PAM_HashFile = /etc/pam_imap.gdbm
PAM_HashDelta = 20

For PAM service config we want minimal changes how default config works. On Ubuntu all services (login,sshd,su..) include common-auth, common-account, common-password, common-session". We want our changes to be visible everywhere, so we are going to change some common- file(s).

We are changing how user authenticate and how is authorized to use workstation, so only common-auth and common-account are changed.

For start let's make check_user config to test our modification first, like this:

/etc/pam.d/check_user content:

## From common-auth
#auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient      pam_unix.so     nullok try_first_pass
auth    sufficient      pam_imap.so     conf=/etc/pam_imap.conf
auth    requisite       pam_deny.so
auth    required        pam_permit.so

## From common-account
#account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account required        pam_unix.so
account sufficient                      pam_localuser.so
account requisite                       pam_deny.so
account required                        pam_permit.so

@include common-password
@include common-session

First we try to authenticate with local user username/password. If that fails, then we try to authenticate via IMAP. PAM_IMAP concats '@gmail' on username and send that as username to imap server. If that succeeded, user is successfully authenticated.

Then user is checked if it is authorized to use workstation. pam_localuser checks if user has local account on workstation, and pam_unix checks if local account is enabled and other constraints.

Only if both succeeded, user is able to login to workstation.

Lets check our config:

sudo ./check_user john.doe

Output (if you compiled with debug output)

user=john.doe
Password:
config_file=/etc/pam_imap.conf
Reading configuration file /etc/pam_imap.conf
********************************
Debug-Option printout:
port=993
host=imap.gmail.com
box=INBOX
require_ssl=1
use_imaps=1
use_sslv2=1
use_sslv3=1
use_tlsv1=1
cert_file=/etc/ssl/certs/cacert.pem
[email protected]
********************************
Resolving imap.gmail.com... ok
Connecting to 74.125.206.109:993... ok
SSL support enabled
Logging in...
server_connect() returned: 0 PAM_SUCCESS
pam_sm_authenticate: returning PAM_SUCCESS
check_user: pam_authenticate() returned: 0: PAM_SUCCESS

check_user end result:
########################
Authenticated
Account Authorized
########################

If everything works after testing with check_user then we can modify common-auth and common-account

#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient                      pam_unix.so nullok
auth    sufficient                      pam_imap.so conf=/etc/pam_imap.conf
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
#account        [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account required        pam_unix.so
account sufficient      pam_localuser.so
account requisite                       pam_deny.so
account required                        pam_permit.so

Now we can login to workstation using gmail password. Works also for SSH, sudo, su...