README
Pwcheck is a daemon for permitting the SASL library to check passwords
against the shadow password database.

To use:

* Configure the Cyrus SASL library with the "--with-pwcheck" switch.

* Compile and install the Cyrus SASL library software.

* Create the directory "/var/pwcheck" and make it readable by only
  those users who need to be able to verify passwords. For instance, if
  you wish to use pwcheck with Cyrus imapd:

    mkdir /var/pwcheck
    chown cyrus /var/pwcheck
    chmod 700 /var/pwcheck

* Configure your applications to use "pwcheck_method: pwcheck". For
  example, if you are using this with the Cyrus IMAP server, you can
  put in the imapd.conf the following line:

    sasl_pwcheck_method: pwcheck

  or for an application that doesn't overload its configuration file,
  you could put the following line in its configuration file located
  in /usr/lib/sasl (e.g. /usr/lib/<app_name>.conf):

    pwcheck_method: pwcheck

* Upon system startup, arrange for the daemon $prefix/sbin/pwcheck
  to be run as root in the background.

How it works:

The Cyrus servers connect to the unix-domain socket
/var/pwcheck/pwcheck to send a potential user's userid and password to
the pwcheck daemon. The pwcheck daemon uses its root privileges to
verify the userid and password against the shadow password database.
The pwcheck daemon then returns an error message or "OK" to the Cyrus
server and closes the unix-domain connection.

The permissions on the /var/pwcheck directory control who can connect
to the pwcheck daemon. The pwcheck daemon is not designed to deal
with denial-of-service attacks from its clients, so the directory
should be restricted to trustworthy server processes.
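
Because the directory permissions are the only access control on the
socket, it is worth checking them after installation. The following is an
added example, not part of the pwcheck distribution; the function name
audit_pwcheck_dir is hypothetical, and the owner "cyrus" in the usage
comment is taken from the imapd instructions above.

```shell
#!/bin/sh
# Added example (not part of the pwcheck distribution).
# audit_pwcheck_dir DIR OWNER
#   Returns 0 when DIR is a real directory owned by OWNER with no group or
#   other permission bits set; otherwise prints each finding and returns 1.
#   Usage as in this README:  audit_pwcheck_dir /var/pwcheck cyrus
audit_pwcheck_dir() {
    dir=$1 owner=$2 rc=0

    # A symlink could redirect clients to a socket somewhere else.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing, a symlink, or not a directory"
        return 1
    fi

    # "ls -ld" prints e.g. "drwx------ 2 cyrus mail ...": field 1 is the
    # mode string, field 3 the owner.
    ls_line=$(ls -ld "$dir") || return 1
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    actual_owner=$(printf '%s\n' "$ls_line" | awk '{print $3}')

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual_owner, expected $owner"
        rc=1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    case $mode in
        d???------*) ;;
        *) echo "FAIL: $dir has mode $mode; group/other access must be off"
           rc=1 ;;
    esac

    # A trailing "+" means an ACL is attached and may grant extra users access.
    case $mode in
        *+) echo "WARN: $dir has an ACL; review it with your ACL tools" ;;
    esac

    # Informational only: the socket is expected while the daemon is running.
    [ -S "$dir/pwcheck" ] || echo "NOTE: no socket at $dir/pwcheck"

    return $rc
}
```

A non-zero return means some account other than the intended server user
can reach the socket, or the directory is not what the servers expect.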