Password Authentication

tmda-cgi currently has three possible authentication mechanisms, described below:

Remote Authentication

tmda-cgi supports authentication by a remote host, using some common existing protocols:

  • imap
  • imaps (secure SSL imap)
  • apop
  • pop3
  • ldap (requires separately obtained python ldap library)

The authentication mechanism is specified as a URI in the regular URI format: protocol://host.domain.com[:port][/ldap_domain] where "protocol" must be one of the protocols listed above, the port is optional (the protocol's standard port is used if it is omitted), and the trailing /ldap_domain element applies only to ldap.

IMAPS Notes:

Although you can get IMAPS working with tmda-cgi (and TMDA in general), there are a few version restrictions.

  • Python 2.1 is not supported.
  • If running Python 2.2.x, you need at least TMDA 0.89 for IMAPS.
  • Python 2.3.x should work with any version of TMDA.
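The URI form above is compact but easy to get subtly wrong (an unsupported protocol, a path on a non-LDAP URI, a non-numeric port). The following is an added example of how such a URI can be parsed and validated before it is used; it is not tmda-cgi's own parser. The default ports are the standard IANA assignments and are an assumption here, since this page does not state which defaults tmda-cgi applies.

```python
from urllib.parse import urlsplit

# Protocols tmda-cgi accepts for remote authentication, with the standard port
# for each. The port values are an assumption (IANA defaults), not something
# this page specifies for tmda-cgi.
DEFAULT_PORTS = {"imap": 143, "imaps": 993, "apop": 110, "pop3": 110, "ldap": 389}


def parse_auth_uri(uri):
    """Split protocol://host.domain.com[:port][/ldap_domain] into its parts.

    Rejects unsupported protocols, a missing host, a non-integer port, an
    ldap_domain suffix on anything other than ldap://, and stray components
    (credentials, query, fragment) that the documented format has no room for.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported authentication protocol: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host in %r" % uri)
    port = parts.port  # urlsplit raises ValueError for a non-numeric or out-of-range port
    if port is None:
        port = DEFAULT_PORTS[scheme]
    ldap_domain = parts.path.strip("/") or None
    if ldap_domain is not None and scheme != "ldap":
        raise ValueError("a /ldap_domain suffix is only meaningful for ldap://")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("unexpected components in %r" % uri)
    return {
        "protocol": scheme,
        "host": host,
        "port": port,
        "ldap_domain": ldap_domain,
        # Only imaps wraps the session in SSL; the others carry the login
        # exchange over a cleartext connection (apop hashes the password but
        # does not encrypt the session).
        "encrypted_transport": scheme == "imaps",
    }


if __name__ == "__main__":
    for example in ("imaps://mail.example.com",
                    "ldap://ldap.example.com:3389/example.com",
                    "http://mail.example.com"):
        try:
            print(example, "->", parse_auth_uri(example))
        except ValueError as err:
            print(example, "-> rejected:", err)
```

The encrypted_transport flag is the value to check before pointing tmda-cgi at a host across an untrusted network: only the imaps form keeps the user's password off the wire.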

Program Authentication

tmda-cgi supports authentication by a checkpassword-style program (see a description of this interface). Typically, this is checkpassword or vchkpw.

When specifying this method of authentication, you may need to supply additional parameters to your checkpassword program. A checkpassword-style program runs a further command once the password has been verified; by default, configure appends /bin/true or /usr/bin/true for that purpose, but any program that eventually exits with status 0 will do.

File Authentication

This method authenticates logins against user name & password pairs stored in a password file (or files). tmda-cgi will look either in the file specified during compilation, or in the default locations for the password file, but the file(s) must be readable by the CGI.

If you are running in system-wide mode, the password file can be owned by root. If you are running in single-user mode, the password file can be owned by the user who will be running the CGI. If you are running in no-su mode, the file must either be owned by "nobody" (or whatever user your web server is configured to run as) or made globally readable. See the table below for a better breakdown of your options.

By default, tmda-cgi checks the following locations to find a password file. It reads and processes the first file it finds:

  • a file named tmda-cgi in the same directory as the user's configuration file (if that location has been specified; otherwise ~user/.tmda/tmda-cgi)

  • /etc/tmda-cgi

This allows the user to override their password once it is set by the system administrator.

                     ~user/.tmda/tmda-cgi       /etc/tmda-cgi
                     owner   permissions        owner   permissions
        system-wide  user    600                root    600
        single-user  user    600                n/a
        no-su        user    644                root    644
                                                nobody  600
  File owner & permission options

The password file for tmda-cgi is formatted in much the same way as the password file for tofmipd. In fact, if you are using a password file with tofmipd and you wish to run tmda-cgi in system-wide mode, feel free to make a symbolic link between the two:

# ln -s /etc/tofmipd /etc/tmda-cgi

Password files for tmda-cgi look like:

<user1>:<password1>
<user2>:<password2>

where each item in <> is replaced with text.

The difference between this password file and the one for tofmipd is that the file does not need to have permissions of 400 or 600. If, for example, you are running in no-su mode, you will have to make your password file group or world readable.

To keep the passwords secure, tmda-cgi assumes all passwords are DES-encrypted (crypt(3)-style) hashes if the file permissions are anything other than 400 or 600. Plaintext passwords will not work in such cases. Encrypted passwords, however, can be used in any tmda-cgi password file. Bear in mind that a group- or world-readable file of DES hashes is still exposed to offline guessing by anyone who can read it, so use 600 wherever your mode allows it.

Additionally, any entry with a blank password field, such as:

cantlogin:

will be prohibited from login, regardless of the file permissions.
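The lookup order, the permission-dependent treatment of the password field, and the blank-password rule described above combine into a small amount of logic that is worth seeing end to end. The following is an added example, written for this page rather than taken from tmda-cgi, that implements those documented rules: it finds the first readable file in the documented search order, parses user:password lines, refuses blank fields, accepts plaintext only when the file is mode 400 or 600, and otherwise compares against a crypt(3) hash. The function names and the sample file contents are constructed for the example.

```python
import hmac
import os
import stat

try:
    import crypt  # traditional crypt(3); deprecated in Python 3.11, removed in 3.13
    HAVE_CRYPT = True
except ImportError:
    HAVE_CRYPT = False

# File modes the docs treat as private enough to hold plaintext passwords.
PRIVATE_MODES = (0o400, 0o600)


def candidate_files(user_config_dir=None, home=None):
    """Documented search order: 'tmda-cgi' beside the user's configuration file
    if that location is known, otherwise ~user/.tmda/tmda-cgi; then /etc/tmda-cgi."""
    if user_config_dir:
        per_user = os.path.join(user_config_dir, "tmda-cgi")
    else:
        per_user = os.path.join(home or os.path.expanduser("~"), ".tmda", "tmda-cgi")
    return [per_user, "/etc/tmda-cgi"]


def first_readable(paths):
    """The first existing file the CGI can read wins; later ones are ignored."""
    for path in paths:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def parse_password_file(text):
    """Parse 'user:password' lines into a dict. A blank password field is kept
    as '' so the caller can refuse that login explicitly."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("line %d: expected user:password" % lineno)
        user, _, field = line.partition(":")
        entries[user.strip()] = field.strip()
    return entries


def plaintext_allowed(mode):
    """Only a 400 or 600 file may hold plaintext passwords."""
    return stat.S_IMODE(mode) in PRIVATE_MODES


def make_hash(password, salt=None):
    """Produce a crypt(3) hash, which is what genpass.py writes. With no salt,
    crypt.mksalt() selects the strongest method the platform supports."""
    if not HAVE_CRYPT:
        raise RuntimeError("crypt module unavailable on this Python")
    return crypt.crypt(password, salt if salt is not None else crypt.mksalt())


def hash_matches(password, stored):
    """Recompute crypt(password, stored) and compare in constant time.
    Fails closed when crypt is unavailable or the stored field is unusable."""
    if not HAVE_CRYPT or not stored:
        return False
    try:
        computed = crypt.crypt(password, stored)
    except (OSError, ValueError):
        return False
    if not computed:
        return False
    return hmac.compare_digest(computed.encode(), stored.encode())


def check_password(entries, mode, user, password):
    """Documented rules: a blank field never logs in; a 400/600 file may match
    either plaintext or a hash; any other mode accepts hashes only."""
    stored = entries.get(user)
    if not stored:
        return False
    if plaintext_allowed(mode) and hmac.compare_digest(stored.encode(), password.encode()):
        return True
    return hash_matches(password, stored)


def verify_from_file(path, user, password):
    """Stat the file so its mode, not the caller, decides the plaintext policy."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_password_file(fh.read())
    return check_password(entries, st.st_mode, user, password)


if __name__ == "__main__":
    import tempfile
    # Constructed sample file: one plaintext entry and one locked-out entry.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tmda-cgi")
        with open(path, "w") as fh:
            fh.write("joe:secret\ncantlogin:\n")
        os.chmod(path, 0o600)
        print("mode 600, plaintext joe:", verify_from_file(path, "joe", "secret"))
        os.chmod(path, 0o644)
        print("mode 644, plaintext joe:", verify_from_file(path, "joe", "secret"))
        print("mode 644, blank field:", verify_from_file(path, "cantlogin", ""))
```

The second run in the demo is the no-su failure mode from the table: the same plaintext entry that logs in at mode 600 is silently refused once the file is 644, because the mode alone decides whether the field is read as plaintext or as a hash.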

contrib/cgi/genpass.py is provided for encrypted password generation. Output from genpass.py can be safely redirected with > or >> into a password file. For example:

# contrib/cgi/genpass.py joe >> /etc/tmda-cgi

or

$ contrib/cgi/genpass.py joe > /home/joe/.tmda/tmda-cgi

If you encounter difficulties logging in, the problem may be a result of incorrect permissions on your password file(s). To debug this, append ?debug=1 to the end of your CGI URL. This will display some diagnostic information if the login fails, instead of simply saying "Wrong password. Try again." Since that query parameter can be supplied by anyone who can reach the CGI, check what the diagnostic output reveals about your file locations and permissions before relying on it on a public-facing server.