* src/ejabberd_auth_pam.erl: Support for PAM authentication

(thanks to Evgeniy Khramtsov)
* src/ejabberd.cfg.example: Likewise
* src/configure.ac: Likewise
* src/aclocal.m4: Likewise
* src/Makefile.in: Likewise
* examples/ejabberd.pam: Likewise
* doc/guide.tex: Likewise

SVN Revision: 953

ChangeLog

@@ -1,3 +1,14 @@
+2007-10-01  Alexey Shchepin  <alexey@process-one.net>
+
+	* src/ejabberd_auth_pam.erl: Support for PAM authentication
+	(thanks to Evgeniy Khramtsov)
+	* src/ejabberd.cfg.example: Likewise
+	* src/configure.ac: Likewise
+	* src/aclocal.m4: Likewise
+	* src/Makefile.in: Likewise
+	* examples/ejabberd.pam: Likewise
+	* doc/guide.tex: Likewise
+
 2007-09-28  Christophe Romain  <christophe.romain@process-one.net>
 
 	* src/odbc/mysql.sql: Added some missing NOT NULL restrictions

doc/guide.tex

@@ -785,6 +785,7 @@ The following authentication methods are supported by \ejabberd{}:
 \item odbc --- See section~\ref{mysql}, \ref{pgsql},
   \ref{mssql} and \ref{odbc}.
 \item anonymous --- See section~\ref{saslanonymous}.
+\item pam --- See section~\ref{pam}.
 \end{itemize}
 
 \subsubsection{Internal}
@@ -877,6 +878,60 @@ a virtual host:
 \end{verbatim}
 \end{itemize}
 
+\subsubsection{PAM Authentication}
+\label{pam}
+\ind{PAM authentication}\ind{Pluggable Authentication Modules}
+
+\ejabberd{} supports authentication via Pluggable Authentication Modules (PAM).
+PAM is currently supported in AIX, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.
+PAM authentication is disabled by default, so you have to configure and compile
+\ejabberd{} with PAM support enabled:
+\begin{verbatim}
+./configure --enable-pam && make install
+\end{verbatim}
+
+Options:
+\begin{description}
+\titem{pam\_service}\ind{options!pam\_service}This option defines the PAM service name.
+Default is \term{"ejabberd"}. Refer to the PAM documentation of your operation system
+for more information.
+\end{description}
+
+Example:
+\begin{verbatim}
+  {auth_method, [pam]}.
+  {pam_service, "ejabberd"}.
+\end{verbatim}
+
+Though it is quite easy to set up PAM support in \ejabberd{}, PAM itself introduces some
+security issues:
+
+\begin{itemize}
+\item To perform PAM authentication \ejabberd{} uses external C-program called
+\term{epam}. By default, it is located in \verb|/var/lib/ejabberd/priv/lib/|
+directory. You have to set it root on execution in the case when your PAM module
+requires root privileges (\term{pam\_unix.so} for example). Also you have to grant access
+for \ejabberd{} to this file and remove all other permissions from it:
+\begin{verbatim}
+# chown root:ejabberd /var/lib/ejabberd/priv/lib/epam
+# chmod 4750 /var/lib/ejabberd/priv/lib/epam
+\end{verbatim}
+\item Make sure you have the latest version of PAM installed on your system.
+Some old versions of PAM modules cause memory leaks. If you are not able to use the latest
+version, you can \term{kill(1)} \term{epam} process periodically to reduce its memory
+consumption: \ejabberd{} will restart this process immediately.
+\item \term{epam} program tries to turn off delays on authentication failures.
+However, some PAM modules ignore this behavior and rely on their own configuration options.
+The example configuration file \term{ejabberd.pam} shows how to turn off delays in
+\term{pam\_unix.so} module. It is not a ready to use configuration file: you must use it
+as a hint when building your own PAM configuration instead. Note that if you want to disable
+delays on authentication failures in the PAM configuration file, you have to restrict access
+to this file, so a malicious user can't use your configuration to perform brute-force
+attacks.
+\item You may want to allow login access only for certain users. \term{pam\_listfile.so}
+module provides such functionality.
+\end{itemize}
+
 \subsection{Access Rules}
 \label{accessrules}
 \ind{access rules}\ind{ACL}\ind{Access Control List}

src/Makefile.in

@@ -36,7 +36,7 @@ endif
 
 prefix = @prefix@
 
-SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
+SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @pam@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
 ERLSHLIBS = expat_erl.so
 SOURCES = $(wildcard *.erl)
 BEAMS = $(SOURCES:.erl=.beam)
@@ -95,6 +95,7 @@ install: all
 	install -m 644 *.app $(BEAMDIR)
 	install -d $(SODIR)
 	install -m 644 *.so $(SODIR)
+	install -m 750 epam $(SODIR)
 	install -d $(MSGSDIR)
 	install -m 644 msgs/*.msg $(MSGSDIR)
 	install -d $(ETCDIR)
@@ -107,7 +108,7 @@ install: all
 clean: clean-recursive clean-local
 
 clean-local:
-	rm -f *.beam $(ERLSHLIBS)
+	rm -f *.beam $(ERLSHLIBS) epam
 	rm -f XmppAddr.asn1db XmppAddr.erl XmppAddr.hrl
 
 distclean: distclean-recursive clean-local

src/aclocal.m4

@@ -66,6 +66,40 @@ AC_DEFUN(AM_WITH_ZLIB,
   AC_SUBST(ZLIB_LIBS)
 ])
 
+AC_DEFUN(AM_WITH_PAM,
+[ AC_ARG_WITH(pam,
+	      [  --with-pam=PREFIX	prefix where PAM is installed])
+
+  PAM_CFLAGS=
+  PAM_LIBS=
+	if test x"$with_pam" != x; then
+		PAM_CFLAGS="-I$with_pam/include"
+		PAM_LIBS="-L$with_pam/lib"
+	fi
+	
+	AC_CHECK_LIB(pam, pam_start,
+		     [ PAM_LIBS="$PAM_LIBS -lpam"
+		       pam_found=yes ],
+		     [ pam_found=no ],
+		     "$PAM_LIBS")
+	if test $pam_found = no; then
+		AC_MSG_WARN([Could not find the PAM library])
+	fi
+	pam_save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $PAM_CFLAGS"
+       pam_save_CPPFLAGS="$CPPFLAGS"
+       CPPFLAGS="$CPPFLAGS $PAM_CFLAGS"
+	AC_CHECK_HEADERS(security/pam_appl.h, , pam_found=no)
+	if test $pam_found = no; then
+		AC_MSG_WARN([Could not find security/pam_appl.h])
+	fi
+	CFLAGS="$pam_save_CFLAGS"
+       CPPFLAGS="$pam_save_CPPFLAGS"
+
+  AC_SUBST(PAM_CFLAGS)
+  AC_SUBST(PAM_LIBS)
+])
+
 AC_DEFUN(AM_WITH_ERLANG,
 [ AC_ARG_WITH(erlang,
 	      [  --with-erlang=PREFIX    path to erlc and erl ])

src/configure.ac

@@ -16,6 +16,8 @@ AM_ICONV
 AM_WITH_EXPAT
 #locating zlib
 AM_WITH_ZLIB
+#locating PAM
+AM_WITH_PAM
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST
@@ -32,6 +34,7 @@ AC_MOD_ENABLE(mod_irc, yes)
 AC_MOD_ENABLE(mod_muc, yes)
 AC_MOD_ENABLE(mod_proxy65, yes)
 AC_MOD_ENABLE(eldap, yes)
+AC_MOD_ENABLE(pam, no)
 AC_MOD_ENABLE(web, yes)
 AC_MOD_ENABLE(tls, yes)
 AC_MOD_ENABLE(odbc, no)
@@ -79,6 +82,7 @@ AC_CONFIG_FILES([Makefile
                  $make_mod_pubsub
                  $make_mod_proxy65
                  $make_eldap
+                 $make_pam
                  $make_web
                  stringprep/Makefile
                  $make_tls

src/ejabberd.cfg.example

@@ -84,6 +84,10 @@
 %{auth_method, external}.
 %{extauth_program, "/path/to/authentication/script"}.
 
+% For authentication via PAM use the following:
+%{auth_method, pam}.
+%{pam_service, "pamservicename"}.
+
 % For authentication via ODBC use the following:
 %{auth_method, odbc}.
 %{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.