* src/ejabberd_auth_pam.erl: Support for PAM authentication
(thanks to Evgeniy Khramtsov) * src/ejabberd.cfg.example: Likewise * src/configure.ac: Likewise * src/aclocal.m4: Likewise * src/Makefile.in: Likewise * examples/ejabberd.pam: Likewise * doc/guide.tex: Likewise SVN Revision: 953
This commit is contained in:
Alexey Shchepin
parent
665abff588
commit
63487ff7b2
11
ChangeLog
11
ChangeLog
|
|
@ -1,3 +1,14 @@
|
|||
2007-10-01 Alexey Shchepin <alexey@process-one.net>
|
||||
|
||||
* src/ejabberd_auth_pam.erl: Support for PAM authentication
|
||||
(thanks to Evgeniy Khramtsov)
|
||||
* src/ejabberd.cfg.example: Likewise
|
||||
* src/configure.ac: Likewise
|
||||
* src/aclocal.m4: Likewise
|
||||
* src/Makefile.in: Likewise
|
||||
* examples/ejabberd.pam: Likewise
|
||||
* doc/guide.tex: Likewise
|
||||
|
||||
2007-09-28 Christophe Romain <christophe.romain@process-one.net>
|
||||
|
||||
* src/odbc/mysql.sql: Added some missing NOT NULL restrictions
|
||||
|
|
|
|||
|
|
@ -785,6 +785,7 @@ The following authentication methods are supported by \ejabberd{}:
|
|||
\item odbc --- See section~\ref{mysql}, \ref{pgsql},
|
||||
\ref{mssql} and \ref{odbc}.
|
||||
\item anonymous --- See section~\ref{saslanonymous}.
|
||||
\item pam --- See section~\ref{pam}.
|
||||
\end{itemize}
|
||||
|
||||
\subsubsection{Internal}
|
||||
|
|
@ -877,6 +878,60 @@ a virtual host:
|
|||
\end{verbatim}
|
||||
\end{itemize}
|
||||
|
||||
\subsubsection{PAM Authentication}
|
||||
\label{pam}
|
||||
\ind{PAM authentication}\ind{Pluggable Authentication Modules}
|
||||
|
||||
\ejabberd{} supports authentication via Pluggable Authentication Modules (PAM).
|
||||
PAM is currently supported in AIX, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.
|
||||
PAM authentication is disabled by default, so you have to configure and compile
|
||||
\ejabberd{} with PAM support enabled:
|
||||
\begin{verbatim}
|
||||
./configure --enable-pam && make install
|
||||
\end{verbatim}
|
||||
|
||||
Options:
|
||||
\begin{description}
|
||||
\titem{pam\_service}\ind{options!pam\_service}This option defines the PAM service name.
|
||||
Default is \term{"ejabberd"}. Refer to the PAM documentation of your operation system
|
||||
for more information.
|
||||
\end{description}
|
||||
|
||||
Example:
|
||||
\begin{verbatim}
|
||||
{auth_method, [pam]}.
|
||||
{pam_service, "ejabberd"}.
|
||||
\end{verbatim}
|
||||
|
||||
Though it is quite easy to set up PAM support in \ejabberd{}, PAM itself introduces some
|
||||
security issues:
|
||||
|
||||
\begin{itemize}
|
||||
\item To perform PAM authentication \ejabberd{} uses external C-program called
|
||||
\term{epam}. By default, it is located in \verb|/var/lib/ejabberd/priv/lib/|
|
||||
directory. You have to set it root on execution in the case when your PAM module
|
||||
requires root privileges (\term{pam\_unix.so} for example). Also you have to grant access
|
||||
for \ejabberd{} to this file and remove all other permissions from it:
|
||||
\begin{verbatim}
|
||||
# chown root:ejabberd /var/lib/ejabberd/priv/lib/epam
|
||||
# chmod 4750 /var/lib/ejabberd/priv/lib/epam
|
||||
\end{verbatim}
|
||||
\item Make sure you have the latest version of PAM installed on your system.
|
||||
Some old versions of PAM modules cause memory leaks. If you are not able to use the latest
|
||||
version, you can \term{kill(1)} \term{epam} process periodically to reduce its memory
|
||||
consumption: \ejabberd{} will restart this process immediately.
|
||||
\item \term{epam} program tries to turn off delays on authentication failures.
|
||||
However, some PAM modules ignore this behavior and rely on their own configuration options.
|
||||
The example configuration file \term{ejabberd.pam} shows how to turn off delays in
|
||||
\term{pam\_unix.so} module. It is not a ready to use configuration file: you must use it
|
||||
as a hint when building your own PAM configuration instead. Note that if you want to disable
|
||||
delays on authentication failures in the PAM configuration file, you have to restrict access
|
||||
to this file, so a malicious user can't use your configuration to perform brute-force
|
||||
attacks.
|
||||
\item You may want to allow login access only for certain users. \term{pam\_listfile.so}
|
||||
module provides such functionality.
|
||||
\end{itemize}
|
||||
|
||||
\subsection{Access Rules}
|
||||
\label{accessrules}
|
||||
\ind{access rules}\ind{ACL}\ind{Access Control List}
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ endif
|
|||
|
||||
prefix = @prefix@
|
||||
|
||||
SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
|
||||
SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @pam@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
|
||||
ERLSHLIBS = expat_erl.so
|
||||
SOURCES = $(wildcard *.erl)
|
||||
BEAMS = $(SOURCES:.erl=.beam)
|
||||
|
|
@ -95,6 +95,7 @@ install: all
|
|||
install -m 644 *.app $(BEAMDIR)
|
||||
install -d $(SODIR)
|
||||
install -m 644 *.so $(SODIR)
|
||||
install -m 750 epam $(SODIR)
|
||||
install -d $(MSGSDIR)
|
||||
install -m 644 msgs/*.msg $(MSGSDIR)
|
||||
install -d $(ETCDIR)
|
||||
|
|
@ -107,7 +108,7 @@ install: all
|
|||
clean: clean-recursive clean-local
|
||||
|
||||
clean-local:
|
||||
rm -f *.beam $(ERLSHLIBS)
|
||||
rm -f *.beam $(ERLSHLIBS) epam
|
||||
rm -f XmppAddr.asn1db XmppAddr.erl XmppAddr.hrl
|
||||
|
||||
distclean: distclean-recursive clean-local
|
||||
|
|
|
|||
|
|
@ -66,6 +66,40 @@ AC_DEFUN(AM_WITH_ZLIB,
|
|||
AC_SUBST(ZLIB_LIBS)
|
||||
])
|
||||
|
||||
AC_DEFUN(AM_WITH_PAM,
|
||||
[ AC_ARG_WITH(pam,
|
||||
[ --with-pam=PREFIX prefix where PAM is installed])
|
||||
|
||||
PAM_CFLAGS=
|
||||
PAM_LIBS=
|
||||
if test x"$with_pam" != x; then
|
||||
PAM_CFLAGS="-I$with_pam/include"
|
||||
PAM_LIBS="-L$with_pam/lib"
|
||||
fi
|
||||
|
||||
AC_CHECK_LIB(pam, pam_start,
|
||||
[ PAM_LIBS="$PAM_LIBS -lpam"
|
||||
pam_found=yes ],
|
||||
[ pam_found=no ],
|
||||
"$PAM_LIBS")
|
||||
if test $pam_found = no; then
|
||||
AC_MSG_WARN([Could not find the PAM library])
|
||||
fi
|
||||
pam_save_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS $PAM_CFLAGS"
|
||||
pam_save_CPPFLAGS="$CPPFLAGS"
|
||||
CPPFLAGS="$CPPFLAGS $PAM_CFLAGS"
|
||||
AC_CHECK_HEADERS(security/pam_appl.h, , pam_found=no)
|
||||
if test $pam_found = no; then
|
||||
AC_MSG_WARN([Could not find security/pam_appl.h])
|
||||
fi
|
||||
CFLAGS="$pam_save_CFLAGS"
|
||||
CPPFLAGS="$pam_save_CPPFLAGS"
|
||||
|
||||
AC_SUBST(PAM_CFLAGS)
|
||||
AC_SUBST(PAM_LIBS)
|
||||
])
|
||||
|
||||
AC_DEFUN(AM_WITH_ERLANG,
|
||||
[ AC_ARG_WITH(erlang,
|
||||
[ --with-erlang=PREFIX path to erlc and erl ])
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -16,6 +16,8 @@ AM_ICONV
|
|||
AM_WITH_EXPAT
|
||||
#locating zlib
|
||||
AM_WITH_ZLIB
|
||||
#locating PAM
|
||||
AM_WITH_PAM
|
||||
|
||||
# Checks for typedefs, structures, and compiler characteristics.
|
||||
AC_C_CONST
|
||||
|
|
@ -32,6 +34,7 @@ AC_MOD_ENABLE(mod_irc, yes)
|
|||
AC_MOD_ENABLE(mod_muc, yes)
|
||||
AC_MOD_ENABLE(mod_proxy65, yes)
|
||||
AC_MOD_ENABLE(eldap, yes)
|
||||
AC_MOD_ENABLE(pam, no)
|
||||
AC_MOD_ENABLE(web, yes)
|
||||
AC_MOD_ENABLE(tls, yes)
|
||||
AC_MOD_ENABLE(odbc, no)
|
||||
|
|
@ -79,6 +82,7 @@ AC_CONFIG_FILES([Makefile
|
|||
$make_mod_pubsub
|
||||
$make_mod_proxy65
|
||||
$make_eldap
|
||||
$make_pam
|
||||
$make_web
|
||||
stringprep/Makefile
|
||||
$make_tls
|
||||
|
|
|
|||
|
|
@ -84,6 +84,10 @@
|
|||
%{auth_method, external}.
|
||||
%{extauth_program, "/path/to/authentication/script"}.
|
||||
|
||||
% For authentication via PAM use the following:
|
||||
%{auth_method, pam}.
|
||||
%{pam_service, "pamservicename"}.
|
||||
|
||||
% For authentication via ODBC use the following:
|
||||
%{auth_method, odbc}.
|
||||
%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.
|
||||
|
|
|
|||
Loading…
Reference in New Issue