25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-12-04 16:40:36 +01:00

* src/ejabberd_auth_pam.erl: Support for PAM authentication

(thanks to Evgeniy Khramtsov)
* src/ejabberd.cfg.example: Likewise
* src/configure.ac: Likewise
* src/aclocal.m4: Likewise
* src/Makefile.in: Likewise
* examples/ejabberd.pam: Likewise
* doc/guide.tex: Likewise

SVN Revision: 953
This commit is contained in:
Alexey Shchepin 2007-10-01 10:33:03 +00:00
parent 665abff588
commit 63487ff7b2
7 changed files with 3224 additions and 2212 deletions

View File

@ -1,3 +1,14 @@
2007-10-01 Alexey Shchepin <alexey@process-one.net>
* src/ejabberd_auth_pam.erl: Support for PAM authentication
(thanks to Evgeniy Khramtsov)
* src/ejabberd.cfg.example: Likewise
* src/configure.ac: Likewise
* src/aclocal.m4: Likewise
* src/Makefile.in: Likewise
* examples/ejabberd.pam: Likewise
* doc/guide.tex: Likewise
2007-09-28 Christophe Romain <christophe.romain@process-one.net>
* src/odbc/mysql.sql: Added some missing NOT NULL restrictions

View File

@ -785,6 +785,7 @@ The following authentication methods are supported by \ejabberd{}:
\item odbc --- See section~\ref{mysql}, \ref{pgsql},
\ref{mssql} and \ref{odbc}.
\item anonymous --- See section~\ref{saslanonymous}.
\item pam --- See section~\ref{pam}.
\end{itemize}
\subsubsection{Internal}
@ -877,6 +878,60 @@ a virtual host:
\end{verbatim}
\end{itemize}
\subsubsection{PAM Authentication}
\label{pam}
\ind{PAM authentication}\ind{Pluggable Authentication Modules}
\ejabberd{} supports authentication via Pluggable Authentication Modules (PAM).
PAM is currently supported in AIX, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.
PAM authentication is disabled by default, so you have to configure and compile
\ejabberd{} with PAM support enabled:
\begin{verbatim}
./configure --enable-pam && make install
\end{verbatim}
Options:
\begin{description}
\titem{pam\_service}\ind{options!pam\_service}This option defines the PAM service name.
Default is \term{"ejabberd"}. Refer to the PAM documentation of your operation system
for more information.
\end{description}
Example:
\begin{verbatim}
{auth_method, [pam]}.
{pam_service, "ejabberd"}.
\end{verbatim}
Though it is quite easy to set up PAM support in \ejabberd{}, PAM itself introduces some
security issues:
\begin{itemize}
\item To perform PAM authentication \ejabberd{} uses external C-program called
\term{epam}. By default, it is located in \verb|/var/lib/ejabberd/priv/lib/|
directory. You have to set it root on execution in the case when your PAM module
requires root privileges (\term{pam\_unix.so} for example). Also you have to grant access
for \ejabberd{} to this file and remove all other permissions from it:
\begin{verbatim}
# chown root:ejabberd /var/lib/ejabberd/priv/lib/epam
# chmod 4750 /var/lib/ejabberd/priv/lib/epam
\end{verbatim}
\item Make sure you have the latest version of PAM installed on your system.
Some old versions of PAM modules cause memory leaks. If you are not able to use the latest
version, you can \term{kill(1)} \term{epam} process periodically to reduce its memory
consumption: \ejabberd{} will restart this process immediately.
\item \term{epam} program tries to turn off delays on authentication failures.
However, some PAM modules ignore this behavior and rely on their own configuration options.
The example configuration file \term{ejabberd.pam} shows how to turn off delays in
\term{pam\_unix.so} module. It is not a ready to use configuration file: you must use it
as a hint when building your own PAM configuration instead. Note that if you want to disable
delays on authentication failures in the PAM configuration file, you have to restrict access
to this file, so a malicious user can't use your configuration to perform brute-force
attacks.
\item You may want to allow login access only for certain users. \term{pam\_listfile.so}
module provides such functionality.
\end{itemize}
\subsection{Access Rules}
\label{accessrules}
\ind{access rules}\ind{ACL}\ind{Access Control List}

View File

@ -36,7 +36,7 @@ endif
prefix = @prefix@
SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
SUBDIRS = @mod_irc@ @mod_pubsub@ @mod_muc@ @mod_proxy65@ @eldap@ @pam@ @web@ stringprep @tls@ @odbc@ @ejabberd_zlib@
ERLSHLIBS = expat_erl.so
SOURCES = $(wildcard *.erl)
BEAMS = $(SOURCES:.erl=.beam)
@ -95,6 +95,7 @@ install: all
install -m 644 *.app $(BEAMDIR)
install -d $(SODIR)
install -m 644 *.so $(SODIR)
install -m 750 epam $(SODIR)
install -d $(MSGSDIR)
install -m 644 msgs/*.msg $(MSGSDIR)
install -d $(ETCDIR)
@ -107,7 +108,7 @@ install: all
clean: clean-recursive clean-local
clean-local:
rm -f *.beam $(ERLSHLIBS)
rm -f *.beam $(ERLSHLIBS) epam
rm -f XmppAddr.asn1db XmppAddr.erl XmppAddr.hrl
distclean: distclean-recursive clean-local

34
src/aclocal.m4 vendored
View File

@ -66,6 +66,40 @@ AC_DEFUN(AM_WITH_ZLIB,
AC_SUBST(ZLIB_LIBS)
])
AC_DEFUN(AM_WITH_PAM,
[ AC_ARG_WITH(pam,
[ --with-pam=PREFIX prefix where PAM is installed])
PAM_CFLAGS=
PAM_LIBS=
if test x"$with_pam" != x; then
PAM_CFLAGS="-I$with_pam/include"
PAM_LIBS="-L$with_pam/lib"
fi
AC_CHECK_LIB(pam, pam_start,
[ PAM_LIBS="$PAM_LIBS -lpam"
pam_found=yes ],
[ pam_found=no ],
"$PAM_LIBS")
if test $pam_found = no; then
AC_MSG_WARN([Could not find the PAM library])
fi
pam_save_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $PAM_CFLAGS"
pam_save_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS $PAM_CFLAGS"
AC_CHECK_HEADERS(security/pam_appl.h, , pam_found=no)
if test $pam_found = no; then
AC_MSG_WARN([Could not find security/pam_appl.h])
fi
CFLAGS="$pam_save_CFLAGS"
CPPFLAGS="$pam_save_CPPFLAGS"
AC_SUBST(PAM_CFLAGS)
AC_SUBST(PAM_LIBS)
])
AC_DEFUN(AM_WITH_ERLANG,
[ AC_ARG_WITH(erlang,
[ --with-erlang=PREFIX path to erlc and erl ])

5323
src/configure vendored

File diff suppressed because it is too large Load Diff

View File

@ -16,6 +16,8 @@ AM_ICONV
AM_WITH_EXPAT
#locating zlib
AM_WITH_ZLIB
#locating PAM
AM_WITH_PAM
# Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
@ -32,6 +34,7 @@ AC_MOD_ENABLE(mod_irc, yes)
AC_MOD_ENABLE(mod_muc, yes)
AC_MOD_ENABLE(mod_proxy65, yes)
AC_MOD_ENABLE(eldap, yes)
AC_MOD_ENABLE(pam, no)
AC_MOD_ENABLE(web, yes)
AC_MOD_ENABLE(tls, yes)
AC_MOD_ENABLE(odbc, no)
@ -79,6 +82,7 @@ AC_CONFIG_FILES([Makefile
$make_mod_pubsub
$make_mod_proxy65
$make_eldap
$make_pam
$make_web
stringprep/Makefile
$make_tls

View File

@ -84,6 +84,10 @@
%{auth_method, external}.
%{extauth_program, "/path/to/authentication/script"}.
% For authentication via PAM use the following:
%{auth_method, pam}.
%{pam_service, "pamservicename"}.
% For authentication via ODBC use the following:
%{auth_method, odbc}.
%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.