[jadmin] Anyone running FreeBSD have jabberd2 working with PAM auth?

Jonathan Stewart jonathan at kc8onw.net
Mon Jun 12 10:07:10 CDT 2006


Josh Tolbert wrote:
> On Sun, Jun 11, 2006 at 10:24:13AM +0000, Jonathan Stewart wrote:
>> I had this same issue about a year and a half ago...
>> http://mail.jabber.org/pipermail/jadmin/2004-October/018548.html
>>
>> I just have "auth            sufficient      pam_unix.so" in my
>> pam.d/jabberd. I don't know why required does not work and sufficient
>> does, but if I understand the README [1] correctly, the way I'm using it
>> is not a security issue, at least.
>>
>> Jonathan
>>
>> [1]
>> sufficient: success is sufficient, and if no previous required
>>             module failed, no remaining modules are run.
> 
> Hey Jonathan,
> 
> Thanks; this gets me closer. I can log in now. The problem is that I can log
> in using any password. Does yours do this, too?
> 
> Thanks,
> Josh


Good thing you caught that; I missed it!  I did some more googling and
found this very disappointing information...

http://jabberd.jabberstudio.org/2/docs/section04_6.html

"Important: PAM Authentication Requires PAM Database Access
    Jabberd authentication via PAM requires that Jabberd2 has access to
the PAM database. For many systems, this database is the /etc/shadow
file. Thus, Jabberd2 must be run as root, or the jabberd user must be
granted read permissions for this file. Running the Jabberd2 server as
root is not recommended."

I actually just worked around this for Apache using mod_auth_external
and pwauth.  pwauth is setuid root, so it has access to the master.passwd
file, and it is called by mod_auth_external, which pipes the username and
password to it.  pwauth uses PAM by default when installed from ports.

I'm trying to set up pipe auth using pwauth, and it seems fine when testing
by hand, but it seems to hang while checking the username and before asking
for the password.  I've sent a message to the jabberd list with details,
and if I don't hear anything there I will try here.  I'll post here
regardless to let you know if I get it working.

As a workaround, although not recommended from a security standpoint, you
could create a group, put jabber into it, and make master.passwd
readable by the group.  You should be able to use PAM directly then,
although I have not tried it.

Jonathan
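As an added check (not from the thread, jabberd2 or pwauth), a small POSIX shell script that flags the two conditions discussed above: a pam.d auth stack that relies only on a "sufficient" line such as "auth sufficient pam_unix.so", and a master.passwd readable beyond root as in the group-readable workaround. Function names and the default paths are hypothetical, and the pwauth stdin format (username, then password, each newline-terminated) is an assumption.

```shell
#!/bin/sh
# Added audit helpers (hypothetical names, not part of jabberd2 or pwauth).
# They flag the two conditions from the thread: an auth stack with no
# required/requisite module, and a password database readable by more than root.

# Exit 0 when the pam.d file has "auth sufficient" lines but no required/requisite ones.
pam_auth_is_sufficient_only() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and blank/short lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") { strong++ }
        $1 == "auth" && $2 == "sufficient"                      { suff++ }
        END { if (suff > 0 && strong == 0) exit 0; exit 1 }
    ' "$1"
}

# Exit 0 when the file has any group/other permission bits set (e.g. a 0640
# master.passwd, the group-readable workaround). Tries BSD stat, then GNU stat.
shadow_db_is_exposed() {
    mode=$(stat -f '%Lp' "$1" 2>/dev/null || stat -c '%a' "$1" 2>/dev/null) || return 1
    last2=$(printf '%s' "$mode" | tail -c 2)
    [ "$last2" != "00" ]
}

# Exit 0 when pwauth rejects a deliberately wrong password for user $1.
# Assumes pwauth reads "username\npassword\n" on stdin and exits non-zero on failure;
# not exercised by the test below since it needs a real pwauth install.
pwauth_rejects_wrong_password() {
    printf '%s\n%s\n' "$1" "definitely-not-the-password" | pwauth >/dev/null 2>&1 && return 1
    return 0
}

# Example run against the service file from the thread (paths assumed, overridable).
audit_jabberd_pam() {
    svc="${1:-/etc/pam.d/jabberd}"
    db="${2:-/etc/master.passwd}"
    rc=0
    if pam_auth_is_sufficient_only "$svc"; then
        echo "WARN: $svc has no required/requisite auth module; verify wrong passwords are denied"
        rc=1
    fi
    if shadow_db_is_exposed "$db"; then
        echo "WARN: $db is readable beyond root"
        rc=1
    fi
    return $rc
}
```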
