[jadmin] Anyone running FreeBSD have jabberd2 working with PAM auth?

Josh Tolbert hemi at puresimplicity.net
Mon Jun 12 23:26:36 CDT 2006


On Mon, Jun 12, 2006 at 03:07:10PM +0000, Jonathan Stewart wrote:
> Good thing you caught that I missed it!  I did some more googling and
> found this very disappointing information...
> 
> http://jabberd.jabberstudio.org/2/docs/section04_6.html
> 
> "Important: PAM Authentication Requires PAM Database Access
>     Jabberd authentication via PAM requires that Jabberd2 has access to
> the PAM database. For many systems, this database is the /etc/shadow
> file. Thus, Jabberd2 must be run as root, or the jabberd user must be
> granted read permissions for this file. Running the Jabberd2 server as
> root is not recommended."
> 
> I actually just worked around this for Apache using mod_auth_external
> and pwauth.  pwauth is setuid root so it has access to the master.passwd
> file and is called by mod_auth_external which pipes the username and
> password to it.  pwauth uses PAM by default when installed from ports.
> 
> I'm trying to set up pipe auth using pwauth and it seems fine testing by
> hand but it seems to hang while checking the username and before asking
> for the password.  I've sent a message to the jabberd list with details
> and if I don't hear anything there I will try here.  I'll post here
> regardless to let you know if I get it working.
> 
> As a workaround, although not recommended from a security standpoint you
> could create a group, put jabber into it, and make master.passwd
> readable by the group.  You should be able to use PAM directly then
> although I have not tried it.
> 
> Jonathan

Hi Jonathan,

Yeah, I was afraid of this. I did see this in the docs, but I was hoping the
docs were somewhat outdated and this wasn't required any more. Being
relatively unfamiliar with PAM ('cause I've never had to deal with setting up
any services that depend on it before), does anything else require access to
the password hashes themselves? I'm relatively wary of jacking around with
permissions on important files.

I remember reading about someone trying to get jabberd to auth against
cyrus-sasl2 (saslauthd). I may look into seeing what it would take to get
that working.

Thanks again,
Josh
-- 
Josh Tolbert
hemi at puresimplicity.net  ||  http://www.puresimplicity.net/~hemi/

Security is mostly a superstition. It does not exist in nature, nor
do the children of men as a whole experience it. Avoiding danger
is no safer in the long run than outright exposure. Life is either
a daring adventure, or nothing.
    -- Helen Keller
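
An added example, not part of the original thread or of jabberd2: a Python audit for the group-readable master.passwd workaround discussed above. It reports which accounts other than a root owner hold read access to the password-hash files through owner, group, or world mode bits. The file list (including /etc/spwd.db) and the function names are assumptions of this example.

```python
import grp
import os
import pwd
import stat

# Hash stores named in the thread, plus FreeBSD's hashed copy of master.passwd
# (the list is an assumption of this example; adjust it for the host).
HASH_FILES = ["/etc/master.passwd", "/etc/spwd.db", "/etc/shadow"]


def group_accounts(gid):
    """Accounts in gid, by primary group or by supplementary membership."""
    names = {p.pw_name for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        names.update(grp.getgrgid(gid).gr_mem)
    except KeyError:
        pass  # gid has no entry in the group database
    return sorted(names)


def non_root_readers(path):
    """Map scope ('owner', 'group', 'other') to read access beyond a root owner.

    Only the classic mode bits are inspected; ACLs are not.
    """
    st = os.stat(path)
    found = {}
    if st.st_uid != 0 and st.st_mode & stat.S_IRUSR:
        found["owner"] = ["uid %d" % st.st_uid]
    if st.st_mode & stat.S_IRGRP:
        found["group"] = group_accounts(st.st_gid)
    if st.st_mode & stat.S_IROTH:
        found["other"] = ["every local account"]
    return found


def audit(paths=HASH_FILES):
    """Return {path: readers} for each existing path that has such readers."""
    report = {}
    for path in paths:
        if os.path.exists(path):
            readers = non_root_readers(path)
            if readers:
                report[path] = readers
    return report


if __name__ == "__main__":
    for path, readers in audit().items():
        for scope, who in readers.items():
            print("%s: readable by %s: %s" % (path, scope, ", ".join(who) or "(no accounts)"))
```

Any account listed under "group" can read every password hash on the host, so a compromise of a daemon placed in that group exposes them all.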
