[jadmin] Anyone running FreeBSD have jabberd2 working with PAM auth?
Jonathan Stewart
jonathan at kc8onw.net
Tue Jun 13 06:49:45 CDT 2006
Josh Tolbert wrote:
> On Mon, Jun 12, 2006 at 03:07:10PM +0000, Jonathan Stewart wrote:
>> Good thing you caught that I missed it! I did some more googling and
>> found this very disappointing information...
>>
>> http://jabberd.jabberstudio.org/2/docs/section04_6.html
>>
>> "Important: PAM Authentication Requires PAM Database Access
>> Jabberd authentication via PAM requires that Jabberd2 has access to
>> the PAM database. For many systems, this database is the /etc/shadow
>> file. Thus, Jabberd2 must be run as root, or the jabberd user must be
>> granted read permissions for this file. Running the Jabberd2 server as
>> root is not recommended."
[snip]
>> I'm trying to set up pipe auth using pwauth and it seems fine testing by
>> hand but it seems to hang while checking the username and before asking
>> for the password. I've sent a message to the jabberd list with details
>> and if I don't hear anything there I will try here. I'll post here
>> regardless to let you know if I get it working.
[snip]
> Hi Jonathan,
>
> Yeah, I was afraid of this. I did see this in the docs, but I was hoping the
> docs were somewhat out-dated and this wasn't required any more. Being
> relatively unfamiliar with PAM (cause I've never had to deal with setting up
> any services that depend on it before), does anything else require access to
> the password hashes themselves? I'm relatively wary of jacking around with
> permissions on important files.
>
> I remember reading about someone trying to get jabberd to auth against
> cyrus-sasl2 (saslauthd). I may look in to seeing what it would take to get
> that working.
>
> Thanks again,
> Josh
Okay finally got a working setup :) Large parts of it are very hacky
but it's functional so far. I have no idea how well it would handle
under any serious load though.
[1] When you build jabberd2 define WITH_PIPE=yes on your make command
line or add it to your pkgtools.conf.
[2] Change the pwauth Makefile so it allows the jabber user to run it as
well as www. pwauth installs with PAM by default on FreeBSD so you
don't have to do any postinstall configuration for PAM. I'm sure there
is a much neater way to do this but I was in a rush and it worked so...
WWWUID!= ${ID} -u ${WWWOWN}; echo ","; ${ID} -u jabber
[3] Copy this script into /usr/local/bin/pipe-auth. It's based on the
sample script from the jabberd2 tarball "tools" folder. If anyone has
any suggestions on how to improve it they are welcome because I have
pretty much no prior experience with Perl.
***********************************************************
#!/usr/bin/perl -w
#
# Sample pipe authenticator module. You can use this as a basis for your
# own auth/reg module. See docs/dev/c2s-pipe-authenticator for details
# about the protocol.
#
# This code is hereby placed into the public domain.
#
# Modified by Jonathan Stewart jonathan at kc8onw.net for use with pwauth
# on FreeBSD 13 June 2006. All of my changes are also public domain.
# Suggestions for improvement are welcome!
use strict;
use MIME::Base64;
# Flush output immediately, or c2s never sees our replies.
$| = 1;
# Only the commands we advertise get dispatched; anything else is answered
# "NO". A lookup table replaces the original string eval, so a command
# name arriving on the pipe can never be turned into arbitrary Perl.
my %handler = (
    'user-exists'    => \&_cmd_user_exists,
    'check-password' => \&_cmd_check_password,
    'free'           => \&_cmd_free,
);
# On startup, we have to inform c2s of the functions we can deal with.
# USER-EXISTS is not optional.
print "OK USER-EXISTS CHECK-PASSWORD FREE\n";
# Our main loop
my $buf;
while(sysread (STDIN, $buf, 1024) > 0)
{
    my ($cmd, @args) = split ' ', $buf;
    next unless defined $cmd;
    my $h = $handler{lc $cmd};
    print(($h ? $h->(@args) : "NO"), "\n\n");
}
# Determine if the requested user exists. pwauth can only answer "is this
# password right for this user", so there is no cheap existence check
# through PAM; answer OK here and let CHECK-PASSWORD decide.
sub _cmd_user_exists
{
    my ($user, $realm) = @_;
    return "OK";
}
# Compare the given password with the stored password by handing both to
# pwauth on its stdin. pwauth is started directly, not through a shell, so
# a username or password containing shell metacharacters (quotes, ';', '`',
# '$(...)') cannot be used to run commands as the jabber user.
sub _cmd_check_password
{
    my ($user, $encoded_pass, $realm) = @_;
    return "NO" unless defined $user and defined $encoded_pass;
    my $pass = decode_base64($encoded_pass);
    # pwauth reads "user\npassword\n"; an embedded line break or NUL would
    # let one value masquerade as the other, so reject them outright.
    return "NO" if $user =~ /[\r\n\0]/ or $pass =~ /[\r\n\0]/;
    open(my $pw, '|-', 'pwauth') or return "NO";
    print $pw "$user\n$pass\n";
    close($pw);   # $? now holds pwauth's exit status; 0 means accepted
    return $? == 0 ? "OK" : "NO";
}
# c2s shutting down, do the same.
sub _cmd_free
{
    exit(0);
}
***********************************************************
[4] Change your C2S.xml file to set up pipe auth
<!-- Backend module to use -->
<module>pipe</module>
and
<!-- Pipe module configuration -->
<pipe>
<!-- Program to execute -->
<exec>/usr/local/bin/pipe-auth.pl</exec>
</pipe>
[5] Hopefully I didn't forget anything :) If it doesn't work just let
me know and I'll try to help fix it.
Feels good to contribute :)
Jonathan Stewart
P.S.
There is some side information available in this thread {1} about what I
went through to get it working
{1} http://mail.jabber.org/pipermail/jabberd/2006-June/003365.html
The thread is titled "[jabberd] Pipe auth with Jabberd2 c2s *seems* to
hang to the client"
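The posted script is easiest to debug outside c2s, because c2s only reports the end result and a silent hang looks the same as a slow reply. The following is an added example, not part of the original post and not jabberd2's own tooling: a small Python driver that plays the c2s side of the pipe protocol against whatever you configured in <exec>, reading the startup "OK <capabilities>" line, sending one whitespace-separated command per line (USER-EXISTS user realm, CHECK-PASSWORD user base64password realm, FREE) and reading one-word replies with a timeout, skipping the blank line the sample script emits after each answer. The command names and argument order are taken from the posted subroutines, and newline-terminated commands are an assumption from how the sample script reads its input. With --serve the same file acts as a stub authenticator over a constructed user table ("alice", a made-up account) so the driver can be tried without pwauth or PAM at all.

```python
#!/usr/bin/env python3
"""Drive a jabberd2 c2s pipe authenticator by hand, the way c2s would.

Added example, not from the original post or from jabberd2 itself.

Usage:
  pipe_auth_probe.py /usr/local/bin/pipe-auth.pl USER REALM PASSWORD
  pipe_auth_probe.py --serve        (stub authenticator, for self-testing)
"""
import base64
import os
import select
import subprocess
import sys

# Constructed sample accounts for --serve mode; these are not real users.
FAKE_USERS = {"alice": "s3cret pass"}


def serve():
    """Stub authenticator speaking the same protocol as the posted script."""
    out = sys.stdout
    out.write("OK USER-EXISTS CHECK-PASSWORD FREE\n")
    out.flush()
    for line in sys.stdin:
        words = line.split()
        if not words:
            continue
        cmd, args = words[0].upper(), words[1:]
        if cmd == "FREE":
            return  # exit without a reply, like _cmd_free in the Perl script
        if cmd == "USER-EXISTS" and args:
            reply = "OK" if args[0] in FAKE_USERS else "NO"
        elif cmd == "CHECK-PASSWORD" and len(args) >= 2:
            try:
                pw = base64.b64decode(args[1], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                pw = None
            reply = "OK" if pw is not None and FAKE_USERS.get(args[0]) == pw else "NO"
        else:
            reply = "NO"
        out.write(reply + "\n\n")  # the sample script ends replies with two newlines
        out.flush()


def stub_argv():
    """Command line that runs this very file as the stub authenticator."""
    return [sys.executable, os.path.abspath(__file__), "--serve"]


class PipeAuth:
    """The c2s side of the exchange, with a timeout so a stuck authenticator
    surfaces as an error instead of the silent hang described in the thread."""

    def __init__(self, argv, timeout=5.0):
        self.timeout = timeout
        self.buf = b""
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE)
        greeting = self._readline()
        if not greeting.startswith("OK "):
            raise RuntimeError("bad startup line: %r" % greeting)
        self.capabilities = set(greeting.split()[1:])
        if "USER-EXISTS" not in self.capabilities:
            raise RuntimeError("USER-EXISTS is not optional")

    def _readline(self):
        """Return the next non-blank line from the authenticator, or raise."""
        while True:
            nl = self.buf.find(b"\n")
            if nl >= 0:
                line, self.buf = self.buf[:nl], self.buf[nl + 1:]
                if line.strip():
                    return line.decode("ascii", "replace").strip()
                continue  # blank separator line, keep reading
            ready, _, _ = select.select([self.proc.stdout], [], [], self.timeout)
            if not ready:
                raise TimeoutError("no reply within %.1fs" % self.timeout)
            chunk = os.read(self.proc.stdout.fileno(), 4096)
            if not chunk:
                raise RuntimeError("authenticator closed its stdout")
            self.buf += chunk

    def _ask(self, *words):
        self.proc.stdin.write((" ".join(words) + "\n").encode("utf-8"))
        self.proc.stdin.flush()
        return self._readline()

    def user_exists(self, user, realm):
        return self._ask("USER-EXISTS", user, realm) == "OK"

    def check_password(self, user, password, realm):
        # The password travels base64-encoded, so spaces in it survive the
        # whitespace split on the authenticator side.
        enc = base64.b64encode(password.encode("utf-8")).decode("ascii")
        return self._ask("CHECK-PASSWORD", user, enc, realm) == "OK"

    def free(self):
        """Send FREE, close the pipe and return the authenticator's exit code."""
        self.proc.stdin.write(b"FREE\n")
        self.proc.stdin.close()
        return self.proc.wait(timeout=self.timeout)


if __name__ == "__main__":
    if "--serve" in sys.argv:
        serve()
    elif len(sys.argv) == 5:
        auth = PipeAuth([sys.argv[1]])
        user, realm, password = sys.argv[2:]
        print("capabilities:", " ".join(sorted(auth.capabilities)))
        print("USER-EXISTS:", auth.user_exists(user, realm))
        print("CHECK-PASSWORD:", auth.check_password(user, password, realm))
        print("exit status:", auth.free())
    else:
        sys.exit(__doc__)
```

Run it as the jabber user (the same uid c2s runs as), since pwauth refuses callers whose uid is not in its allowed list and the probe will then just report CHECK-PASSWORD as False. A TimeoutError on the very first read means the authenticator never printed its capability line, usually because output buffering is on; a TimeoutError after CHECK-PASSWORD means pwauth itself is waiting for input.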