[jadmin] Anyone running FreeBSD have jabberd2 working with PAM auth?
Josh Tolbert
hemi at puresimplicity.net
Wed Jun 14 09:37:02 CDT 2006
On Tue, Jun 13, 2006 at 11:49:45AM +0000, Jonathan Stewart wrote:
> Okay finally got a working setup :) Large parts of it are very hacky
> but it's functional so far. I have no idea how well it would handle
> under any serious load though.
>
> [1] When you build jabberd2 define WITH_PIPE=yes on your make command
> line or add it to your pkgtools.conf.
>
> [2] Change the pwauth Makefile so it allows the jabber user to run it as
> well as www. pwauth installs with PAM by default on FreeBSD so you
> don't have to do any postinstall configuration for PAM. I'm sure there
> is a much neater way to do this but I was in a rush and it worked so...
> WWWUID!= ${ID} -u ${WWWOWN}; echo ","; ${ID} -u jabber
>
> [3] Copy this script into /usr/local/bin/pipe-auth. It's based on the
> sample script from the jabberd2 tarball "tools" folder. If anyone has
> any suggestions on how to improve it they are welcome because I have
> pretty much no prior experience with Perl.
>
> ***********************************************************
> #!/usr/bin/perl -w
>
> #
> # Sample pipe authenticator module. You can use this as a basis for your
> # own auth/reg module. See docs/dev/c2s-pipe-authenticator for details
> # about the protocol.
> #
> # This code is hereby placed into the public domain.
> #
> # Modified by Jonathan Stewart jonathan at kc8onw.net for use with pwauth
> # on FreeBSD 13 June 2006. All of my changes are also public domain.
> # Suggestions for improvement are welcome!
>
> use strict;
>
> use MIME::Base64;
>
> # Flush output immediately.
> $| = 1;
>
> # On startup, we have to inform c2s of the functions we can deal with.
> # USER-EXISTS is not optional.
> print "OK USER-EXISTS CHECK-PASSWORD FREE\n";
>
> # Commands c2s may invoke. Dispatching through this table means the
> # request line is never interpolated into an eval string.
> my %commands = (
>     user_exists    => \&_cmd_user_exists,
>     check_password => \&_cmd_check_password,
>     free           => \&_cmd_free,
> );
>
> # Our main loop
> my $buf;
> while(sysread (STDIN, $buf, 1024) > 0)
> {
>     my ($cmd, @args) = split ' ', $buf;
>     next unless defined $cmd;
>     $cmd =~ tr/A-Z/a-z/;
>     $cmd =~ tr/-/_/;
>
>     # Unknown commands get no reply, as before.
>     my $handler = $commands{$cmd} or next;
>     print $handler->(@args), "\n\n";
> }
>
> # Determine if the requested user exists.
> sub _cmd_user_exists
> {
>     my ($user, $realm) = @_;
>
>     # !!! return "OK" if user exists;
>
>     return "OK";
> }
>
> # Compare the given password with the stored password.
> sub _cmd_check_password
> {
>     my ($user, $encoded_pass, $realm) = @_;
>     return "NO" unless defined $user && defined $encoded_pass;
>
>     my $pass = decode_base64($encoded_pass);
>
>     # Write the login and password to pwauth's stdin directly instead of
>     # building a shell command line, so neither value is parsed by a shell.
>     local $SIG{PIPE} = 'IGNORE';
>     open(my $pwauth, '|-', 'pwauth') or return "NO";
>     print $pwauth "$user\n$pass\n";
>     close($pwauth);
>     return "OK" if !$?;
>
>     return "NO";
> }
>
> # c2s shutting down, do the same.
> sub _cmd_free
> {
>     # !!! free data
>     # close database handles
>
>     exit(0);
> }
> ***********************************************************
>
>
>
> [4] Change your C2S.xml file to set up pipe auth
> <!-- Backend module to use -->
> <module>pipe</module>
> and
> <!-- Pipe module configuration -->
> <pipe>
> <!-- Program to execute -->
> <exec>/usr/local/bin/pipe-auth.pl</exec>
> </pipe>
>
> [5] Hopefully I didn't forget anything :) If it doesn't work just let
> me know and I'll try to help fix it.
>
> Feels good to contribute :)
> Jonathan Stewart
>
> P.S.
>
> There is some side information available in this thread {1} about what I
> went through to get it working
>
> {1} http://mail.jabber.org/pipermail/jabberd/2006-June/003365.html
> The thread is titled "[jabberd] Pipe auth with Jabberd2 c2s *seems* to
> hang to the client"
Hi Jonathan,
Nice. Kind of a drag that there has to be so much hoop-jumping, but neat to
see an interesting solution.
Thanks,
Josh
--
Josh Tolbert
hemi at puresimplicity.net || http://www.puresimplicity.net/~hemi/
Security is mostly a superstition. It does not exist in nature, nor
do the children of men as a whole experience it. Avoiding danger
is no safer in the long run than outright exposure. Life is either
a daring adventure, or nothing.
-- Helen Keller
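
An added example, not part of either message or of the jabberd2 distribution: a strict parser for the request lines the quoted script reads from c2s, rejecting anything malformed before credentials reach pwauth. The function name `parse_request`, the username and realm character policies, and the sample lines are assumptions made for illustration; the command names and argument order are those of the quoted script.

```perl
use strict;
use warnings;
use MIME::Base64;

# Argument count per command. Names and argument order (user, base64
# password, realm) follow the handlers in the quoted script.
my %ARGC = ('USER-EXISTS' => 2, 'CHECK-PASSWORD' => 3, 'FREE' => 0);

# Parse one request line from c2s. Returns a hash ref, or nothing when
# the caller should answer "NO" without doing any further work.
sub parse_request {
    my ($line) = @_;
    my ($cmd, @args) = split ' ', $line;   # also drops the trailing newline
    return unless defined $cmd;
    $cmd = uc $cmd;                        # the script matches case-insensitively
    return unless exists $ARGC{$cmd} && @args == $ARGC{$cmd};
    return +{ cmd => $cmd } if $cmd eq 'FREE';

    my ($user, @rest) = @args;
    my $realm = pop @rest;
    # Assumed policy: plain local account names, no leading '-'.
    return unless $user  =~ /\A[a-z_][a-z0-9_.-]{0,31}\z/;
    return unless $realm =~ /\A[A-Za-z0-9.-]{1,255}\z/;
    my %req = (cmd => $cmd, user => $user, realm => $realm);

    if ($cmd eq 'CHECK-PASSWORD') {
        my $b64 = $rest[0];
        # decode_base64 silently skips invalid characters, so check first.
        return unless length($b64) % 4 == 0
            && $b64 =~ m{\A[A-Za-z0-9+/]+={0,2}\z};
        my $pass = decode_base64($b64);
        # pwauth reads login and password as separate lines on stdin, so
        # a password containing a line break cannot be passed faithfully.
        return if $pass eq '' || $pass =~ /[\r\n\0]/;
        $req{pass} = $pass;
    }
    return \%req;
}

# Constructed sample lines, not captured traffic.
my @samples = (
    "CHECK-PASSWORD alice " . encode_base64("s3cret", "") . " example.org",
    "CHECK-PASSWORD alice " . encode_base64("a\nb", "") . " example.org",
    "USER-EXISTS al;ice example.org",
    "check-password alice !!!! example.org",
);
for my $line (@samples) {
    my $req = parse_request($line);
    printf "%-46s => %s\n", $line, $req ? "accept ($req->{cmd})" : "reject";
}
```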