Add PAM authentication support #20

Closed
foxcpp opened this issue Mar 28, 2019 · 6 comments

Comments

@foxcpp
Owner

foxcpp commented Mar 28, 2019

This will allow us to reuse a lot of components developed for PAM.

Notes
  • CGo dependency: libpam
  • libpam has a callback-based interface; it needs to be used with extreme care so as not to introduce memory vulnerabilities.
Problems to solve
  • maddy needs to access the shadow database (/etc/shadow) on configurations using the local database. Should we just require maddy to be running as root (or with CAP_DAC_READ_SEARCH) or somehow isolate code working with this file?

Some example code can be found here: https://stackoverflow.com/questions/10910193/how-to-authenticate-username-password-using-pam-w-o-root-privileges
Except probably we want to define our own PAM service instead of using "su".

@emersion
Collaborator

emersion commented Mar 28, 2019

CGo dependency: libpam

Maybe there is a pure Go PAM implementation out there? libpam is very annoying to use.

maddy needs to access the shadow database (/etc/shadow) on configurations using the local database

We don't need that with PAM. We only need that for #21.

@foxcpp
Owner Author

foxcpp commented Mar 28, 2019

We don't need that with PAM. We only need that for #21.

From pam_unix.so(8):

A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock(1) to work without being setuid-root.

OK, I didn't know. Perhaps we can use it for #21 too?

UPD: No, we shouldn't.

The interface of the helper - command line options, and input/output data format are internal to the pam_unix module and it should not be called directly from applications.

@foxcpp
Owner Author

foxcpp commented Mar 28, 2019

Oh, unix_chkpwd works only for the current user, so it is not useful for us. We need root to access /etc/shadow.

@foxcpp
Owner Author

foxcpp commented Mar 28, 2019

So, here is what I think should be done.

Create a separate binary called maddy-pam-helper.
When started, it reads two \0-terminated lines from stdin (username and password) and sets its exit status depending on authentication success.

Generally, when installed to the system, this binary should be setuid root (or given the CAP_DAC_READ_SEARCH capability on Linux) and be executable only by the group that the maddy server runs under (user group "maddy"?).
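The stdin protocol sketched in this comment, as an added Go example that is not maddy's code: both sides of the exchange are shown, the server that spawns the helper and feeds it `username\0password\0`, and the helper-side parser that reads exactly two NUL-terminated fields. The exit-code values (0 accepted, 1 rejected, anything else error), the 1024-byte per-field cap and the `maddy-pam-helper` path are assumptions for the example; the PAM call itself is left to the real helper. The point a privileged helper needs is that the parser fails closed on anything malformed, and that a crashed or misconfigured helper is reported as an error rather than as a wrong password or, worse, a successful login.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// Assumed helper protocol (an illustration, not maddy's implementation):
// the server writes "<username>\x00<password>\x00" to the helper's stdin and
// reads only the exit status. The exit codes below are assumptions.
const (
	exitAuthenticated = 0    // credentials accepted
	exitRejected      = 1    // credentials checked and refused
	exitError         = 2    // helper could not decide (PAM failure, bad input)
	maxFieldLen       = 1024 // per-field cap so a setuid helper never buffers unbounded input
)

// EncodeCredentials is the server side of the protocol. NUL is the delimiter,
// so a NUL inside either field would let one field masquerade as two; reject
// it rather than truncate silently.
func EncodeCredentials(user, pass string) ([]byte, error) {
	if user == "" {
		return nil, errors.New("empty username")
	}
	if strings.ContainsRune(user, 0) || strings.ContainsRune(pass, 0) {
		return nil, errors.New("credentials must not contain NUL")
	}
	if len(user) > maxFieldLen || len(pass) > maxFieldLen {
		return nil, errors.New("credential field too long")
	}
	var buf bytes.Buffer
	buf.WriteString(user)
	buf.WriteByte(0)
	buf.WriteString(pass)
	buf.WriteByte(0)
	return buf.Bytes(), nil
}

// ReadCredentials is the helper side: it reads exactly two NUL-terminated
// fields and fails closed on truncated, oversized or empty-username input.
func ReadCredentials(r io.Reader) (user, pass string, err error) {
	// Hard cap on total bytes read: two fields plus two terminators.
	br := bufio.NewReader(io.LimitReader(r, 2*(maxFieldLen+1)))
	var fields [2]string
	for i := range fields {
		s, rerr := br.ReadString(0)
		if rerr != nil {
			return "", "", fmt.Errorf("field %d: missing NUL terminator: %w", i+1, rerr)
		}
		s = strings.TrimSuffix(s, "\x00")
		if len(s) > maxFieldLen {
			return "", "", fmt.Errorf("field %d exceeds %d bytes", i+1, maxFieldLen)
		}
		fields[i] = s
	}
	if fields[0] == "" {
		return "", "", errors.New("empty username")
	}
	return fields[0], fields[1], nil
}

// ClassifyExit maps the helper's exit status onto the three outcomes. It is
// separate from process spawning so the mapping can be tested without a
// helper binary. Anything other than the two defined answers is an error.
func ClassifyExit(code int) (authenticated bool, err error) {
	switch code {
	case exitAuthenticated:
		return true, nil
	case exitRejected:
		return false, nil
	default:
		return false, fmt.Errorf("pam helper exited with unexpected status %d", code)
	}
}

// RunHelper spawns the (hypothetical) maddy-pam-helper at helperPath, feeds it
// the encoded credentials on stdin and returns the classified outcome. The
// password never appears in argv or the environment, only on the pipe.
func RunHelper(helperPath, user, pass string) (bool, error) {
	payload, err := EncodeCredentials(user, pass)
	if err != nil {
		return false, err
	}
	cmd := exec.Command(helperPath)
	cmd.Stdin = bytes.NewReader(payload)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	runErr := cmd.Run()
	if runErr == nil {
		return ClassifyExit(exitAuthenticated)
	}
	var exitErr *exec.ExitError
	if errors.As(runErr, &exitErr) {
		ok, cerr := ClassifyExit(exitErr.ExitCode()) // -1 if killed by a signal
		if cerr != nil {
			cerr = fmt.Errorf("%w (stderr: %s)", cerr, strings.TrimSpace(stderr.String()))
		}
		return ok, cerr
	}
	// Could not even start the helper (missing binary, permission denied).
	return false, fmt.Errorf("starting pam helper: %w", runErr)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: pamhelper-demo /path/to/maddy-pam-helper USER  (password read from stdin)")
		os.Exit(exitError)
	}
	pass, _ := bufio.NewReader(os.Stdin).ReadString('\n')
	ok, err := RunHelper(os.Args[1], os.Args[2], strings.TrimRight(pass, "\r\n"))
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(exitError)
	case ok:
		fmt.Println("authenticated")
	default:
		fmt.Println("rejected")
	}
}
```

The setuid or capability-bearing install and the group-only execute permission described in the comment are the OS-level half of the design; the protocol half is that the helper accepts nothing but two bounded, NUL-terminated fields, and the server treats every status other than the two agreed answers as a failure of the helper itself.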

@emersion
Collaborator

Oh, right. RIP, we need root either way.

@foxcpp
Owner Author

foxcpp commented Mar 28, 2019
