On 06/02/08, Nicolas Williams wrote:
> On Mon, Jun 02, 2008 at 11:12:32AM +0100, Darren J Moffat wrote:
> > Raymond Xiong wrote:
> > >Two more notes on user authentication:
> > >
> > >1) ejabberd also supports PAM authentication. So it is possible to 
> > >use UNIX accounts for ejabberd user authentication (though I don't think
> > >this was recommended in its manual). For various reasons, this feature
> > >won't be supported in my package. 
> > 
> > Actually that might be a much better idea because it opens up a lot of 
> > scope for better authentication.
> > 
> > Given that Solaris invented PAM I find it very strange to integrate 
> > something that has PAM support available but to disable it.
> > 
> > Running with PAM will, unfortunately, require that the daemon run with 
> > all privileges during authentication.
> 
> XMPP supports SASL for user authentication.  ejabberd ought to support
> that.  ejabberd should get the ability to authenticate users via Unix
> credentials through libsasl, not through PAM directly.  (Of course,
> IIRC, our libsasl doesn't provide a way to do this, but that wouldn't be
> ejabberd's fault!)
> 

ejabberd supports SASL (actually it always uses SASL, so clients 
that don't support SASL cannot connect to it), but unfortunately
it only supports a very limited set of mechanisms: DIGEST-MD5, PLAIN, and 
ANONYMOUS. 

That is because, rather than relying on a native C library,
ejabberd implements SASL on its own. I googled this topic but 
found very little discussion of it. I don't think there is active 
development to improve this either.

So, the way I understand it, to authenticate ejabberd users via 
UNIX credentials or other PAM authentication services, PAM needs 
to be configured explicitly (although SASL is always used). It 
seems the current SASL support in ejabberd is more a way
to transfer the password over the network than an authentication framework.

BTW, XMPP (and ejabberd) also supports TLS to encrypt all the XML
messages (including the messages for authentication). That is an 
optional feature and can be configured. (I think SASL is also
an optional feature, but it cannot be configured for ejabberd.)

Regarding ejabberd support for PAM authentication, I have tried
it and it seems to work. To perform PAM authentication, ejabberd
uses an external C program. To solve the root privileges issue,
the manual suggests using a setuid approach (see "PAM authentication"
in section 3.1.4 at the following link). 

  http://www.process-one.net/docs/ejabberd/guide_en.html

I guess setuid is probably not allowed, but I think we can do it
by setting that C program's execution attribute in the "Ejabberd
Administration" profile to run as root.

Another thing I am not sure about is what PAM authentication service 
name will be used for ejabberd. I used "other" in my experiments.
Do we need a new "ejabberd" service name for that? 

-- 
Regards,
Raymond
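
The SASL point in the message above (ejabberd offering only DIGEST-MD5, PLAIN and ANONYMOUS, and PAM having to sit behind SASL) is easier to see with both sides of the exchange written out. The following is an added example, not ejabberd's code or anything from the ejabberd guide: it computes the DIGEST-MD5 (RFC 2831) response and rspauth exactly as the server and client would, and the PLAIN (RFC 4616) message beside it, with a stand-in oracle that behaves like PAM (it answers yes/no and never returns the stored secret). The realm, user name, password and nonces are constructed for the example.

```python
"""Added example (not ejabberd code): DIGEST-MD5 and PLAIN as an XMPP server
and client would compute them, to show which of the two a verify-only backend
such as PAM can serve. Credentials, realm and nonces are constructed."""
import base64
import hashlib
import hmac
import re
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_digest_fields(text: str) -> dict:
    """Parse the key=value list of a DIGEST-MD5 challenge/response.
    Quoted values may contain commas (e.g. qop="auth,auth-int")."""
    pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)', text)
    return {k: v[1:-1] if v.startswith('"') else v for k, v in pairs}


def make_digest_challenge(realm: str, nonce: str, qop: str = "auth") -> str:
    """Server side: the base64 payload carried in <challenge/>."""
    text = f'realm="{realm}",nonce="{nonce}",qop="{qop}",charset=utf-8,algorithm=md5-sess'
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def digest_md5_proofs(username, realm, password, nonce, cnonce, digest_uri,
                      nc="00000001", qop="auth"):
    """Return (response, rspauth) per RFC 2831 section 2.1.2.1. Note that A1
    starts from H(user:realm:password): whoever verifies must hold the
    password (or that hash), a yes/no oracle like PAM is not enough."""
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8")) \
        + f":{nonce}:{cnonce}".encode("utf-8")
    ha1 = _md5hex(a1)
    a2_client, a2_server = f"AUTHENTICATE:{digest_uri}", f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):      # integrity/confidentiality layers
        a2_client += ":" + "0" * 32
        a2_server += ":" + "0" * 32

    def kd(a2: str) -> str:
        return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode())}".encode())

    return kd(a2_client), kd(a2_server)


def digest_md5_client_response(challenge_b64, username, password, digest_uri, cnonce=None):
    """Client side: the base64 payload carried in <response/>."""
    ch = parse_digest_fields(base64.b64decode(challenge_b64).decode("utf-8"))
    cnonce = cnonce or secrets.token_hex(16)
    response, _ = digest_md5_proofs(username, ch["realm"], password, ch["nonce"], cnonce, digest_uri)
    fields = [f'username="{username}"', f'realm="{ch["realm"]}"', f'nonce="{ch["nonce"]}"',
              f'cnonce="{cnonce}"', "nc=00000001", "qop=auth",
              f'digest-uri="{digest_uri}"', f"response={response}", "charset=utf-8"]
    return base64.b64encode(",".join(fields).encode("utf-8")).decode("ascii")


def digest_md5_server_verify(response_b64, stored_password, issued_nonce):
    """Server side: returns the base64 rspauth payload for <success/>, or None.
    Needs the stored password itself; a PAM-style oracle cannot drive this."""
    r = parse_digest_fields(base64.b64decode(response_b64).decode("utf-8"))
    if r.get("nonce") != issued_nonce:
        return None                            # replayed or foreign nonce
    try:
        expected, rspauth = digest_md5_proofs(r["username"], r["realm"], stored_password,
                                              r["nonce"], r["cnonce"], r["digest-uri"],
                                              r.get("nc", "00000001"), r.get("qop", "auth"))
    except KeyError:
        return None                            # malformed response
    if not hmac.compare_digest(expected, r.get("response", "")):
        return None
    return base64.b64encode(f"rspauth={rspauth}".encode("ascii")).decode("ascii")


def digest_md5_client_check_success(success_b64, username, realm, password, nonce, cnonce, digest_uri):
    """Client side: mutual authentication, verify the server's rspauth."""
    s = parse_digest_fields(base64.b64decode(success_b64).decode("utf-8"))
    _, rspauth = digest_md5_proofs(username, realm, password, nonce, cnonce, digest_uri)
    return hmac.compare_digest(rspauth, s.get("rspauth", ""))


def plain_client_message(authcid: str, password: str, authzid: str = "") -> str:
    """PLAIN: authzid NUL authcid NUL password, base64 (cleartext unless TLS is on)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode("utf-8")).decode("ascii")


def plain_server_verify(message_b64: str, verify_password) -> bool:
    """Server side for PLAIN: a yes/no oracle is all that is required."""
    try:
        authzid, authcid, password = base64.b64decode(message_b64).decode("utf-8").split("\0")
    except ValueError:
        return False                           # wrong number of NUL separators
    if authzid not in ("", authcid):
        return False                           # no impersonation via authzid
    return verify_password(authcid, password)


_CONSTRUCTED_USERS = {"raymond": "hunter2"}    # constructed stand-in for the UNIX accounts


def pam_like_verify(user: str, password: str) -> bool:
    """Models what PAM gives a caller: a verdict, never the secret."""
    return _CONSTRUCTED_USERS.get(user) == password


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    resp = digest_md5_client_response(make_digest_challenge("example.org", nonce),
                                      "raymond", "hunter2", "xmpp/example.org")
    print("DIGEST-MD5 with stored password:", digest_md5_server_verify(resp, "hunter2", nonce) is not None)
    print("PLAIN with PAM-like oracle:",
          plain_server_verify(plain_client_message("raymond", "hunter2"), pam_like_verify))
```

The design point to take from this: `digest_md5_server_verify` has to be handed the password (or H(user:realm:password)), while `plain_server_verify` only asks an oracle whether the pair is right. PAM is an oracle of the second kind, so a PAM-backed deployment can realistically only offer PLAIN, and the password then crosses the wire in base64 unless TLS is used. That is the practical reason the SASL layer on top of PAM ends up being little more than a password transport.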

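For the two open questions at the end of the message (running the PAM helper with root privilege without setuid, and giving ejabberd its own PAM service name), the following is an added illustration of what the Solaris pieces could look like; it is not from the ejabberd guide or from the package. The helper path `/usr/lib/ejabberd/epam`, the profile description and the `pam_service` option name are assumptions; the PAM stack is the standard Solaris `other` auth/account stack copied under a dedicated name.

```text
# /etc/security/prof_attr (assumed profile description)
Ejabberd Administration:::Run the ejabberd PAM helper:

# /etc/security/exec_attr -- run the helper with uid 0 instead of making it setuid
# (helper path is an assumption)
Ejabberd Administration:solaris:cmd:::/usr/lib/ejabberd/epam:uid=0

# /etc/pam.conf -- a dedicated service name so ejabberd does not depend on "other"
ejabberd auth    requisite pam_authtok_get.so.1
ejabberd auth    required  pam_dhkeys.so.1
ejabberd auth    required  pam_unix_cred.so.1
ejabberd auth    required  pam_unix_auth.so.1
ejabberd account required  pam_roles.so.1
ejabberd account required  pam_unix_account.so.1

# ejabberd.cfg -- option name assumed; tells the helper which service name to pass to pam_start()
{pam_service, "ejabberd"}.
```

Two caveats a practitioner would check before relying on this. First, an exec_attr entry only takes effect when the command is started through a profile shell or pfexec by a user who has the profile assigned in user_attr, so the daemon would have to launch the helper that way rather than executing it directly. Second, a separate service name is what lets a site put a different stack behind ejabberd (for example, deny account-locked or role accounts) without touching `other`, which is the practical reason to prefer it over relying on the default.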