Add PAM authentication support about maddy HOT 6 CLOSED

CGo dependency: libpam

Maybe there is a pure Go PAM implementation out there? libpam is very annoying to use.

maddy needs to access the shadow database (/etc/shadow) on configurations using the local database

We don't need that with PAM. We only need that for #21.

from maddy.

We don't need that with PAM. We only need that for #21.

From pam_unix.so(8):

A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock(1) to work without being setuid-root.

Ok, didn't know. Perhaps, can we use it for #21 too?

UPD: No, we shouldn't.

The interface of the helper - command line options, and input/output data format are internal to the pam_unix module and it should not be called directly from applications.

from maddy.

Oh, unix_chkpwd works only for current user so it is not useful for us. We need root to access /etc/shadow.

from maddy.

So, what I think should be done.

Create a separate binary called maddy-pam-helper.
When started it reads two \0-terminated lines on stdin (username and password) and sets exit status depending on authentication success.

Generally, when installed to the system, this binary should setuid root (or given CAP_DAC_READ_SEARCH capability on Linux) and be only executable by a group that maddy server runs under (user group "maddy"?).

from maddy.

Oh, right. RIP, we need root either way.

from maddy.

https://github.com/foxcpp/maddy/tree/pam

from maddy.