Bug 452803
| Summary: | PAM support for ejabberd | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bill McGonigle <bill-bugzilla.redhat.com> | ||||
| Component: | ejabberd | Assignee: | Peter Lemenkov <lemenkov> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 8 | ||||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-09-25 00:09:19 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 310236 [details]
ejabberd.spec patch to add PAM bits
Thanks for your work. I'll review it ASAP. ejabberd-2.0.2-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/ejabberd-2.0.2-1.fc8 ejabberd-2.0.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/ejabberd-2.0.2-1.fc9 ejabberd-2.0.2-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ejabberd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-7657 ejabberd-2.0.2-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ejabberd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7637 ejabberd-2.0.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. ejabberd-2.0.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. |
A new feature of ejabberd 2 is built-in PAM support. This can make adding jabber service with ejabberd to a simple server as easy as adding mail service is with dovecot. I'm not sure the best way to include all the bits here, so I'll attach a patch for the .spec and mention other changes. For ejabberd.cfg: -%%{pam_service, "pamservicename"}. +%%{pam_service, "ejabberd"}. and an ejabberd.pam file for SOURCES: #%PAM-1.0 auth include system-auth account include system-auth I would not suggest uncommenting this by default as the administrator ought to consider the security implications. It might even be wise to make a note that TLS really ought to be enabled before doing this, though we don't prevent people from shooting themselves in the foot with, e.g. dovecot with plain IMAP. Things I haven't addressed here: 1. Whether the PAM file is appropriate. It works, but did I forget something important? Is there a way to limit UID's < 500 in pam files? Authentication tries? 2. Any SELinux stuffs. 3. Somebody sanity check the priv/bin/epam permissions. I followed the advice from the ejabberd manual for secure use (oh, this is the privilege separation thingy). And all the things I didn't think to think of. However, functionally, this does appear to work as advertised on my server. No user registration is required, and only valid passwords authenticate.