Bug 452803 - PAM support for ejabberd
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: ejabberd
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Peter Lemenkov
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-25 03:51 EDT by Bill McGonigle
Modified: 2008-09-24 20:12 EDT
Doc Type: Bug Fix
Last Closed: 2008-09-24 20:09:19 EDT

Attachments
ejabberd.spec patch to add PAM bits (1.55 KB, patch)
2008-06-25 03:51 EDT, Bill McGonigle

Description Bill McGonigle 2008-06-25 03:51:22 EDT
A new feature of ejabberd 2 is built-in PAM support.  This can make adding
jabber service with ejabberd to a simple server as easy as adding mail service
is with dovecot.

I'm not sure the best way to include all the bits here, so I'll attach a patch
for the .spec and mention other changes. For ejabberd.cfg:

-%%{pam_service, "pamservicename"}.
+%%{pam_service, "ejabberd"}.
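
Review bot: the "+" line for ejabberd.cfg still begins with "%%", so the option ships commented out, and nothing in the hunk tells the administrator what to check before enabling it. Consider adding a comment line above it saying that TLS should be enabled first, and that the service name "ejabberd" has to match the name under which the ejabberd.pam source is installed.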

and an ejabberd.pam file for SOURCES:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth

I would not suggest uncommenting this by default as the administrator ought to
consider the security implications.  It might even be wise to make a note that
TLS really ought to be enabled before doing this, though we don't prevent people
from shooting themselves in the foot with, e.g. dovecot with plain IMAP.

Things I haven't addressed here:
1. Whether the PAM file is appropriate.  It works, but did I forget something
important?  Is there a way to limit UIDs < 500 in pam files?  Authentication tries?
2. Any SELinux stuffs.
3. Somebody sanity check the priv/bin/epam permissions.  I followed the advice
from the ejabberd manual for secure use (oh, this is the privilege separation
thingy).

And all the things I didn't think to think of.  However, functionally, this does
appear to work as advertised on my server.  No user registration is required,
and only valid passwords authenticate.
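
An added example, not part of the original report or of the Fedora package: a small Python check that parses a pam.d service file and reports whether system accounts are refused before the shared stack runs, which is the UID question raised in item 1 of the description. The hardened file, its pam_succeed_if.so line, and the names parse and min_uid_gate are assumptions made for illustration; the 500 threshold is the one mentioned in the report.

```python
import re

# The service file exactly as posted in the bug description.
POSTED = """#%PAM-1.0
auth       include      system-auth
account    include      system-auth
"""

# Constructed variant (an assumption, not from the report): refuse system
# accounts before the shared system-auth stack is consulted.
HARDENED = """#%PAM-1.0
auth       requisite    pam_succeed_if.so uid >= 500
auth       include      system-auth
account    include      system-auth
"""

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, args) for every rule in a pam.d file."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        m = RULE.match(line.split("#", 1)[0].strip())     # drop comments
        if m:
            rules.append((m[1].lower(), m[2], m[3], m[4].split()))
    return rules

def min_uid_gate(text, kind="auth"):
    """Lowest uid admitted by a blocking pam_succeed_if rule that runs before
    anything in the stack could grant access; None if there is no such gate."""
    for typ, control, module, args in parse(text):
        if typ != kind:
            continue
        blocking = control in ("required", "requisite")
        if blocking and module.rsplit("/", 1)[-1] == "pam_succeed_if.so":
            for i in range(len(args) - 2):
                if args[i] == "uid" and args[i + 1] in (">=", ">"):
                    return int(args[i + 2]) + (args[i + 1] == ">")
        if control not in ("required", "requisite", "optional"):
            return None  # include/sufficient/[...] may already have succeeded
    return None

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, "-> minimum uid enforced:", min_uid_gate(text))
```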

Comment 1 Bill McGonigle 2008-06-25 03:51:22 EDT
Created attachment 310236 [details]
ejabberd.spec patch to add PAM bits

Comment 2 Peter Lemenkov 2008-06-30 05:33:22 EDT
Thanks for your work. I'll review it ASAP.

Comment 3 Fedora Update System 2008-08-29 16:40:41 EDT
ejabberd-2.0.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ejabberd-2.0.2-1.fc8

Comment 4 Fedora Update System 2008-08-29 16:40:52 EDT
ejabberd-2.0.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ejabberd-2.0.2-1.fc9

Comment 5 Fedora Update System 2008-09-10 03:13:56 EDT
ejabberd-2.0.2-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ejabberd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-7657

Comment 6 Fedora Update System 2008-09-10 03:15:24 EDT
ejabberd-2.0.2-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update ejabberd'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7637

Comment 7 Fedora Update System 2008-09-24 20:09:07 EDT
ejabberd-2.0.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-09-24 20:12:55 EDT
ejabberd-2.0.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
