[CalendarServer-users] PAM Authentication?

Stephen Bowman sbbowman at gmail.com
Sat Jan 12 11:18:10 PST 2008


So possibly someone else can benefit from this, here's the final resolution:

1) Installed pwauth (http://unixpapa.com/pwauth/), which is exactly what
Chris suggested as a simple highly secure routine to do the PAM
authentication.  One benefit of pwauth over various others out there is that
at compile time you can set the UIDs of the user(s) that can run it.  After
compiling, the pwauth binary is setuid root so that it can perform the PAM
lookups.

2) Following Cyrus's advice, I modified the
twistedcaldav.directory.xmlfile.XMLDirectoryRecord.verifyCredentials
method as follows:

    import subprocess

    def verifyCredentials(self, credentials):
        # Hand pwauth the username and password on stdin, one per line.
        proc1 = subprocess.Popen(["/usr/local/libexec/pwauth"],
                                 stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        proc1.communicate(credentials.username + "\n" + credentials.password + "\n")
        returnval = proc1.poll()
        # A returnval of 0 means a successful authentication, anything else
        # is a failure
        return returnval == 0

3) Digest HTTP authentication had to be turned OFF, and Basic had to be
turned ON in the caldavd.plist configuration file.

Now, all users must exist in the XML file for provisioning, but the
authentication piece is handled entirely by PAM.

If anyone has any problems repeating this, feel free to email me.

Thanks,
-Stephen

On Jan 11, 2008 8:27 PM, Cyrus Daboo <cdaboo at apple.com> wrote:

> Hi Chris,
>
> --On January 11, 2008 5:04:43 PM -0600 Chris Cleeland
> <chris at milodesigns.com> wrote:
>
> >> But to achieve this, the Calendar Server would have to be running as
> >> root.  The caller of the PAM functions has to be root... I can't
> >> think of an easy way around this.  Anyone else?
> >
> > Call out to another daemon that ONLY does the PAM function.  Let that
> > other program be simple and highly secure, and let it run as root.
>
> Right, that's the right approach.
>
> Another option would be to support SASL and then configure PAM into SASL.
> The CMU SASL does have a saslauthd that runs separately and can do PAM, I
> believe. You may already be using SASL for other services such as SMTP,
> IMAP etc.
>
> --
> Cyrus Daboo
>
> _______________________________________________
> calendarserver-users mailing list
> calendarserver-users at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo/calendarserver-users
>
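A hardened version of the pwauth call described above, added here as an example rather than taken from the post or from CalendarServer: it keeps pwauth's two-line stdin framing intact by rejecting a username or password containing CR, LF or NUL (which would otherwise push the password onto the wrong line), fails closed when the binary is missing or a PAM module hangs, and lets the pwauth invocation be swapped for a constructed stand-in so it can be exercised offline. The install path, the five-second timeout and the stand-in runner are assumptions.

```python
import subprocess
from typing import Callable, Optional

# Assumed install path, matching the one used in the post above.
PWAUTH = "/usr/local/libexec/pwauth"


def pwauth_input(username: str, password: str) -> Optional[bytes]:
    """Build the two-line stdin payload pwauth reads (username, then password).

    Returns None when either value would break that framing: an empty value,
    or a CR, LF or NUL, any of which would move the password onto the wrong
    line and make pwauth check a different user/password pair than intended.
    """
    for value in (username, password):
        if not value or any(ch in value for ch in "\r\n\0"):
            return None
    return (username + "\n" + password + "\n").encode("utf-8")


def verify_credentials(username: str, password: str,
                       run: Callable = subprocess.run,
                       pwauth: str = PWAUTH, timeout: float = 5.0) -> bool:
    """Return True only when pwauth exits 0; every error path fails closed."""
    payload = pwauth_input(username, password)
    if payload is None:
        return False
    try:
        proc = run([pwauth], input=payload, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        # Missing or non-executable binary, or a PAM module that hangs.
        return False
    return proc.returncode == 0


def fake_pwauth_run(args, input=None, **kwargs):
    """Constructed stand-in for subprocess.run so the check runs offline:
    it knows exactly one credential pair, exit 0 on a match, 1 otherwise."""
    return subprocess.CompletedProcess(args, 0 if input == b"alice\nsecret\n" else 1)


if __name__ == "__main__":
    print(verify_credentials("alice", "secret", run=fake_pwauth_run))      # True
    print(verify_credentials("alice", "wrong", run=fake_pwauth_run))       # False
    print(verify_credentials("alice\nsecret", "x", run=fake_pwauth_run))   # False
```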