crunchuser / prosody-modules

Automatically exported from code.google.com/p/prosody-modules
MIT License
0 stars 0 forks source link

mod_auth_pam gets conversation failed error under Ubuntu 13.10 #34

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
1. Install mod_auth_pam with Prosody 0.9 (specifying "pam" for authentication)
2. Set up xmpp file in /etc/pam.d per wiki
3. Try to login as valid system user

The valid system user can't login to Prosody and these errors appear in 
auth.log:

localhost prosody[19726]: pam_unix(xmpp:auth): conversation failed

localhost prosody[19726]: pam_unix(xmpp:auth): auth could not identify password 
for [<username>]

I've tried several variations on the xmpp file in /etc/pam.d - even including a 
stub to allow all logins. I thought this might be related to the changes in 
recent Ubuntu versions that locked down PAM functionality a great deal, so I 
tried temporarily adding the prosody user to a privileged group, but that had 
no effect either.

mod_auth_pam with Prosody 0.9.1 on Ubuntu 13.10

Original issue reported on code.google.com by augu...@gmail.com on 15 Nov 2013 at 7:49

GoogleCodeExporter commented 9 years ago
In my tests with the example file included in lua-pam, I've found that PAM 
authentication on Ubuntu 13.10 only seems to work for either root or the user 
authenticating themselves. That is, the script works when run as my user or as 
root, but not for any other user.

I would have assumed that adding the prosody user to the shadow group (though 
somewhat insecure) would have worked - it does not. The only long-term solution 
I can think of (aside from banging some sense into the Ubuntu maintainers 
guild) is to start using lua-pwauth with PAM instead.

Original comment by augu...@gmail.com on 15 Nov 2013 at 9:16

GoogleCodeExporter commented 9 years ago
#35 deals with most of my issue. The changes to mod_auth_pam fix the auth 
issue. But the prosody daemon must still run as a user with access to 
/etc/shadow. Until something like pwauth is used instead, the setup will be 
somewhat insecure.

Original comment by augu...@gmail.com on 19 Nov 2013 at 6:07

GoogleCodeExporter commented 9 years ago
Attached patch should fix the issue. It was submitted to Kim Alvefur <zash> via 
Email, but apparently never arrived in the official sources.

Original comment by devuran...@gmx.net on 26 Jan 2014 at 1:23

Attachments:

GoogleCodeExporter commented 9 years ago
I attached the current version of my mod_auth_pam.lua to lxmppd#61 [1]. The 
module was changed to use the provider semantics (modeled after 
mod_auth_dovecot.lua) and more extensive logging.

[1] https://code.google.com/p/lxmppd/issues/detail?id=61

Original comment by devuran...@gmx.net on 28 May 2014 at 6:32

GoogleCodeExporter commented 9 years ago
I see you have been working on this. Any news regarding merging my new version 
in its entirety?

Original comment by devuran...@gmx.net on 10 Nov 2014 at 11:09