Software /
code /
prosody-modules
Annotate
mod_auth_external_insecure/README.markdown @ 3884:f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 06 Feb 2020 21:03:17 +0000 |
parent | 3390:mod_auth_external/README.markdown@3287dd234f3f |
child | 4558:8e58a1b78336 |
rev | line source |
---|---|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
1 --- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
2 labels: |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
3 - 'Stage-Deprecated' |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
4 - 'Type-Auth' |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
5 summary: 'Authentication via external script/process (DEPRECATED)' |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
6 ... |
1782 | 7 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
8 Introduction |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
9 ============ |
1782 | 10 |
11 Allow client authentication to be handled by an external script/process. | |
12 | |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
13 **Warning:** This module is not currently maintained, and may be buggy and insecure in |
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
14 certain configurations/environments. It is **not** recommended for production use. Please |
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
15 use one of the [many other authentication modules](/type_auth). |
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
16 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
17 Installation |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
18 ============ |
1782 | 19 |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
20 mod\_auth\_external\_insecure depends on a Lua module called |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
21 [lpty](http://www.tset.de/lpty/). You can install it on many platforms |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
22 using [LuaRocks](http://luarocks.org/), for example: |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
23 |
1820
8de50be756e5
Various README files: Correct indentation levels, fix syntax and other small fixes
Kim Alvefur <zash@zash.se>
parents:
1803
diff
changeset
|
24 sudo luarocks install lpty |
1782 | 25 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
26 Configuration |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
27 ============= |
1782 | 28 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
29 As with all auth modules, there is no need to add this to |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
30 modules\_enabled. Simply add in the global section, or for the relevant |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
31 hosts: |
1782 | 32 |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
33 authentication = "external_insecure" |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
34 |
3884
f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
Matthew Wild <mwild1@gmail.com>
parents:
3390
diff
changeset
|
35 These options are specific to mod\_auth\_external\_insecure: |
1782 | 36 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
37 -------------------------- ------------------------------------------------------------------------------------------------------------------------- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
38 external\_auth\_protocol May be "generic" or "ejabberd" (the latter for compatibility with ejabberd external auth scripts. Default is "generic". |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
39 external\_auth\_command The command/script to execute. |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
40 -------------------------- ------------------------------------------------------------------------------------------------------------------------- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
41 |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
42 Two other options are also available, depending on whether the module is |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
43 running in 'blocking' or 'non-blocking' mode: |
1782 | 44 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
45 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------ |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
46 external\_auth\_timeout blocking The number of seconds to wait for a response from the auth process. Default is 5. |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
47 external\_auth\_processes non-blocking The number of concurrent processes to spawn. Default is 1, increase to handle high connection rates efficiently. |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
48 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------ |
1782 | 49 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
50 Blocking vs non-blocking |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
51 ------------------------ |
1782 | 52 |
3389
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
53 Non-blocking mode is experimental and is disabled by default. |
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
54 |
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
55 Enable at your own risk if you fulfil these conditions: |
1782 | 56 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
57 - Running Prosody trunk ([nightly](http://prosody.im/nightly/) build |
3390
3287dd234f3f
mod_auth_external/README: Update mentioning 0.11.x
Kim Alvefur <zash@zash.se>
parents:
3389
diff
changeset
|
58 414+) or Prosody 0.11.x. |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
59 - [libevent](http://prosody.im/doc/libevent) is enabled in the config, |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
60 and LuaEvent is available. |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
61 - lpty (see installation above) is version 1.0.1 or later. |
1782 | 62 |
3389
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
63 ```lua |
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
64 external_auth_blocking = false; |
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
65 ``` |
788200f5f481
mod_auth_external/README: Update to reflect non-blocking by default
Kim Alvefur <zash@zash.se>
parents:
2876
diff
changeset
|
66 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
67 Protocol |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
68 ======== |
1782 | 69 |
70 Prosody executes the given command/script, and sends it queries. | |
71 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
72 Your auth script should simply read a line from standard input, and |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
73 write the result to standard output. It must do this in a loop, until |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
74 there's nothing left to read. Prosody can keep sending more lines to the |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
75 script, with a command on each line. |
1782 | 76 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
77 Each command is one line, and the response is expected to be a single |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
78 line containing "0" for failure or "1" for success. Your script must |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
79 respond with "0" for anything it doesn't understand. |
1782 | 80 |
81 There are three commands used at the moment: | |
82 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
83 auth |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
84 ---- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
85 |
1782 | 86 Check if a user's password is valid. |
87 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
88 Example: `auth:username:example.com:abc123` |
1782 | 89 |
90 Note: The password can contain colons. Make sure to handle that. | |
91 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
92 isuser |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
93 ------ |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
94 |
1782 | 95 Check if a user exists. |
96 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
97 Example: `isuser:username:example.com` |
1782 | 98 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
99 setpass |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
100 ------- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
101 |
1782 | 102 Set a new password for the user. Implementing this is optional. |
103 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
104 Example: `setpass:username:example.com:abc123` |
1782 | 105 |
106 Note: The password can contain colons. Make sure to handle that. | |
107 | |
2876 | 108 ejabberd compatibility |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
109 --------------------- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
110 |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
111 ejabberd implements a similar protocol. The main difference is that |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
112 Prosody's protocol is line-based, while ejabberd's is length-prefixed. |
1782 | 113 |
114 Add this to your config if you need to use an ejabberd auth script: | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
115 |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
116 external_auth_protocol = "ejabberd" |
1782 | 117 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
118 Compatibility |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
119 ============= |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
120 |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
121 ----- ------- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
122 0.8 Works |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
123 0.9 Works |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
124 ----- ------- |