Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale

To: Jonas Smedegaard <jonas@jones.dk>, 920566@bugs.debian.org
Subject: Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
From: Joe Nahmias <joe@nahmias.net>
Date: Sun, 27 Jan 2019 19:42:32 -0500
Message-id: <[🔎] 151120ee-ebbc-c3c5-3726-5e33439abc7e@nahmias.net>
Reply-to: Joe Nahmias <joe@nahmias.net>, 920566@bugs.debian.org
In-reply-to: <[🔎] 154859394598.5603.13554318553565077123@auryn.jones.dk>
References: <[🔎] 154855733079.22835.5541752296751219618.reportbug@pesto.nahmias.net> <[🔎] 154855733079.22835.5541752296751219618.reportbug@pesto.nahmias.net> <[🔎] 154859394598.5603.13554318553565077123@auryn.jones.dk> <[🔎] 154855733079.22835.5541752296751219618.reportbug@pesto.nahmias.net>

Hello Jonas,

On 1/27/2019 7:59 AM, Jonas Smedegaard wrote:

Quoting Joseph Nahmias (2019-01-27 03:48:50)

Package: wnpp
Severity: wishlist
Owner: Joseph Nahmias <joe@nahmias.net>

* Package name    : radicale-auth-pam
   Version         : 0.2
   Upstream Author : Joseph Nahmias <joe@nahmias.net>
* URL             : https://gitlab.com/jello/radicale_auth_PAM
* License         : GPL3
   Programming Lang: Python
   Description     : PAM authentication plugin for Radicale


Are you aware that Radicale can already use PAM,
by use of uWSGI and the Apache2 mod-authnz-external module?

The Debian package suggests this approach,
and provides snippets for setting up PAM that way.

Well, I must confess that I did not thoroughly read that documentationsince it mostly revolved around configuring Apache. I'm not using WSGIor a reverse proxy, so I didn't try to solve the problem ofauthenticating with PAM in that manner.

I notice that you are upstream author of this plugin,
so I guess you are biased towards using your own implementation.

Not really, I primarily just wrote it to scratch my own itch when Icouldn't find a PAM auth plugin and decided to share it with the world.Also, it was my first foray into Python, so I used it as a learningexperience secondarily.

May I suggest that at least you mention in long description
how access to sensitive material is handled?

For inspiration, libapache2-mod-authnz-external contains this:

Notably, this module can be used to securely authenticate against PAM
(without exposing /etc/shadow file), using, for example, pwauth
authenticator.


Mentioning in long description how security is addressed will help users
decide which approach to take.

So this is interesting feedback. In my docs, I mention that if PAM isusing standard Unix passwd/shadow then the radicale user will need to beadded to the shadow group.

My understanding is that pwauth is setuid in order to access/etc/shadow; but the process separation would be a security benefit ifpwauth is sufficiently small / auditable.


Obviously, if not using passwd/shadow then this concern doesn't apply.

Perhaps I will write a radicale-auth-PAM-pwauth plugin that calls pwauthto get the security benefit without needing apache.


I appreciate the comments and review!

  - Jonas


--Joe

Reply to:

Follow-Ups:
- Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
  - From: Jonas Smedegaard <jonas@jones.dk>

References:
- Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
  - From: "Joseph Nahmias" <joe@pesto.nahmias.net>
- Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
  - From: Jonas Smedegaard <jonas@jones.dk>

Prev by Date: Bug#920390: Acknowledgement (ITP: golang-github-ivpusic-grpool -- Lightweight Goroutine pool)
Next by Date: Bug#910533: preliminary building package
Previous by thread: Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
Next by thread: Bug#920566: ITP: radicale-auth-pam -- PAM authentication plugin for Radicale
Index(es):
- Date
- Thread