PAM SASL authentication module

Last updated on Fri, 26/07/2013 - 12:17

A PAM module for SASL password authentication.

The source code is hosted on SourceForge.
Packages for Ubuntu can be downloaded from the official PPA.

Use case

This module is useful in combination with the saslauthd service when you want a low-privilege process, such as gnome-screensaver, to authenticate the user against information that the process itself cannot read, e.g. the system Kerberos keytab /etc/krb5.keytab or the LDAP password stored in /etc/ldap.conf.

Example with gnome-screensaver

This example is modelled on Debian, Ubuntu and other similar distributions.
We will configure gnome-screensaver so that the user can unlock the screen even if the user lacks the privileges to read some of the files needed for authentication.

First, install the module and the saslauthd service (on Debian/Ubuntu, saslauthd is contained in the sasl2-bin package).

Modify the system files in the following way:

/etc/pam.d/gnome-screensaver

    auth    required    pam_sasl.so
    auth    optional    pam_gnome_keyring.so

/etc/pam.d/sasl-gnome-screensaver

    @include common-auth

/etc/sasl/sasl-gnome-screensaver.conf

    pwcheck_method: saslauthd

/etc/default/saslauthd

    [...]
    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    [...]
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"

    [...]

/etc/security/group.conf

    [...]
    #xsh; tty* ;sword;!Wk0900-1800;sound, play
    #xsh; tty* ;*;Al0900-1800;floppy

    login;*;*;Al0000-2400;cdrom,audio,video,sasl
    gdm;*;*;Al0000-2400;cdrom,audio,video,sasl

    [...]

Under this configuration, when the user tries to unlock the screen, the following happens:

  1. gnome-screensaver gives the password to the module pam_sasl.so
  2. pam_sasl.so reads the configuration file /etc/sasl/sasl-gnome-screensaver.conf and decides to use the saslauthd service
  3. pam_sasl.so contacts the saslauthd service through a socket accessible only to members of the sasl group (hence the /etc/security/group.conf entries, which make pam_group add the sasl group to login and gdm sessions)
  4. saslauthd is configured to use the PAM library, so it checks the password using the modules configured in /etc/pam.d/sasl-gnome-screensaver
  5. the password is finally checked in the same way as it was before installing pam_sasl, but this time the check is done by the saslauthd daemon, which runs as root and can therefore read the files the user's process cannot.
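As an added example (not part of pam_sasl or of this page), a POSIX shell checker that verifies the five files above contain the settings the steps rely on; the function names are assumptions, and the optional root-directory argument lets it run against a staging tree before the live system is touched.

```shell
#!/bin/sh
# Added example (not part of pam_sasl): static check of the five files from
# the gnome-screensaver setup above. ROOT (arg 1, default "/") lets you run
# it against a staging tree. Exit status 0 = all settings present, 1 = not.

# need_line FILE REGEX DESCRIPTION: pass if FILE under $root has a matching line
need_line() {
    if [ -f "$root$1" ] && grep -qE "$2" "$root$1"; then
        echo "ok:   $3"
    else
        echo "FAIL: $3 (expected in $root$1)"
        rc=1
    fi
}

check_pam_sasl_config() {
    root="${1%/}"   # "/" becomes "", so "$root/etc/..." is always a valid path
    rc=0
    # 1. gnome-screensaver hands the password to pam_sasl.so
    need_line /etc/pam.d/gnome-screensaver \
        '^auth[[:space:]]+required[[:space:]]+pam_sasl\.so' \
        "gnome-screensaver auth stack requires pam_sasl.so"
    # 2. pam_sasl delegates the check to saslauthd instead of checking locally
    need_line /etc/sasl/sasl-gnome-screensaver.conf \
        '^pwcheck_method:[[:space:]]*saslauthd' \
        "sasl-gnome-screensaver.conf sets pwcheck_method to saslauthd"
    # 3. saslauthd must be enabled and must use PAM as its mechanism
    need_line /etc/default/saslauthd '^START=yes' "saslauthd starts at boot"
    need_line /etc/default/saslauthd '^MECHANISMS="pam"' "saslauthd mechanism is pam"
    # 4. the PAM stack that saslauthd (running as root) evaluates for this service
    need_line /etc/pam.d/sasl-gnome-screensaver '^@include[[:space:]]+common-auth' \
        "sasl-gnome-screensaver stack includes common-auth"
    # 5. login and gdm sessions receive the sasl group, which owns the socket
    for svc in login gdm; do
        need_line /etc/security/group.conf \
            "^$svc;[^;]*;[^;]*;[^;]*;(.*,)?sasl(,.*)?\$" \
            "pam_group grants sasl to $svc sessions"
    done
    return $rc
}
```

Source the file and call check_pam_sasl_config / on the live system; the script only inspects files, so once it passes, testsaslauthd from sasl2-bin (-u user, -p password, -s service) is the tool to exercise the running daemon itself.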