comparison mod_auth_external_insecure/README.markdown @ 3884:f84ede3e9e3b

mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
author Matthew Wild <mwild1@gmail.com>
date Thu, 06 Feb 2020 21:03:17 +0000
parents mod_auth_external/README.markdown@3287dd234f3f
children 8e58a1b78336
comparison
equal deleted inserted replaced
3883:571249f69577 3884:f84ede3e9e3b
1 ---
2 labels:
3 - 'Stage-Deprecated'
4 - 'Type-Auth'
5 summary: 'Authentication via external script/process (DEPRECATED)'
6 ...
7
8 Introduction
9 ============
10
11 Allow client authentication to be handled by an external script/process.
12
13 **Warning:** This module is not currently maintained, and may be buggy and insecure in
14 certain configurations/environments. It is **not** recommended for production use. Please
15 use one of the [many other authentication modules](/type_auth).
16
17 Installation
18 ============
19
20 mod\_auth\_external\_insecure depends on a Lua module called
21 [lpty](http://www.tset.de/lpty/). You can install it on many platforms
22 using [LuaRocks](http://luarocks.org/), for example:
23
24 sudo luarocks install lpty
25
26 Configuration
27 =============
28
29 As with all auth modules, there is no need to add this to
30 modules\_enabled. Simply add in the global section, or for the relevant
31 hosts:
32
33 authentication = "external_insecure"
34
35 These options are specific to mod\_auth\_external\_insecure:
36
37 -------------------------- -------------------------------------------------------------------------------------------------------------------------
38 external\_auth\_protocol May be "generic" or "ejabberd" (the latter for compatibility with ejabberd external auth scripts. Default is "generic".
39 external\_auth\_command The command/script to execute.
40 -------------------------- -------------------------------------------------------------------------------------------------------------------------
41
42 Two other options are also available, depending on whether the module is
43 running in 'blocking' or 'non-blocking' mode:
44
45 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------
46 external\_auth\_timeout blocking The number of seconds to wait for a response from the auth process. Default is 5.
47 external\_auth\_processes non-blocking The number of concurrent processes to spawn. Default is 1, increase to handle high connection rates efficiently.
48 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------
49
50 Blocking vs non-blocking
51 ------------------------
52
53 Non-blocking mode is experimental and is disabled by default.
54
55 Enable at your own risk if you fulfil these conditions:
56
57 - Running Prosody trunk ([nightly](http://prosody.im/nightly/) build
58 414+) or Prosody 0.11.x.
59 - [libevent](http://prosody.im/doc/libevent) is enabled in the config,
60 and LuaEvent is available.
61 - lpty (see installation above) is version 1.0.1 or later.
62
63 ```lua
64 external_auth_blocking = false;
65 ```
66
67 Protocol
68 ========
69
70 Prosody executes the given command/script, and sends it queries.
71
72 Your auth script should simply read a line from standard input, and
73 write the result to standard output. It must do this in a loop, until
74 there's nothing left to read. Prosody can keep sending more lines to the
75 script, with a command on each line.
76
77 Each command is one line, and the response is expected to be a single
78 line containing "0" for failure or "1" for success. Your script must
79 respond with "0" for anything it doesn't understand.
80
81 There are three commands used at the moment:
82
83 auth
84 ----
85
86 Check if a user's password is valid.
87
88 Example: `auth:username:example.com:abc123`
89
90 Note: The password can contain colons. Make sure to handle that.
91
92 isuser
93 ------
94
95 Check if a user exists.
96
97 Example: `isuser:username:example.com`
98
99 setpass
100 -------
101
102 Set a new password for the user. Implementing this is optional.
103
104 Example: `setpass:username:example.com:abc123`
105
106 Note: The password can contain colons. Make sure to handle that.
107
108 ejabberd compatibility
109 ---------------------
110
111 ejabberd implements a similar protocol. The main difference is that
112 Prosody's protocol is line-based, while ejabberd's is length-prefixed.
113
114 Add this to your config if you need to use an ejabberd auth script:
115
116 external_auth_protocol = "ejabberd"
117
118 Compatibility
119 =============
120
121 ----- -------
122 0.8 Works
123 0.9 Works
124 ----- -------