Mercurial > prosody-modules
comparison mod_auth_external_insecure/README.markdown @ 3884:f84ede3e9e3b
mod_auth_external->mod_auth_external_insecure: Unmaintained and almost certainly insecure, discourage its use
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Feb 2020 21:03:17 +0000 |
| parents | mod_auth_external/README.markdown@3287dd234f3f |
| children | 8e58a1b78336 |
comparison
equal
deleted
inserted
replaced
| 3883:571249f69577 | 3884:f84ede3e9e3b |
|---|---|
| 1 --- | |
| 2 labels: | |
| 3 - 'Stage-Deprecated' | |
| 4 - 'Type-Auth' | |
| 5 summary: 'Authentication via external script/process (DEPRECATED)' | |
| 6 ... | |
| 7 | |
| 8 Introduction | |
| 9 ============ | |
| 10 | |
| 11 Allow client authentication to be handled by an external script/process. | |
| 12 | |
| 13 **Warning:** This module is not currently maintained, and may be buggy and insecure in | |
| 14 certain configurations/environments. It is **not** recommended for production use. Please | |
| 15 use one of the [many other authentication modules](/type_auth). | |
| 16 | |
| 17 Installation | |
| 18 ============ | |
| 19 | |
| 20 mod\_auth\_external\_insecure depends on a Lua module called | |
| 21 [lpty](http://www.tset.de/lpty/). You can install it on many platforms | |
| 22 using [LuaRocks](http://luarocks.org/), for example: | |
| 23 | |
| 24 sudo luarocks install lpty | |
| 25 | |
| 26 Configuration | |
| 27 ============= | |
| 28 | |
| 29 As with all auth modules, there is no need to add this to | |
| 30 modules\_enabled. Simply add in the global section, or for the relevant | |
| 31 hosts: | |
| 32 | |
| 33 authentication = "external_insecure" | |
| 34 | |
| 35 These options are specific to mod\_auth\_external\_insecure: | |
| 36 | |
| 37 -------------------------- ------------------------------------------------------------------------------------------------------------------------- | |
| 38 external\_auth\_protocol May be "generic" or "ejabberd" (the latter for compatibility with ejabberd external auth scripts. Default is "generic". | |
| 39 external\_auth\_command The command/script to execute. | |
| 40 -------------------------- ------------------------------------------------------------------------------------------------------------------------- | |
| 41 | |
| 42 Two other options are also available, depending on whether the module is | |
| 43 running in 'blocking' or 'non-blocking' mode: | |
| 44 | |
| 45 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------ | |
| 46 external\_auth\_timeout blocking The number of seconds to wait for a response from the auth process. Default is 5. | |
| 47 external\_auth\_processes non-blocking The number of concurrent processes to spawn. Default is 1, increase to handle high connection rates efficiently. | |
| 48 --------------------------- -------------- ------------------------------------------------------------------------------------------------------------------ | |
| 49 | |
| 50 Blocking vs non-blocking | |
| 51 ------------------------ | |
| 52 | |
| 53 Non-blocking mode is experimental and is disabled by default. | |
| 54 | |
| 55 Enable at your own risk if you fulfil these conditions: | |
| 56 | |
| 57 - Running Prosody trunk ([nightly](http://prosody.im/nightly/) build | |
| 58 414+) or Prosody 0.11.x. | |
| 59 - [libevent](http://prosody.im/doc/libevent) is enabled in the config, | |
| 60 and LuaEvent is available. | |
| 61 - lpty (see installation above) is version 1.0.1 or later. | |
| 62 | |
| 63 ```lua | |
| 64 external_auth_blocking = false; | |
| 65 ``` | |
| 66 | |
| 67 Protocol | |
| 68 ======== | |
| 69 | |
| 70 Prosody executes the given command/script, and sends it queries. | |
| 71 | |
| 72 Your auth script should simply read a line from standard input, and | |
| 73 write the result to standard output. It must do this in a loop, until | |
| 74 there's nothing left to read. Prosody can keep sending more lines to the | |
| 75 script, with a command on each line. | |
| 76 | |
| 77 Each command is one line, and the response is expected to be a single | |
| 78 line containing "0" for failure or "1" for success. Your script must | |
| 79 respond with "0" for anything it doesn't understand. | |
| 80 | |
| 81 There are three commands used at the moment: | |
| 82 | |
| 83 auth | |
| 84 ---- | |
| 85 | |
| 86 Check if a user's password is valid. | |
| 87 | |
| 88 Example: `auth:username:example.com:abc123` | |
| 89 | |
| 90 Note: The password can contain colons. Make sure to handle that. | |
| 91 | |
| 92 isuser | |
| 93 ------ | |
| 94 | |
| 95 Check if a user exists. | |
| 96 | |
| 97 Example: `isuser:username:example.com` | |
| 98 | |
| 99 setpass | |
| 100 ------- | |
| 101 | |
| 102 Set a new password for the user. Implementing this is optional. | |
| 103 | |
| 104 Example: `setpass:username:example.com:abc123` | |
| 105 | |
| 106 Note: The password can contain colons. Make sure to handle that. | |
| 107 | |
| 108 ejabberd compatibility | |
| 109 --------------------- | |
| 110 | |
| 111 ejabberd implements a similar protocol. The main difference is that | |
| 112 Prosody's protocol is line-based, while ejabberd's is length-prefixed. | |
| 113 | |
| 114 Add this to your config if you need to use an ejabberd auth script: | |
| 115 | |
| 116 external_auth_protocol = "ejabberd" | |
| 117 | |
| 118 Compatibility | |
| 119 ============= | |
| 120 | |
| 121 ----- ------- | |
| 122 0.8 Works | |
| 123 0.9 Works | |
| 124 ----- ------- |