dante   Frontpage - Dante - Download - Status - Support - Modules - Docs - Links - Survey
 

PAM Authentication

This page describes how to use PAM based authentication.

Overview

The pam authentication method uses the Pluggable Authentication Module (PAM) system available on some platforms. If the form of PAM authentication specified requires a username and password, the standard SOCKS version 5 username authentication method is used to supply the username and password to the Dante server. Note that the password is transmitted in clear-text with this authentication method. It should not be used over an insecure network.

Some PAM modules, but not necessarily all, support performing access control based on the IP address or hostname of the SOCKS client. This makes it possible to use PAM without the SOCKS client providing any username or password.

Dante compilation

Dante must be compiled with support for PAM in order to be able to use the PAM authentication method.

To check if a Dante binary has support for PAM, the following command can be used:

$ ./sockd -vv | grep build: | grep pam
build: gssapi libwrap mon-data mon-disconnect pam preload sess2 upnp

If Dante has been compiled with PAM support, the word "pam" should be present somewhere in the above line. If nothing is output, Dante will need to be recompiled with PAM support enabled.

To compile Dante with PAM support, first run the configure script in the source archive and verify that the system PAM installation is found correctly. For the PAM support to be added to Dante, Dante has two basic requirements:

  • A library called libpam must be present on the machine.
  • A header file called security/pam_appl.h must be present.

On some platforms, the latter will typically only be available if a package called pam-devel or similar is installed.

When running configure, several lines of status information should be printed at the end, including a line with information about PAM. If something is missing on the system, or has not been found correctly by Dante, output similar to the following should be output:

PAM:               Disabled, security/pam_appl.h missing

If all requirements are found correctly, the following should be output:

PAM:               Enabled

At this point, it should be possible to compile the source code to get a sockd binary with PAM support. After compilation has completed, verify using the command described above that PAM support is actually supported by the binary.

PAM system environment setup

The PAM system on the server needs to be configured for use with Dante. This might involve adding a configuration file or line for the SOCKS server to the PAM setup. The changes depend on the operating system, but it will generally be identical to similar services, such as sshd.

The default PAM service name used by Dante is sockd, but this can be overridden in individual rules in the server configuration file by setting pamservicename to a different value. The client-rule example below shows how this is typically done. The default value can only be changed at compile time so it is necessary to specify this setting in each rule that should use a different servicename.

IMPORTANT: Care should be taken to verify that a pam configuration file corresponding to the pamservicename actually exists when this option is used, because on some platforms, such as FreeBSD, the default is for the PAM system to pass all traffic if a non-existing file is specified. It must be verified that valid requests are passed and that requests with an incorrect IP-address or user/password are blocked when PAM is used, as the decision on whether access should be granted or not involves the PAM system and is not entirely under Dante's control.

As an example, some UNIX distributions have a PAM service config files in the directory /etc/pam.d, which would make the default Dante PAM config file /etc/pam.d/sockd. For example:

%PAM-1.0
#auth      required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be
executed in the 
user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_limits.so

Note that the above file should not be copied verbatim; there are likely to be significant variations between operating systems, and even versions of any given operating system. Copying an existing file, such as the one for sshd should give a starting point that can be changed as desired.

Server privileges

#server identities (not needed on Solaris)
user.privileged    : root
user.notprivileged : socks

The server will typically have to be started with root privileges to verify passwords via PAM. If this is the case, the user.privileged and user.notprivileged keywords should be set to ensure that the server will run as an unprivileged user when it does not need root privileges.

Syntax changes

In Dante 1.4.0, the name of the PAM authentication method was changed from simply pam, into either pam.address (for IP/hostname-only based PAM authentication, with no username/passwords exchanged) or pam.username (for username/password based PAM authentication). The old pam keyword semantics determined the correct meaning based on context, but this excluded some use-cases, and this keyword was thus deprecated.

Example clientmethod usage

PAM can in some cases be used within Dante's client-rules, where only the IP-address of the connecting client is available.

If used with a PAM authentication method that only requires the IP-address of the client connecting to Dante, it is possible to use PAM in a client-rule.

One such PAM method is pam_rhosts, which can be found on some platforms that support PAM. One limitation compared to e.g., rsh is that the the user name of the client will not be known. This applies to both the PAM USER and RUSER values, both of which the Dante server sets to rhostusr by default. This can by changed at compile-time in Dante by modifying the variables DEFAULT_PAM_USER and DEFAULT_PAM_RUSER, respectively. To use the pam_rhosts module it might be necessary to add this user to the machine the Dante server is running on in order for the pam_rhosts module to work with Dante.

Below is an example of the syntax used in Dante when one wants to use PAM from client-rules:

clientmethod: pam.address

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
	#the servicename should differ from the servicename in socks-rules
        pamservicename: pam_host
}

The example above sets the pamservicename to pam_host, which is assumed to be configured in a way which makes it possible to authenticate based on the client hostname only. This value should be different from the PAM servicename used in the SOCKS rules (see below), where the username and password would also be available for deciding whether access should be granted or not.

With the above configuration, the pam_host PAM module would be used to determine whether connections should be accepted based on the IP address of the client. A PAM authentication failure would lead to the connection being closed. A PAM authentication success would cause SOCKS protocol negotiation to start, after which the corresponding socks-rules would be used to determine whether access should be granted or denied.

Example socks-rule usage

The more typical way to use PAM authentication is within socks-rules. The information provided to the PAM subsystem will then, in addition to the IP-address, also include the username and password supplied by the user.

socksmethod: pam.username
#standard client rule, accept all clients
client pass { from: 0/0 to: 0/0 }

#outgoing traffic, requiring pam.username authentication, as specified
#in the global socksmethod.
socks pass {  
        from: 0/0 to: 0/0
}

Copyright © 1998-2016 Inferno Nettverk A/S