PAM Authentication
This page describes how to use PAM based authentication.
Overview
The pam authentication method is a variant of the
username authentication method which uses the Pluggable
Authentication Module (PAM) system available on some platforms. The
SOCKS version 5 username authentication method is used by the
client to supply the username and password, only the system mechanism
used at the server to verify the password is different. Note
that the password is transmitted in cleartext with this authentication
method. It should not be used over an insecure network.
Some PAM modules can perform client access control based on the IP
address or hostname of the client. This makes it possible to use PAM
without the SOCKS client providing any username or password.
Environment setup
The PAM system on the server needs to be configured. This might
involve adding a configuration file for the SOCKS server to the PAM
setup. The contents of the file depends on the operating system, but
it will generally be identical to similar services, such as
sshd.
The default PAM service name is sockd, but this can be
overridden in individual rules in the server configuration file by setting
pamservicename to a different value. The clientmethod
example below shows how this is typically done. The default value can
only be changed at compile time so it is necessary to specify this
setting in each rule that should use a different servicename.
Server privileges
#server identities (not needed on solaris)
user.privileged : root
user.notprivileged : socks
The server will typically have to be started with root
privileges to verify passwords via PAM. If this is the case, the
user.privileged and user.notprivileged keywords
should be set to ensure that the server will run as an unprivileged
user when it does not need root privileges.
Example clientmethod usage
If used with a PAM authentication method that only requires the hostname
of the client, it is possible to use PAM as a clientmethod. This will cause
the PAM method to be called with the information that is available before
SOCKS negotiation.
One such PAM method is pam_rhosts, which can be found on
some platforms that support PAM. One limitation compared to e.g.,
rsh is that the user name of the client will not be known
(this applies to both the PAM USER and RUSER
values). The Dante server sets these values to socksclient by
default. To use the pam_rhosts module it might be necessary
to add this user to the machine the Dante server is running on in
order for the pam_rhosts module to work from a
clientmethod. Note that the pam_rhosts module might not
work with Dante versions before 1.2.2.
clientmethod: pam
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error # connect disconnect iooperation
method: pam
#this servicename should be different from servicename for socks rules
pamservicename: pam_host
}
The example above sets the pamservicename to pam_host, which
is assumed to be configured in a way which makes it possible to authenticate
based on the client host name only. This value should be different from the
pam servicename used in the SOCKS rules (see below), where the username and
password would be available and used to decide whether access should be
granted or not.
With the above configuration, the pam_host PAM module would be used
to determine whether connections should be accepted based on the IP address
of the clients. An authentication failure would lead to the connection being
closed, while an authentication success would cause SOCKS protocol negotiation
to proceed over that connection.
Example method usage -- client
route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: 10.0.0.1 port = 1080
proxyprotocol: socks_v5
method: username
}
The username method is specified at the client.
Example method usage -- server
#authentication methods
method: pam
#incoming traffic, no authentication
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error # connect disconnect iooperation
command: udpreply bindreply
}
#bind/outgoing traffic, with authentication
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
method: pam
}
The pam method cannot be used for incoming traffic
(bindreply, udpreply), unless the PAM module will authenticate based
on the TCP or UDP address only.
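As an added example (not part of the Dante documentation), the two constraints described above can be checked with a small Python lint over a sockd.conf fragment: client rules and socks rules that select pam should not share a pamservicename, and socks rules that select pam for bindreply or udpreply are flagged because no username or password is available there. The parser, the sample configuration and the finding texts are constructed here; rules that only inherit methods from the global method line are not examined.

```python
import re

# Constructed sockd.conf fragment (not from the Dante docs): the client rule
# inherits the default servicename that a socks rule also uses, and one socks
# rule selects pam for incoming (bindreply/udpreply) traffic.
SAMPLE_CONF = """\
method: pam
client pass {
    method: pam
}
pass {
    command: udpreply bindreply
    method: pam
}
pass {
    command: bind connect udpassociate
    method: pam
    pamservicename: sockd
}
"""

DEFAULT_SERVICE = "sockd"             # compile-time default named on the page
INCOMING = {"bindreply", "udpreply"}  # commands for which no credentials exist

def parse_rules(text):
    """Return (kind, settings) per rule block; kind is 'client' or 'socks'."""
    rules = []
    for m in re.finditer(r"(client\s+)?(?:pass|block)\s*\{([^}]*)\}", text):
        settings = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if ":" in line:                       # only the first key of a line is kept
                key, val = line.split(":", 1)
                settings[key.strip()] = val.split()
        rules.append(("client" if m.group(1) else "socks", settings))
    return rules

def check_pam_rules(text):
    """Lint rules that list pam as a method; returns a list of finding strings."""
    findings, services = [], {"client": set(), "socks": set()}
    for kind, s in parse_rules(text):
        if "pam" not in s.get("method", []):
            continue
        services[kind].add(s.get("pamservicename", [DEFAULT_SERVICE])[0])
        bad = set(s.get("command", [])) & INCOMING
        if kind == "socks" and bad:
            findings.append(f"pam on incoming command(s) {sorted(bad)}: valid only if the module authenticates on address alone")
    for svc in sorted(services["client"] & services["socks"]):
        findings.append(f"pamservicename '{svc}' is shared by client and socks rules")
    return findings
```

Running check_pam_rules(SAMPLE_CONF) reports both problems; a configuration like the page's own examples, with pam_host on the client rule and pam only on bind/connect/udpassociate socks rules, produces no findings.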