PAM Authentication
This page describes how to use PAM based authentication.
Overview
The pam authentication method is a variant of the username authentication method which uses the Pluggable Authentication Module (PAM) system available on some platforms. The SOCKS version 5 username authentication method is used by the client to supply the username and password, only the system mechanism used at the server to verify the password is different. Note that the password is transmitted in cleartext with this authentication method. It should not be used over an insecure network.
Some PAM modules can perform client access control based on the IP address or hostname of the client. This makes it possible to use PAM without the SOCKS client providing any username or password.
Environment setup
The PAM system on the server needs to be configured. This might involve adding a configuration file for the SOCKS server to the PAM setup. The contents of the file depends on the operating system, but it will generally be identical to similar services, such as sshd.
The default PAM service name is sockd, but this can be overridden in individual rules in the server configuration file by setting pamservicename to a different value. The clientmethod example below shows how this is typically done. The default value can only be changed at compile time so it is necessary to specify this setting in each rule that should use a different servicename.
Server privileges
#server identities (not needed on solaris) user.privileged : root user.notprivileged : socks
The server will typically have to be started with root privileges to verify passwords via PAM. If this is the case, the user.privileged and user.notprivileged keywords should be set to ensure that the server will run as an unprivileged user when it does not need root privileges.
Example clientmethod usage
If used with a PAM authentication method that only requires the hostname of the client, it is possible to use PAM as a clientmethod. This will cause the PAM method to be called with the information that is available before SOCKS negotiation.
One such PAM method is pam_rhosts, which can be found on some platforms that support PAM. One limitation compared to e.g., rsh is that the the user name of the client will not be known (this applies to both the PAM USER and RUSER values). The Dante server sets these values to socksclient by default. To use the pam_rhosts module it might be necessary to add this user to the machine the Dante server is running on in order for the pam_rhosts module to be work from a clientmethod.
clientmethod: pam
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error # connect disconnect iooperation
method: pam
#this servicename should be different from servicename for socks rules
pamservicename: pam_host
}
The example above sets the pamservicename to pam_host, which is assumed to be configured in a way which makes it possible to authenticate based on the client host name only. This value should be different from the pam servicename used in the SOCKS rules (see below), where the username and password would be available and used to decide whether access should be granted or not.
With the above configuration, the pam_host PAM module would be used to determine whether connections should be accepted based on the IP address of the clients. An authentication failure would lead to the connection being closed, while an authentication success would cause SOCKS protocol negotiation to proceed over that connection.
Example method usage
#authentication methods method: pam
#incoming traffic, no authentication
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error # connect disconnect iooperation
command: udpreply bindreply
}
#bind/outgoing traffic, with authentication
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
method: pam
}
The pam method cannot be used for incoming traffic (bindreply, udpreply), unless the PAM module will authenticate based on the TCP or UDP address only.