---
Accidentally missed a patch hunk in v1.
Ideally, I'd actually like to use "soju" as the default service name as do most
third-party applications supporting PAM. However, I'm keeping it as "login" to
avoid a breaking change to the configuration.
auth/auth.go | 2 +-
auth/pam.go | 15 ++++++++++-----
auth/pam_stub.go | 2 +-
doc/soju.1.scd | 5 +++--
4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 188e149..39b4f8c 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -24,7 +24,7 @@ func New(driver, source string) (Authenticator, error) {
case "oauth2":
return newOAuth2(source)
case "pam":
- return newPAM()
+ return newPAM(source)
default:
return nil, fmt.Errorf("unknown auth driver %q", driver)
}
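Review bot: at `return newPAM(source)`, the `source` string is handed on as the PAM service name with no check in this function, and the newPAM in auth/pam.go only substitutes "login" when it is empty. Because this value selects which PAM service authenticates users, consider rejecting anything that is not a plain service name (for example a value containing a path separator or whitespace) and returning the error from New, so a bad `auth pam` argument fails when the configuration is loaded. A short comment on New saying that `source` is a service name for the pam driver would also help, since the same parameter carries a different kind of value for oauth2.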
diff --git a/auth/pam.go b/auth/pam.go
index a7f3663..f92b279 100644
--- a/auth/pam.go
+++ b/auth/pam.go
@@ -11,18 +11,23 @@ import (
"git.sr.ht/~emersion/soju/database"
)
-type pamAuth struct{}
+type pamAuth struct {
+ service string
+}
var (
_ PlainAuthenticator = (*pamAuth)(nil)
)
-func newPAM() (Authenticator, error) {
- return pamAuth{}, nil
+func newPAM(service string) (Authenticator, error) {
+ if service == "" {
+ service = "login"
+ }
+ return pamAuth{service}, nil
}
-func (pamAuth) AuthPlain(ctx context.Context, db database.Database, username, password string) error {
- t, err := pam.StartFunc("login", username, func(s pam.Style, msg string) (string, error) {
+func (auth pamAuth) AuthPlain(ctx context.Context, db database.Database, username, password string) error {
+ t, err := pam.StartFunc(auth.service, username, func(s pam.Style, msg string) (string, error) {
switch s {
case pam.PromptEchoOff:
return password, nil
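Review bot: newPAM never returns a non-nil error, so a mistyped service name is only discovered when `pam.StartFunc(auth.service, ...)` runs inside AuthPlain, that is, at a user's login attempt. Consider wrapping the error from that call with the service name (the error handling is outside the visible lines, so this may already be done) so an operator can tell a missing service apart from a rejected password. On style, `pamAuth{service}` is an unkeyed composite literal; `pamAuth{service: service}` keeps compiling if a field is added later, and the "login" default would read better as a named constant with a comment explaining why it is kept.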
diff --git a/auth/pam_stub.go b/auth/pam_stub.go
index 92b12cd..e0ce96f 100644
--- a/auth/pam_stub.go
+++ b/auth/pam_stub.go
@@ -6,6 +6,6 @@ import (
"errors"
)
-func newPAM() (Authenticator, error) {
+func newPAM(service string) (Authenticator, error) {
return nil, errors.New("PAM support is disabled")
}
diff --git a/doc/soju.1.scd b/doc/soju.1.scd
index f06d5f8..a4ea35b 100644
--- a/doc/soju.1.scd
+++ b/doc/soju.1.scd
@@ -235,8 +235,9 @@ The following directives are supported:
and password in the URL. The authorization server must support OAuth 2.0
Authorization Server Metadata (RFC 8414) and OAuth 2.0 Token
Introspection (RFC 7662).
- *auth pam*
- Use PAM authentication.
+ *auth pam* [service]
+ Use PAM authentication. The service name is optional and defaults to
+ "login".
# IRC SERVICE
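Review bot: the new text under `*auth pam* [service]` says the name is optional but not what it names or what happens when it does not exist. Suggest adding that it is the PAM service whose configuration is used to authenticate soju users, that this configuration must already be present on the host, and that the "login" default means soju logins are checked against that service's policy.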
--
2.45.1
Yeah, I think always using "soju" would make more sense (with a default
PAM config file which has "auth include login", like swaylock).

I don't think this would be a breaking change, since the behavior with
a newer soju (with the PAM config file) would be the same?

One annoying detail that we'd need to handle is installing the PAM config
file conditionally if PAM is enabled at build time… Maybe it's time to
introduce a Makefile configuration mechanism or something?
> Yeah, I think always using "soju" would make more sense (with a default
> PAM config file which has "auth include login", like swaylock).
>
> I don't think this would be a breaking change, since the behavior with
> a newer soju (with the PAM config file) would be the same?

This is what I had in mind as well, except for the default PAM config
file being installed upon soju installation.

> One annoying detail that we'd need to handle is installing the PAM config
> file conditionally if PAM is enabled at build time… Maybe it's time to
> introduce a Makefile configuration mechanism or something?

I don't think we should install a PAM config file at build time at all.
PAM could simply be enabled at build time as part of a particular OS
distribution's default build '-tags=' value. The actual user may never
use PAM, and the ones who do ideally should get an error message saying
"no PAM service named 'soju' found". A user can install their own custom
soju PAM service config or simply specify an existing one using the auth
directive's service parameter.