~emersion/soju-dev

auth/pam: allow specifying PAM service name as driver param v2 PROPOSED

Siva Mahadevan: 1
 auth/pam: allow specifying PAM service name as driver param

 4 files changed, 15 insertions(+), 9 deletions(-)

[PATCH v2] auth/pam: allow specifying PAM service name as driver param

---
Accidentally missed a patch hunk in v1.

Ideally, I'd actually like to use "soju" as the default service name as do most
third-party applications supporting PAM. However, I'm keeping it as "login" to
avoid a breaking change to the configuration.

 auth/auth.go     |  2 +-
 auth/pam.go      | 15 ++++++++++-----
 auth/pam_stub.go |  2 +-
 doc/soju.1.scd   |  5 +++--
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index 188e149..39b4f8c 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -24,7 +24,7 @@ func New(driver, source string) (Authenticator, error) {
	case "oauth2":
		return newOAuth2(source)
	case "pam":
		return newPAM()
		return newPAM(source)
	default:
		return nil, fmt.Errorf("unknown auth driver %q", driver)
	}
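Review bot: In the "pam" case, source was ignored before and is now used as the PAM service name, so a configuration that already carries an extra argument after `auth pam` would switch to a different PAM service on upgrade without any error. If the config parser accepted such an argument, call this out in the commit message or release notes; the doc comment on New could also say what source means for each driver.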
diff --git a/auth/pam.go b/auth/pam.go
index a7f3663..f92b279 100644
--- a/auth/pam.go
+++ b/auth/pam.go
@@ -11,18 +11,23 @@ import (
	"git.sr.ht/~emersion/soju/database"
)

type pamAuth struct{}
type pamAuth struct {
	service string
}

var (
	_ PlainAuthenticator = (*pamAuth)(nil)
)

func newPAM() (Authenticator, error) {
	return pamAuth{}, nil
func newPAM(service string) (Authenticator, error) {
	if service == "" {
		service = "login"
	}
	return pamAuth{service}, nil
}

func (pamAuth) AuthPlain(ctx context.Context, db database.Database, username, password string) error {
	t, err := pam.StartFunc("login", username, func(s pam.Style, msg string) (string, error) {
func (auth pamAuth) AuthPlain(ctx context.Context, db database.Database, username, password string) error {
	t, err := pam.StartFunc(auth.service, username, func(s pam.Style, msg string) (string, error) {
		switch s {
		case pam.PromptEchoOff:
			return password, nil
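Review bot: newPAM stores any non-empty service string and always returns a nil error, so a mistyped or malformed name is only noticed when pam.StartFunc runs inside AuthPlain at the first login attempt. Since the constructor already returns an error, validate the name there (for example, reject values containing "/" or whitespace) so that a bad configuration fails at startup. Minor style point: prefer the keyed literal pamAuth{service: service} over pamAuth{service}.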
diff --git a/auth/pam_stub.go b/auth/pam_stub.go
index 92b12cd..e0ce96f 100644
--- a/auth/pam_stub.go
+++ b/auth/pam_stub.go
@@ -6,6 +6,6 @@ import (
	"errors"
)

func newPAM() (Authenticator, error) {
func newPAM(service string) (Authenticator, error) {
	return nil, errors.New("PAM support is disabled")
}
diff --git a/doc/soju.1.scd b/doc/soju.1.scd
index f06d5f8..a4ea35b 100644
--- a/doc/soju.1.scd
+++ b/doc/soju.1.scd
@@ -235,8 +235,9 @@ The following directives are supported:
		and password in the URL. The authorization server must support OAuth 2.0
		Authorization Server Metadata (RFC 8414) and OAuth 2.0 Token
		Introspection (RFC 7662).
	*auth pam*
		Use PAM authentication.
	*auth pam* [service]
		Use PAM authentication. The service name is optional and defaults to
		"login".

# IRC SERVICE

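Review bot: The new *auth pam* [service] entry does not say what the service name refers to or what happens when no PAM configuration exists for that name. One more sentence stating that the name selects the PAM service configuration to authenticate against, plus a short example such as `auth pam soju`, would help operators set this deliberately.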
-- 
2.45.1

Yeah, I think always using "soju" would make more sense (with a default
PAM config file which has "auth include login", like swaylock).

I don't think this would be a breaking change, since the behavior with
a newer soju (with the PAM config file) would be the same?

One annoying detail that we'd need to handle is installing the PAM config
file conditionally if PAM is enabled at build time… Maybe it's time to
introduce a Makefile configuration mechanism or something?