PAM Authentication for Kannel

Though kannel already has some pam functionality included, it’s far from optimal imho.

As it is now, to use pam authentication you have to:

1. Configure with –enable-pam and compile.
2. Create an smsbox-user called “pam” with a dummy password.
3. Create a pam configuration file called “kannel” on /etc/pam.d/, with your pam settings.
4. Kannel will then use only pam for authentication, so you could use LDAP, Radius or whatever supported authentication modules you have configured on the box.

However:

* Other smsbox-user‘s are disabled, only the “pam” user is allowed to authenticate.
* All users would get logged as “pam”, so you cannot make settings per users of any kind.
* Only one pam group is allowed.

After applying the patch, pam authentication gets managed with a special group sendsms-pam-user, which shares most of sendsms-user parameters, except for username and password, and adds the acl parameter instead.

group = sendsms-pam-user
acl = kannel
<other sendsms-user parameters>

* You can define as many groups as needed, pointing to different pam configuration files.
* The acl parameter points to the pam module on /etc/pam.d/ (“kannel” in this case, but could be anything you want).
* Pam authentication is only attempted after trying the regular sendsms-user way, so you can have local users and pam users at the same time (local taking precedence).
* Each sendsms-pam-user group will be logged separately, and you’ll also get info about the pam user making the call.

To use the patch:

1. Download the patch here and apply it.
2. Run ./bootstrap.sh
3. Run ./configure –enable-pam
4. make and make install as usual.

As usual, please try it and let me know what you think.

-Alex

Comments (1)

MirandaNovember 1st, 2010 at 9:10 am

Hello, Alejandro.

Do you have kannel-pam-patch for 1.5.0 version of kannel?

Leave a comment

Your comment