Allow client authentication to be handled by an external script/process.
Warning: This module is not currently maintained, and may be buggy and insecure in certain configurations/environments. It is not recommended for production use. Please use one of the many other authentication modules.
mod_auth_external_insecure depends on a Lua module called lpty. You can install it on many platforms using LuaRocks, for example:
sudo luarocks install lptyAs with all auth modules, there is no need to add this to modules_enabled. Simply add in the global section, or for the relevant hosts:
authentication = "external_insecure"These options are specific to mod_auth_external_insecure:
| external_auth_protocol | May be “generic” or “ejabberd” (the latter for compatibility with ejabberd external auth scripts. Default is “generic”. |
| external_auth_command | The command/script to execute. |
Two other options are also available, depending on whether the module is running in ‘blocking’ or ‘non-blocking’ mode:
| external_auth_timeout | blocking | The number of seconds to wait for a response from the auth process. Default is 5. |
| external_auth_processes | non-blocking | The number of concurrent processes to spawn. Default is 1, increase to handle high connection rates efficiently. |
Non-blocking mode is experimental and is disabled by default.
Enable at your own risk if you fulfil these conditions:
external_auth_blocking = false;Prosody executes the given command/script, and sends it queries.
Your auth script should simply read a line from standard input, and write the result to standard output. It must do this in a loop, until there’s nothing left to read. Prosody can keep sending more lines to the script, with a command on each line.
Each command is one line, and the response is expected to be a single line containing “0” for failure or “1” for success. Your script must respond with “0” for anything it doesn’t understand.
There are three commands used at the moment:
Check if a user’s password is valid.
Example: auth:username:example.com:abc123
Note: The password can contain colons. Make sure to handle that.
Check if a user exists.
Example: isuser:username:example.com
Set a new password for the user. Implementing this is optional.
Example: setpass:username:example.com:abc123
Note: The password can contain colons. Make sure to handle that.
ejabberd implements a similar protocol. The main difference is that Prosody’s protocol is line-based, while ejabberd’s is length-prefixed.
Add this to your config if you need to use an ejabberd auth script:
external_auth_protocol = "ejabberd"| 0.8 | Works |
| 0.9 | Works |
With the plugin installer in Prosody 0.12 you can use:
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_auth_external_insecureFor earlier versions see the documentation for installing 3rd party modules