Quoting Jonas Smedegaard (2025-11-06 19:45:10)
> Control: tags -1 +wontfix
>
> Quoting Jonas Smedegaard (2025-11-06 19:09:39)
> > Control: affects 562702 radicale
> >
> > Quoting Robert Ismo (2025-11-01 23:32:18)
> > > was seeking to run radicale with PAM authentication. I installed the
> > > python3-pam package, and the service was able to recognize it, however
> > > the interface it was expecting was all wrong.
> > [...]
> > > I updated radicale/auth/pam.py to reflect the interface that is in
> > > python3-pam version 0.4.2-19.
> > [...]
> > > The service now supports PAM authentication, I am able to login/logout
> > > and it stops me when I put in bad credentials.
> >
> > Looks like this bugreport is tied to bug#562702. Tagging accordingly.
> >
> > Thanks for the patch - I will apply that now.
>
> Looking closer, I have decided to not apply your patch after all:
>
> Debian package python3-pam seems badly maintained upstream, but more
> importantly calling PAM requires granting the web server access to
> shadow group, which is a security risk.
>
> You are of course free to take that risk, but I won't maintain a patch
> for doing that.
>
> What I recommend is to use the more convoluted approach of running a
> dedicated authentication proxy as documented in the Debian package.
>
> Since you have invested the time in making the patch, you might prefer
> the more lightweight approach over my recommended safer one. If so,
> then I encourage you to propose upstream to include not one but two
> PAM plugins, with the second one having your patches applied. If
> upstream chooses to adopt your patch, then I will not get in the way of
> distributing it as well - I just won't invest time in maintaining it
> specifically for Debian when I find it unsafe and not strictly needed.
>
> Kind regards, and sorry for not accepting your work,
>
> I will keep this bugreport open, for others running into the same issue
> who might prefer your lightweight fix over my convoluted and safer one.

Your patch is now included with the radicale source package, but
commented out. That way it should be slightly easier for someone
preferring lightweight over secure to rebuild the package.

Thanks again,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

