[systemd-devel] How to authenticate login using org.freedesktop.login1

Mantas Mikulėnas grawity at gmail.com
Wed May 24 07:21:16 UTC 2023


On Wed, May 24, 2023 at 9:42 AM Lal, Arun <arun.lal at intel.com> wrote:

> Hi All,
>
> I was trying to authenticate a user from a daemon running in my machine.
> And I found systemd-login can be used.
>
> I went through documentation for interface org.freedesktop.login1, but I
> am not clear on how it can be used.
>
> Let's assume that there is a daemon called xyz running in my device which
> has a webserver component. And it receives a request to login from https
> side.
>
> And once the daemon has username and password, I would like to invoke some
> dbus calls to org.freedesktop.login1 to perform the authentication.
>

systemd-logind does not have that functionality. It's a session manager,
not an authentication service. (And the sessions it manages are meant for
mostly interactive connections; not for webapp sessions.)

Usually system authentication is done by loading libpam in-process (must be
done from a privileged process running as root). If that is not possible
(e.g. if you're using an unprivileged webapp), the *saslauthd* daemon from
Cyrus-SASL would be one option – it is designed to be used by various
network services to validate passwords over a Unix socket interface and has
a PAM backend (`saslauthd -a pam`).

I don't know of other such daemons (surprisingly, SSSD doesn't expose an
authenticate call through its D-Bus interface either, keeping it internal
to PAM only), but that's the general approach if you plan on writing your
own.

-- 
Mantas Mikulėnas
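
Added example (not part of the original message, and not code from Cyrus SASL): a minimal Python client for the saslauthd Unix-socket interface mentioned in the reply, as an unprivileged daemon might use it to validate a password. The request is four length-prefixed fields (login, password, service, realm) and the reply is a length-prefixed string starting with `OK` or `NO`; the socket path, the 255-byte field cap and the service name `xyz` (borrowed from the question's daemon name) are assumptions.

```python
import socket
import struct

# Assumed default; the real path is set at build time or with `saslauthd -m`.
SASLAUTHD_MUX = "/var/run/saslauthd/mux"
MAX_FIELD = 255  # assumed conservative cap per field, enforced before sending


def encode_request(user, password, service, realm=""):
    """Encode login, password, service, realm as length-prefixed strings."""
    if not user or not password:
        raise ValueError("empty user or password")
    out = b""
    for field in (user, password, service, realm):
        raw = field.encode("utf-8")
        if b"\x00" in raw or len(raw) > MAX_FIELD:
            raise ValueError("field contains NUL or is too long")
        out += struct.pack("!H", len(raw)) + raw  # 16-bit big-endian length
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf


def check_password(sock, user, password, service="xyz", realm=""):
    """Send one request on a connected socket; True only on an 'OK' reply."""
    sock.sendall(encode_request(user, password, service, realm))
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)[:2] == b"OK"


def authenticate(user, password, service="xyz", path=SASLAUTHD_MUX):
    """Fail closed: any socket, timeout or encoding error means 'denied'."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(5.0)
            sock.connect(path)
            return check_password(sock, user, password, service)
    except (OSError, ValueError):
        return False
```

The calling process needs permission to open the mux socket, so access to it should be restricted to the service account by directory or group permissions.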