[Twisted-web] Nevow, guard and PAM

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 24 15:53:51 MDT 2005

A common requirement (I imagine) is to hook Nevow/Guard authentication 
out to system auth; even more commonly PAM, though maybe not. This is a 
relatively straightforward recipe that works for me. See:


Basically, a Cred checker for IUsernamePassword is written; it writes 
the u/p down the unix socket to Cyrus SASL's "saslauthd", and callbacks 
or errbacks a deferred as appropriate.

My RHEL3 box has:


FLAGS="-c -n 0"

...and /etc/pam.d/MYSERVICE:

auth       required     /lib/security/$ISA/pam_krb5.so no_user_check
account    required     /lib/security/$ISA/pam_permit.so
password   required     /lib/security/$ISA/pam_permit.so
session    required     /lib/security/$ISA/pam_permit.so

...Kerberos being used to hand off to AD.

There's also some code in there to handle jumping "straight in" to a 
guarded hierarchy; specifically the locateChild and data_misc / 
"form(action=T.slot('action'))" idiom. I *think* this is right, but may 
not be completely general. I'd appreciate comments.
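
The saslauthd socket exchange described in the post, as an added example that is not the author's checker: a blocking, standard-library client that frames the request, reads the counted reply and denies on any error. The socket path, the `sock` parameter and the function names are assumptions; a Cred checker would wrap the same exchange in a Deferred.

```python
import socket
import struct

SASLAUTHD_MUX = "/var/run/saslauthd/mux"  # assumed path; varies by distribution


def encode_request(username, password, service, realm=""):
    """Frame login, password, service, realm as 2-byte big-endian length + bytes."""
    out = b""
    for field in (username, password, service, realm):
        data = field.encode("utf-8")
        # Defensive: PAM receives C strings, so an embedded NUL would truncate.
        if len(data) > 0xFFFF or b"\x00" in data:
            raise ValueError("field cannot be framed safely")
        out += struct.pack("!H", len(data)) + data
    return out


def _read_exact(sock, n):
    """Read exactly n bytes or raise; a short read must never look like success."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf


def read_reply(sock):
    """Read one counted-string reply, e.g. b'OK' or b'NO ...'."""
    (length,) = struct.unpack("!H", _read_exact(sock, 2))
    return _read_exact(sock, length)


def check_password(username, password, service="MYSERVICE",
                   path=SASLAUTHD_MUX, sock=None, timeout=5.0):
    """Return True only on an explicit OK; every error path denies."""
    try:
        request = encode_request(username, password, service)
        if sock is None:  # `sock` is a hypothetical hook for tests
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(path)
        with sock:
            sock.sendall(request)
            return read_reply(sock)[:2] == b"OK"
    except (OSError, ValueError, struct.error):
        return False
```

The service string is what selects /etc/pam.d/MYSERVICE when saslauthd runs with its PAM mechanism, so it should be fixed by the application and never taken from the request.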

