Hi,

I've investigated further the PAM functionality on Kannel's smsbox by inferring things from the source code.

I've managed to make it work over OSX Leopard 10.5.5 using Apple's internal authentication system (Apple Security Server, replacing /etc/passwd and friends).

To clarify: by using PAM authentication, the sendsms users can be managed at system level and be added/removed without restarting Kannel. Furthermore, since PAM supports a myriad of authentication modules, Kannel could authenticate against any of them (for example, LDAP).

There are a few edges on Kannel's PAM implementation that I think need improving:

1. PAM functionality is activated by defining a sendsms-user group named "pam", with a dummy password. This is too cryptic imho and should be replaced by a "use-pam" or similar configuration switch that turns the PAM subsystem on or off at service startup.

2. PAM functionality disables all other "sendsms-user" groups, so if a sendsms-user group with the name "pam" exists, all other "sendsms-user" groups are disabled and only PAM can be used to authenticate. I've made a small patch that checks the regular "sendsms-user" groups if the user is not found by using PAM. This could be further improved to be able to stipulate the "order" (PAM->Conf or Conf->PAM).

3. PAM users are masqueraded under a "sendsms-user" group named "pam". So, all PAM-authenticated users share a single "sendsms-user" group with all its configuration attributes. I think this lacks a lot of flexibility and should be improved to be able to map PAM users to specific "sendsms-user" groups. I'm thinking about where to put the mappings (maybe bringing system groups into the equation would make sense, so users belonging to a particular system group would be automagically mapped to a particular "sendsms-user" group).

4. Last but not least: Documentation! ;) I can write the missing userguide pieces, I still need to check it over LDAP and Linux (since the auth scheme is different than on my Mac).

Regards,

Alejandro Guerrieri
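The lookup order and group mapping discussed in points 2 and 3, modelled as an added example that is not part of the original message and not Kannel's code. The PAM backend is a stub dictionary standing in for a real PAM stack, and every name here (`authenticate`, `order`, `GROUP_MAP`, the sample users and groups) is hypothetical.

```python
import hmac
from enum import Enum

class Result(Enum):
    OK = 1
    BAD_PASSWORD = 2
    UNKNOWN_USER = 3

# Constructed sample data; PAM_USERS stands in for a real PAM stack.
PAM_USERS = {"alice": ("s3cret", "smsops"), "bob": ("hunter2", "staff")}
CONF_USERS = {"tester": "foobar", "alice": "conf-pass"}  # sendsms-user groups from the config
GROUP_MAP = {"smsops": "bulk-senders"}  # system group -> sendsms-user group (point 3)
DEFAULT_PAM_GROUP = "pam"               # shared group used when no mapping exists

def _same(stored, supplied):
    # Constant-time comparison so timing does not leak how much of a password matched.
    return hmac.compare_digest(stored.encode(), supplied.encode())

def pam_backend(user, password):
    entry = PAM_USERS.get(user)
    if entry is None:
        return Result.UNKNOWN_USER, None
    if not _same(entry[0], password):
        return Result.BAD_PASSWORD, None
    return Result.OK, GROUP_MAP.get(entry[1], DEFAULT_PAM_GROUP)

def conf_backend(user, password):
    stored = CONF_USERS.get(user)
    if stored is None:
        return Result.UNKNOWN_USER, None
    if not _same(stored, password):
        return Result.BAD_PASSWORD, None
    return Result.OK, user

BACKENDS = {"pam": pam_backend, "conf": conf_backend}

def authenticate(user, password, order=("pam", "conf")):
    """Return the sendsms-user group to apply, or None if the login is rejected."""
    for name in order:
        result, group = BACKENDS[name](user, password)
        if result is Result.OK:
            return group
        if result is Result.BAD_PASSWORD:
            # Assumption: fall through only when the user is not found, so a
            # wrong password in the first backend is never retried in the next.
            return None
    return None
```

With this rule, a username present in both sources is decided by whichever backend comes first in `order`, which is why the order has to be an explicit setting.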
