PAM авторизация с libpam-pwdfile

dante/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.6
+FROM alpine:latest
 
 LABEL maintainer="<schors@gmail.com>"
 
@@ -8,15 +8,24 @@ ENV DANTE_SHA baa25750633a7f9f37467ee43afdf7a95c80274394eddd7dcd4e1542aa75caad
 ENV DANTE_FILE dante.tar.gz
 ENV DANTE_TEMP dante
 ENV DANTE_DEPS linux-pam-dev curl gcc g++ make
+ENV PWDFILE_URL https://github.com/tiwe-de/libpam-pwdfile/archive/v1.0.tar.gz
+ENV PWDFILE_TEMP pam_pwdfile
 ENV WORKERS "10"
 ENV PORT "1080"
 
 RUN set -x \
   # Runtime dependencies
   && apk --no-cache add \
-    bash apg \
+    bash apg linux-pam openssl \
   # Build dependencies
   && apk add --no-cache -t .build-deps $DANTE_DEPS \
+  # Make pam_pwdfile.so
+  && mkdir $PWDFILE_TEMP \
+  && cd $PWDFILE_TEMP \
+  && curl -sSL $PWDFILE_URL | tar xz --strip 1 \
+  && make -j$(getconf _NPROCESSORS_ONLN) install \
+  && cd .. \
+  # Make Dante
   && mkdir -p $DANTE_TEMP \
   && cd $DANTE_TEMP \
   && curl -sSL $DANTE_URL -o $DANTE_FILE \
@@ -29,15 +38,15 @@ RUN set -x \
     --disable-client \
     --disable-pidfile \
     --without-libwrap \
-    --without-pam \
     --without-bsdauth \
     --without-gssapi \
     --without-krb5 \
     --without-upnp \
-  && make && make install \
+  && make -j$(getconf _NPROCESSORS_ONLN) && make install \
+  && adduser sockd -s /bin/false -DH \
   # Clean up
   && cd .. \
-  && rm -rf $DANTE_TEMP \
+  && rm -rf $PWDFILE_TEMP $DANTE_TEMP \
   && apk del --purge .build-deps \
   && rm -rf /var/cache/apk/* /tmp/*
 

dante/files/conf/dante.conf

@@ -8,12 +8,13 @@ external: eth0
 
 #server identities (not needed on solaris)
 user.privileged: root
-user.notprivileged: nobody
+user.notprivileged: sockd
 
+socksmethod: pam.username
 
 #authentication methods
 clientmethod: none
-socksmethod: username
+
 
 
 # allow any client connection
@@ -51,57 +52,57 @@ socks block {
 socks pass {
     from: 0.0.0.0/0 to: 91.108.4.0/22
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 91.108.8.0/22
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 91.108.12.0/22
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 91.108.16.0/22
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 91.108.56.0/22
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 149.154.160.0/20
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 149.154.164.0/20
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 149.154.168.0/20
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0.0.0.0/0 to: 149.154.170.0/20
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0/0 to: .telegram.org
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 socks pass {
     from: 0/0 to: .t.me
     log: connect disconnect error
-    socksmethod: username
+    socksmethod: pam.username
 }
 
 # deny the rest