General index of the series: Computer Networks for SMEs: Introduction
This article is a continuation of:
- Squid + PAM Authentication on CentOS 7.
- Local user and group management
- Authoritative DNS Server NSD + Shorewall
Hello friends!
We continue adding network services based on local user authentication to the server of the small group of Free Software Enthusiasts, specifically CentOS users.
The group's working conditions have changed for the better. They now have as their headquarters a three-story house with a basement, and they need to implement an instant messaging and file transfer server between workstations, to spare themselves so much going up and down stairs or a lot of walking ;-). For this they propose to use the program Prosody.
They are determined to publish the Chat service on the Internet only for the Enthusiasts, and they plan to link their instant messaging server with other compatible XMPP servers located in the Network of Networks. For this they bought the domain name desdelinux.fan, and until now the IP address associated with that name is managed by their Internet access provider.
The Chat through Prosody service will allow them to exchange instant messages, transfer files, make voice and video conferences, and more.
What is Prosody Instant Messenger?
Prosody is a modern communication server based on the XMPP protocol. It is designed for easy installation and configuration, and for efficient use of system resources. Prosody is an Open Source program released under the permissive MIT/X11 license.
XMPP is a non-commercial alternative for providing instant messaging services. It can be implemented in a production business environment, in a family network, in a private network of neighbors, and so on. It supports a wide range of client software for desktop and mobile platforms, so through XMPP this service can be provided to any device.
Additionally, several Prosody installations and other XMPP-compatible services can be linked together to form a messaging network in which we keep total control over the message and file traffic, which travels in a totally secure way.
Prosody and authentication against local users
In the Prosody IM Site Map we find the link to the page Authentication Providers, which states that as of version 0.8 of Prosody, various authentication providers are supported through plugins. You can use the built-in providers, or you can integrate with third-party authentication and storage providers through their APIs.
Authentication providers we may employ
Name             Description
---------------  --------------------------------------------------------------------------
internal_plain   Default authentication. Plain text passwords are stored using built-in storage.
internal_hashed  Passwords hashed by an internal algorithm are stored using built-in storage.
cyrus            Integration with Cyrus SASL (LDAP, PAM, ...)
anonymous        Authentication using SASL 'ANONYMOUS' with a random username; requires no credentials.
XMPP uses the standard Simple Authentication and Security Layer (SASL) protocol to validate the credentials of clients. Prosody incorporates its own SASL library, which by default validates credentials against the accounts that exist in its built-in storage.
Since version 0.7 of Prosody, the external provider Cyrus SASL is supported, which can validate the credentials supplied by users against other sources such as PAM, LDAP, SQL and others. It also allows the use of GSSAPI for Single Sign-On services.
In this article on Prosody, to achieve authentication against local users via PAM, we will use the authentication provider «cyrus», provided by the package «cyrus-sasl», which works together with the saslauthd daemon.
cyrus-sasl and saslauthd
[root@linuxbox ~]# yum install cyrus-sasl
The saslauthd daemon is already installed.
[root@linuxbox ~]# getsebool -a | grep saslauthd
saslauthd_read_shadow --> off
[root@linuxbox ~]# setsebool saslauthd_read_shadow on
[root@linuxbox ~]# getsebool -a | grep saslauthd
saslauthd_read_shadow --> on
[root@linuxbox ~]# systemctl status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@linuxbox ~]# systemctl enable saslauthd
Created symlink from /etc/systemd/system/multi-user.target.wants/saslauthd.service to /usr/lib/systemd/system/saslauthd.service.
[root@linuxbox ~]# systemctl start saslauthd
[root@linuxbox ~]# systemctl status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-04-29 10:31:20 EDT; 2s ago
  Process: 1678 ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS (code=exited, status=0/SUCCESS)
 Main PID: 1679 (saslauthd)
   CGroup: /system.slice/saslauthd.service
           ├─1679 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─1680 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─1681 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─1682 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           └─1683 /usr/sbin/saslauthd -m /run/saslauthd -a pam
Prosody and lua-cyrussasl
[root@linuxbox ~]# yum install prosody
----
Dependencies resolved
==============================================================================
 Package          Architecture   Version               Repository    Size
==============================================================================
Installing:
 prosody          x86_64         0.9.12-1.el7          Epel-Repo     249 k
Installing for dependencies:
 lua-expat        x86_64         1.3.0-4.el7           Epel-Repo      32 k
 lua-filesystem   x86_64         1.6.2-2.el7           Epel-Repo      28 k
 lua-sec          x86_64         0.5-4.el7             Epel-Repo      31 k
 lua-socket       x86_64         3.0-0.10.rc1.el7      Epel-Repo     176 k

Transaction Summary
==============================================================================
Install  1 Package (+4 Dependent packages)
----
[root@linuxbox ~]# getsebool -a | grep prosody
prosody_bind_http_port --> off
[root@linuxbox ~]# setsebool prosody_bind_http_port on
[root@linuxbox ~]# getsebool -a | grep prosody
prosody_bind_http_port --> on
[root@linuxbox ~]# systemctl enable prosody
Created symlink from /etc/systemd/system/multi-user.target.wants/prosody.service to /usr/lib/systemd/system/prosody.service.
[root@linuxbox ~]# systemctl status prosody
● prosody.service - Prosody XMPP (Jabber) server
   Loaded: loaded (/usr/lib/systemd/system/prosody.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
[root@linuxbox ~]# systemctl start prosody
[root@linuxbox ~]# systemctl status prosody
● prosody.service - Prosody XMPP (Jabber) server
   Loaded: loaded (/usr/lib/systemd/system/prosody.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-04-29 10:35:07 EDT; 2s ago
  Process: 1753 ExecStart=/usr/bin/prosodyctl start (code=exited, status=0/SUCCESS)
 Main PID: 1756 (lua)
   CGroup: /system.slice/prosody.service
           └─1756 lua /usr/lib64/prosody/../../bin/prosody
[root@linuxbox ~]# tail /var/log/prosody/prosody.log
Apr 29 10:35:06 general info Hello and welcome to Prosody version 0.9.12
Apr 29 10:35:06 general info Prosody is using the select backend for connection handling
Apr 29 10:35:06 portmanager info Activated service 's2s' on [::]:5269, [*]:5269
Apr 29 10:35:06 portmanager info Activated service 'c2s' on [::]:5222, [*]:5222
Apr 29 10:35:06 portmanager info Activated service 'legacy_ssl' on no ports
Apr 29 10:35:06 mod_posix info Prosody is about to detach from the console, disabling further console output
Apr 29 10:35:06 mod_posix info Successfully daemonized to PID 1756
[root@linuxbox ~]# yum install lua-cyrussasl
We create the virtual host «chat.desdelinux.fan» from the «example.com» one that Prosody installs:
[root@linuxbox ~]# cp /etc/prosody/conf.d/example.com.cfg.lua \
/etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
[root@linuxbox ~]# nano /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua

-- Section for VirtualHost chat
VirtualHost "chat.desdelinux.fan"

    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate,
    -- and will always use the global one.
    ssl = {
        key = "/etc/pki/prosody/chat.key";
        certificate = "/etc/pki/prosody/chat.crt";
    }

    -- Authenticate the users of this host against the local system accounts
    -- through Cyrus SASL (saslauthd -> PAM). These options must sit under the
    -- VirtualHost line: anything written after a Component line applies to
    -- that component instead of to the host.
    authentication = "cyrus"
    cyrus_service_name = "xmpp"
    cyrus_require_provisioning = false
    cyrus_application_name = "prosody"
    cyrus_server_fqdn = "chat.desdelinux.fan"

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.chat.desdelinux.fan:
Component "conference.chat.desdelinux.fan" "muc"
    name = "Enthusiasts" -- THIS IS THE NAME OF THE CONFERENCE SERVICE SHOWN WHEN YOU JOIN A ROOM
    restrict_room_creation = true

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.chat" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.chat"
--    component_secret = "password"
We adjust the group that owns the file /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua, so that the prosody user can read it but nobody else can:
[root@linuxbox ~]# ls -l /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
-rw-r-----. 1 root root 1361 Apr 29 10:45 /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
[root@linuxbox ~]# chown root:prosody /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
[root@linuxbox ~]# ls -l /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
-rw-r-----. 1 root prosody 1361 Apr 29 10:45 /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
We check the syntax of the configuration (luac -p prints nothing when the file is correct):
[root@linuxbox ~]# luac -p /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua
[root@linuxbox ~]#
SSL certificates for secure connections
To connect to the Prosody server, both from the local network and from the Internet, and ensure that the credentials travel encrypted, we must generate the SSL (Secure Sockets Layer) certificates declared in the virtual host configuration file /etc/prosody/conf.d/chat.desdelinux.fan.cfg.lua:
[root@linuxbox ~]# cd /etc/prosody/certs/
[root@linuxbox certs]# openssl req -new -x509 -days 365 -nodes \
-out "chat.crt" -newkey rsa:2048 -keyout "chat.key"
Generating a 2048 bit RSA private key
.....+++
..........+++
writing new private key to 'chat.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CU
State or Province Name (full name) []:Cuba
Locality Name (eg, city) [Default City]:Havana
Organization Name (eg, company) [Default Company Ltd]:DesdeLinux.Fan
Organizational Unit Name (eg, section) []:Enthusiasts
Common Name (eg, your name or your server's hostname) []:chat.desdelinux.fan
Email Address []:buzz@desdelinux.fan
We modify the global configuration options
We will only edit the following options in the file /etc/prosody/prosody.cfg.lua:
[root@linuxbox certs]# cp /etc/prosody/prosody.cfg.lua \
/etc/prosody/prosody.cfg.lua.original
[root@linuxbox ~]# nano /etc/prosody/prosody.cfg.lua

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!

---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "buzz@chat.desdelinux.fan", "trancos@chat.desdelinux.fan" }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery

    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards

    -- These are commented by default as they have a performance impact
        --"privacy"; -- Support privacy lists
        --"compression"; -- Stream compression (Note: Requires installed lua-zlib RPM package)

    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
        "register"; -- Allow users to register on this server using a client and change passwords

    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
        "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
        --"groups"; -- Shared roster support
        --"announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

bosh_ports = { { port = 5280; path = "http-bind"; interface = "127.0.0.1"; } }
bosh_max_inactivity = 60
-- Use if proxying HTTPS->HTTP on the server side
consider_bosh_secure = true
-- Allow access from scripts on any site with no proxy (requires a modern browser)
cross_domain_bosh = true

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
    -- "offline"; -- Store offline messages
    -- "c2s"; -- Handle client connections
    -- "s2s"; -- Handle server-to-server connections
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
ssl = {
    key = "/etc/pki/prosody/localhost.key";
    certificate = "/etc/pki/prosody/localhost.crt";
}

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = false

-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.
--s2s_insecure_domains = { "gmail.com" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "jabber.org" }

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
-- authentication = "internal_plain"
authentication = "cyrus"
cyrus_service_name = "xmpp"
cyrus_require_provisioning = false

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Note: "sql" requires installed
-- lua-dbi RPM package)

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
log = {
    -- Log everything of level "info" and higher (that is, all except "debug" messages)
    -- to /var/log/prosody/prosody.log and errors also to /var/log/prosody/prosody.err
    debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err"; -- Log errors also to file
    -- error = "*syslog"; -- Log errors also to syslog
    -- log = "*console"; -- Log to the console, useful for debugging with daemonize=false
}

-- POSIX configuration, see also http://prosody.im/doc/modules/mod_posix
pidfile = "/run/prosody/prosody.pid";
--daemonize = false -- Default is "true"

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

Include "conf.d/*.cfg.lua"
Modifications in the configuration of Dnsmasq in linuxbox
File /etc/dnsmasq.conf
We just add the line cname=chat.desdelinux.fan,linuxbox.desdelinux.fan:
[root@linuxbox ~]# nano /etc/dnsmasq.conf
----
# -------------------------------------------------------------------
# CNAME, MX AND TXT RECORDS
# -------------------------------------------------------------------
# This type of record requires an entry
# in the /etc/hosts file
# ex: 192.168.10.5 linuxbox.desdelinux.fan linuxbox
# cname=ALIAS,REAL_NAME
cname=mail.desdelinux.fan,linuxbox.desdelinux.fan
cname=chat.desdelinux.fan,linuxbox.desdelinux.fan
----
[root@linuxbox ~]# service dnsmasq restart
[root@linuxbox ~]# service dnsmasq status
[root@linuxbox ~]# host chat
chat.desdelinux.fan is an alias for linuxbox.desdelinux.fan.
linuxbox.desdelinux.fan has address 192.168.10.5
linuxbox.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.
File /etc/resolv.conf
[root@linuxbox ~]# nano /etc/resolv.conf
search desdelinux.fan
nameserver 127.0.0.1
# For external or
# non-domain DNS queries desdelinux.fan
# local=/desdelinux.fan/
nameserver 172.16.10.30
Modifications in the external DNS at the ISP
We dedicated the entire article «Authoritative DNS Server NSD + Shorewall - SME Networks» to how to declare the SRV records related to XMPP, so that the Instant Messaging service can be reached from the Internet, and also so that the Prosody server can federate with the rest of the compatible XMPP servers existing on the Web.
We restart Prosody
[root@linuxbox ~]# service prosody restart
Redirecting to /bin/systemctl restart prosody.service
[root@linuxbox ~]# service prosody status
Redirecting to /bin/systemctl status prosody.service
● prosody.service - Prosody XMPP (Jabber) server
   Loaded: loaded (/usr/lib/systemd/system/prosody.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-05-07 12:07:54 EDT; 8s ago
  Process: 1388 ExecStop=/usr/bin/prosodyctl stop (code=exited, status=0/SUCCESS)
  Process: 1390 ExecStart=/usr/bin/prosodyctl start (code=exited, status=0/SUCCESS)
 Main PID: 1393 (lua)
   CGroup: /system.slice/prosody.service
           └─1393 lua /usr/lib64/prosody/../../bin/prosody
[root@linuxbox ~]# tail -f /var/log/prosody/prosody.log
- It is very healthy to open a second console with the previous command running, and watch the Prosody debug output while the service restarts.
We configure Cyrus SASL
[root@linuxbox ~]# nano /etc/sasl2/prosody.conf
pwcheck_method: saslauthd
mech_list: PLAIN
[root@linuxbox ~]# service saslauthd restart
Redirecting to /bin/systemctl restart saslauthd.service
[root@linuxbox ~]# service saslauthd status
-- If...
[root@linuxbox ~]# service prosody restart
PAM configuration
[root@linuxbox ~]# nano /etc/pam.d/xmpp
auth    include password-auth
account include password-auth
PAM authentication checks
- To check, we have to execute the following command EXACTLY as indicated below, since the point is to execute it as the "prosody" user (the one that will talk to saslauthd) and not as "root":
[root@linuxbox ~]# sudo -u prosody testsaslauthd -s xmpp -u trancos -p trancos
0: OK "Success."
[root@linuxbox ~]# sudo -u prosody testsaslauthd -s xmpp -u legolas -p legolas
0: OK "Success."
[root@linuxbox ~]# sudo -u prosody testsaslauthd -s xmpp -u legolas -p Lengolas
0: NO "authentication failed"
The authentication process against local users works correctly.
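Two settings decide whether the PLAIN credentials that saslauthd accepts can ever cross the network unencrypted: c2s_require_encryption = true in prosody.cfg.lua and mech_list: PLAIN in /etc/sasl2/prosody.conf. The script below is an added example, not part of the original article: it parses the <stream:features> a c2s port advertises before STARTTLS and flags the weak setting; the two feature samples are constructed, and fetch_stream_features (an assumed helper name) is only needed to run the same check against a live server.

```python
"""Check whether an XMPP c2s endpoint lets PLAIN credentials travel before TLS."""
import socket
import sys
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what Prosody advertises with c2s_require_encryption = true
# (STARTTLS mandatory, no SASL mechanisms offered on the cleartext stream).
FEATURES_TLS_REQUIRED = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>"
)

# Constructed sample: the weak setting (c2s_require_encryption = false):
# STARTTLS is optional and PLAIN is already offered before encryption.
FEATURES_TLS_OPTIONAL = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def analyse_features(features_xml):
    """Describe what a pre-TLS <stream:features> element offers to clients."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = [m.text.strip() for m in
             root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism") if m.text]
    required = starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": required,
        "mechanisms_before_tls": mechs,
        # PLAIN (the only mechanism in /etc/sasl2/prosody.conf) carries the password
        # verbatim, so offering it while TLS is still optional is the risk to catch.
        "cleartext_risk": "PLAIN" in mechs and not required,
    }


def verdict(features_xml):
    """One-line judgement suitable for a monitoring check."""
    r = analyse_features(features_xml)
    if r["cleartext_risk"]:
        return "FAIL: PLAIN offered while TLS is optional; set c2s_require_encryption = true"
    if not r["starttls_offered"]:
        return "FAIL: server offers no STARTTLS at all"
    if not r["starttls_required"]:
        return "WARN: STARTTLS offered but not required"
    return "OK: encryption is required before any authentication mechanism is offered"


def fetch_stream_features(host, domain=None, port=5222, timeout=5):
    """Assumed helper: open a c2s stream and return the first <stream:features> as XML text."""
    domain = domain or host
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='jabber:client' "
              f"xmlns:stream='{NS_STREAM}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    text = buf.decode(errors="replace")
    start, end_tag = text.find("<stream:features"), "</stream:features>"
    end = text.find(end_tag)
    if start < 0 or end < 0:
        raise ValueError("no <stream:features> received")
    fragment = text[start:end + len(end_tag)]
    # The stream: prefix is declared on the outer <stream:stream>, not on the
    # fragment, so re-declare it before handing the fragment to the XML parser.
    if "xmlns:stream" not in fragment[:fragment.find(">")]:
        fragment = fragment.replace("<stream:features",
                                    f"<stream:features xmlns:stream='{NS_STREAM}'", 1)
    return fragment


if __name__ == "__main__":
    # Usage: python3 xmpp_tls_check.py chat.desdelinux.fan [server-ip]
    target_domain = sys.argv[1]
    target_host = sys.argv[2] if len(sys.argv) > 2 else target_domain
    print(verdict(fetch_stream_features(target_host, domain=target_domain)))
```

Run it from a workstation on the LAN and again from outside once FirewallD opens tcp/5222; both should print the OK line, since PLAIN must only ever appear on the features sent after STARTTLS completes.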
We modify the FirewallD
Using the graphical FirewallD utility, for the «public» zone we enable the services:
- xmpp-bosh
- xmpp-client
- xmpp-server
- xmpp-local
Likewise, for the «external» zone we enable the services:
- xmpp-client
- xmpp-server
And we open the tcp ports 5222 and 5269.
Finally, we make the Runtime changes Permanent and reload FirewallD.
XMPP Psi Client
To connect to the newly installed Prosody Instant Messaging server, we can choose between the various clients that exist:
- Empathy
- Cheer up
- Kadu
- Psi
- Psi+
- Pidgin
- Telepathy
The list goes on. We chose Psi+. To install it we use our preferred command for that, or we do it through the graphical tools available for that task. Once installed we run it, and at the end of the article we provide a series of images that we hope will be useful to you.
Summary
- We can install an Instant Messaging service based on Prosody for the local users of the system, and dispense with creating internal Prosody users or any other kind of authentication credential storage.
- The authentication credentials travel encrypted from the client to the server, and the server's responses to the client as well.
- We can install more than one service based on local authentication through PAM on a single server.
- Until now, the server linuxbox.desdelinux.fan provides the following services to the SME Network:
  - Domain Name Resolution, or DNS.
  - Dynamic allocation of IP addresses, or DHCP.
  - Network Time Service, or NTP.
  - Backups through SSH from UNIX/Linux clients, or through WinSCP for Microsoft Windows clients.
  - Instant Messaging Service (Chat). Also available from the Internet.
  - File sharing service through the Chat itself. Also available from the Internet.
  - Teleconferencing service, which you can configure in Prosody.
And all the previous services are managed with a couple of graphical tools, one for configuring the Firewall (FirewallD) and one for User and Group Management of the system, which are truly easy to use if we have the basic knowledge of what we want to do.
Important
Be sure to visit the following URL for complete information about Prosody: http://prosody.im.
Until the next installment!
How interesting all your contributions, thank you very much for all of them.
Congratulations Federico for another great article.
Here the author gives us the know-how for implementing the Chat service through Prosody, which uses the XMPP protocol in a network to exchange instant messages, transfer files, and make voice and video conferences, authenticating against local users over secure connections.
In addition, as usual throughout the SME series, the author facilitates the integration of the service being configured with the rest of the services and/or parameters already in operation in a network:
1- The modifications that we must make to the DNS service to include the Chat service and everything works correctly.
2- The configuration (and checks) of the PAM to locally authenticate the Chat service.
3- What we must do in the Firewall for the local network and the "Network of Networks" to allow the Chat service, and this with an adequate level of security.
4- And finally the verification of the Chat from an XMPP client.
Nothing left but to save the post in a TIPS directory for when this service has to be implemented.
I hope they are useful to you in some way. Thanks for commenting.
Friend IWO, you got the true gist of the article. Just add that we are implementing services for a UNIX / Linux network, even if all its clients are Microsoft Windows. Many readers may not have noticed that little detail yet. 😉
Very good contribution, friend Fico. You know that I have followed all your articles, and in these last 4 I have learned many things that I did not know because of having the veil of Active Directory and the Domain Controller right in front of my face. I was practically born with NT 4 and its PDCs and BDCs. I was unaware that I could simplify authentication over a network to a single machine running CentOS or another Linux. Now I am learning a new philosophy that I see is as old as the origin of the history of networks. Although you tell me little about what you are going to publish 😉 I think you will continue with LDAP and then Active Directory based on Samba 4? Thank you for your dedication to the cause of free software. I will wait for your next articles, Fico.
Tiger, great article !!!!!
Colleague, there is a small detail in the DNS part: you point the entire domain desdelinux.fan to IP 172.16.10.10, and you implemented that server (the DNS one) in Debian. Now, this chat server is in CentOS, so logically it has a different IP address, which means you would need to redirect all traffic in the firewall to the IP where the instant messaging service is located, since at this time it points to the DNS server itself and that one does not have the messaging service.
Otherwise all splendid, a big hug.
Thanks Eduardo for commenting. You read the paragraph well:
"Likewise, for the «external» zone we enable the services:
- xmpp-client
- xmpp-server
And we open the tcp ports 5222 and 5269."
I allow the output of the XMPP protocol through the ens34 interface. Remember the post below, even from the Squid article. 😉
Zodiac friend: you make me reveal my surprises in advance. No, LDAP is not coming now. There is the core of a mail server based on Postfix, Dovecot, Squirrelmail, and with PAM authentication, which would be the last of this mini series. Nothing more ;-). Then, if the rest comes, until we get to Samba 4 AD-DC. Bye!
Yes my friend, if I read it, but I do not see anywhere the PREROUTING towards the other server, take a look.
Eduardo: Do the installation. Connect a Laptop with a subnet IP 172.16.10.0/24. Install a Chat client on it and connect to Prosody. So I did it and it worked like that. 😉
The FirewallD is the one for CentOS that will PREROUTING in its own way.