Hello and welcome back to extremely obscure solutions to extremely obscure Linux problems! PAM is the thing in Linux that handles authentication whenever you log into your machine. Forgejo has a nice feature where you can compile it with PAM support and use PAM for authentication, so you don’t have to manually add users to your Forgejo instance if they already have a normal Linux account on your machine. However, pam_unix.so, the PAM module used for authenticating Linux users, can only check whether a password is correct for the user running the process (unless that process is root). Basically, if you run Forgejo as the forgejo user, you can only verify passwords for the forgejo user. Two simple solutions: run Forgejo as root (please please please don’t), or give Forgejo read access to the /etc/shadow file, which stores the password hashes. The second option is less bad but still worrisome, because you’re basically handing out the crown jewels to all the code in Forgejo!

The actually pleasant solution to this is SSSD, a small daemon that runs as root so it can read /etc/shadow on Forgejo’s behalf, instead of Forgejo reading that file itself. (SSSD is actually intended for a completely different use case, so this is a slight misuse of it.) First, install SSSD and create a config file at /etc/sssd/sssd.conf:

[sssd]
services = pam
domains = local

[domain/local]
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = sssd-shadowutils

SSSD throws a tantrum if the config file doesn’t have 600 permissions, so set that mode on the file and then start SSSD. Lastly, create a PAM service config in /etc/pam.d/sssd:

#%PAM-1.0

auth      required  pam_sss.so
account   required  pam_sss.so
password  required  pam_sss.so
session   required  pam_sss.so

Now set the PAM service name to sssd in the Forgejo authentication settings. And that’s it. Hooray!
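To make the setup repeatable, here is a small shell script (added here, not part of the original post or of SSSD) that writes the two config files above with the permissions SSSD insists on and checks them afterwards. The $ROOT prefix is an assumption of this example so it can be dry-run against a scratch directory; leave it empty to write to the real /etc.

```shell
#!/bin/sh
# Added example, not from the post: installs the sssd.conf and PAM service
# file described above under $ROOT (assumed prefix, default: the real /etc).
set -eu

ROOT="${ROOT:-}"

write_sssd_conf() {
    f="$ROOT/etc/sssd/sssd.conf"
    mkdir -p "$ROOT/etc/sssd"
    : > "$f"          # create it empty first...
    chmod 600 "$f"    # ...and lock it down before any content lands in it
    cat >> "$f" <<'EOF'
[sssd]
services = pam
domains = local

[domain/local]
id_provider = proxy
proxy_lib_name = files
proxy_pam_target = sssd-shadowutils
EOF
}

write_pam_service() {
    mkdir -p "$ROOT/etc/pam.d"
    cat > "$ROOT/etc/pam.d/sssd" <<'EOF'
#%PAM-1.0

auth      required  pam_sss.so
account   required  pam_sss.so
password  required  pam_sss.so
session   required  pam_sss.so
EOF
}

# Succeeds only when sssd.conf has exactly mode 0600 (owner read/write, nothing
# for group or others); SSSD refuses to start otherwise.
check_sssd_conf_mode() {
    [ "$(ls -l "$ROOT/etc/sssd/sssd.conf" | cut -c1-10)" = "-rw-------" ]
}

# Succeeds when "others" have no read bit on the given file. Run it against
# /etc/shadow to confirm the forgejo service account cannot read the hashes.
others_cannot_read() {
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}
```

Run it as root with ROOT unset for a real install, then call others_cannot_read /etc/shadow to confirm the hashes stay with root and SSSD.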

Or actually no, you might need a bit more configuration. Check out this ArchWiki page that I wrote.

Further reading