
pam-mysql's Introduction

pam_mysql - A PAM authentication module against a MySQL database.

Formerly maintained by Moriyoshi Koizumi at
https://sourceforge.net/projects/pam-mysql/

Now taken care of by Nigel Cunningham at
https://github.com/NigelCunningham/pam-MySQL

pam-MySQL 1.0.0-beta3
=====================

This is the source code for pam-MySQL, released under the GPL v2 or later.

The 1.0 release is a huge refactor of the code, switching the build system to
Meson and splitting the monolithic pam-mysql.c into a number of files so that I
can begin to make it unit testable, and starting to implement those tests.

Support in the Joomla space for SHA256 and bcrypt algorithms has been added in
beta3. I'm not a Joomla user so would appreciate actual users confirming it all
works as intended.

SDG!

Installation
============

pam-MySQL requires the following minimum versions:
- Meson 0.56

1. Install the build dependencies (see the OS specific instructions below), then follow this general sequence.
2. Install the meson build system, if you don't already have it. http://mesonbuild.com/.
3. From the source tree, run meson setup ../pam-MySQL-build. The directory will be created by meson.
4. Switch to the build directory and run ninja to perform the actual build.
5. You can also run the unit tests: meson test
6. Install by running ninja install.

All in one line, using a subdirectory:

mkdir build && meson setup build && (cd build; ninja && meson test && ninja install)

The 1.0 release of pam-MySQL has been tested with:

- ArchLinux
- Linux Mint 20.1
- Centos 8
- Rocky Linux 9


OS Specific Instructions
------------------------

* Ubuntu:

  (Modified from #28):
    apt install -y build-essential libpam-dev libssl-dev mysql-server meson libmariadbclient-dev libmariadb-dev-compat gcc-10

* CentOS 8:

   yum install gcc git python3 mariadb-devel pam-devel mysql.x86_64
   pip3 install meson ninja


The following is the original (and still valid) readme.

=====================================================================

Introduction
------------
This is a successor of the "old" pam_mysql module, which comes with
a more stable, secure and robust implementation.

Prerequisites
-------------
To try this module, you need the following:
 - A *NIX (or similar) system, in which the PAM facility is set up and working
   either system-wide or in a chroot jail.
 - A MySQL server, up and running.

Installation instruction
------------------------
See INSTALL.pam-mysql file for detail.

An example of the configuration file (syntax only; do not use the MySQL root
account in production, and see the note below):
---------------------------------------------------------------
auth       optional     pam_mysql.so user=root passwd=password
account    required     pam_mysql.so user=root passwd=password
---------------------------------------------------------------

Files under /etc/pam.d are normally world-readable, so a passwd given inline
on the module line is visible to every local user. Use a dedicated MySQL
account that has only the privileges pam_mysql needs on the user table, and
keep the credentials in a root-only file referenced with the config_file
option described below.

Available options
-----------------
The module options are listed below with default in ()s:

verbose (0)

    If set to 1, produces logs with detailed messages that describe what
    PAM-MySQL is doing. May be useful for debugging. Note that this includes
    the values of all module options (passwd among them) and the SQL
    statements issued; see BUGS below before enabling it on a production host.

debug

    An alias for the verbose option. This is added in 0.7pre2.

user

    The user name used to open the specified MySQL database.

passwd

    The password used to open the specified MySQL database.

host

    The host name or the absolute path to the unix socket where the
    MySQL server is listening.  The following formats are accepted:

    1. absolute path to the unix socket (e.g. "/tmp/mysql.sock")
    2. host name (e.g. "somewhere.example.com")
    3. host name + port number (e.g. "somewhere.example.com:3306")

db

    The name of the database that contains a user-password table.

table

    The name of table that maps unique login names to the passwords.
    This can be a combination of tables with full JOIN syntax if you
    need more control.  For example:

        [table=Host LEFT JOIN HostUser ON HostUser.host_id=Host.id \
                    LEFT JOIN User ON HostUser.user_id=User.id]

update_table

    The name of the table used for password alteration.
    If not defined, the value of the "table" option will be used instead.
    This is handy if you have a complex JOIN instead of a simple table in
    the "table" option above.

usercolumn

    The name of the column that contains the unix login name.
    Should be in a fully qualified form.

passwdcolumn

    The name of the column that contains the password hash (or, with
    crypt=plain, the cleartext password). Should be in a fully qualified form.

statcolumn

    The name of the column or an SQL expression that yields the status of
    the user. The status is an integer formed by OR-ing the two flags below:

    bit 0 (0x01): if set, pam_mysql deems the account to be expired and
                  returns PAM_ACCT_EXPIRED. That is, the account is supposed
                  to no longer be available. Note that this does not by
                  itself make pam_mysql reject further authentication
                  operations; it is the account management result that
                  reports the expiry.

    bit 1 (0x02): if set, pam_mysql deems the authentication token
                  (password) to be expired and returns PAM_NEW_AUTHTOK_REQD.
                  This ends up requiring that the user enter a new password.

    This option is available since 0.6.
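A schema to go with the table, usercolumn, passwdcolumn and statcolumn options, added here as an illustration (the names are made up and nothing in it comes from pam_mysql itself). The status is composed from two boolean columns with an SQL expression, so the bit layout above maps onto readable flags, and the GRANT shows the least privilege the module needs; the PAM lines in the trailing comment use the bracket quoting the README's JOIN example already relies on:

```sql
-- Constructed example: database `dh`, table `ftpusers`; adjust names to taste.
CREATE TABLE ftpusers (
    id          INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username    VARCHAR(64)  NOT NULL UNIQUE,
    password    VARCHAR(128) NOT NULL,            -- full crypt(3) string (crypt=Y)
    disabled    TINYINT(1)   NOT NULL DEFAULT 0,  -- bit 0 -> PAM_ACCT_EXPIRED
    must_change TINYINT(1)   NOT NULL DEFAULT 0   -- bit 1 -> PAM_NEW_AUTHTOK_REQD
) ENGINE=InnoDB;

-- Least-privilege account for the module: SELECT suffices for the auth and
-- account steps; UPDATE on the password column only if passwd(1) changes
-- through pam_mysql are wanted.
CREATE USER 'pamauth'@'localhost' IDENTIFIED BY 'replace-me';
GRANT SELECT ON dh.ftpusers TO 'pamauth'@'localhost';
GRANT UPDATE (password) ON dh.ftpusers TO 'pamauth'@'localhost';

-- Sample rows. The hash values are placeholders: store the output of
-- `openssl passwd -6` (or your application's crypt(3) call) instead.
INSERT INTO ftpusers (username, password, disabled, must_change) VALUES
    ('alice', '$6$placeholdersalt$placeholderhash', 0, 0),
    ('bob',   '$6$placeholdersalt$placeholderhash', 0, 1),   -- must change password
    ('carol', '$6$placeholdersalt$placeholderhash', 1, 0);   -- account expired

-- Manual check of what the account step will see for each user:
SELECT username, (disabled | (must_change << 1)) AS status FROM ftpusers;
-- alice -> 0, bob -> 2 (PAM_NEW_AUTHTOK_REQD), carol -> 1 (PAM_ACCT_EXPIRED)

-- Matching PAM lines; the [ ] let the statcolumn expression contain spaces:
--   auth    required pam_mysql.so user=pamauth passwd=replace-me db=dh table=ftpusers \
--           usercolumn=ftpusers.username passwdcolumn=ftpusers.password crypt=Y sha512=true
--   account required pam_mysql.so user=pamauth passwd=replace-me db=dh table=ftpusers \
--           usercolumn=ftpusers.username passwdcolumn=ftpusers.password \
--           [statcolumn=(ftpusers.disabled | (ftpusers.must_change << 1))]
```

The SELECT is worth running by hand whenever an account is unexpectedly refused: a status of 1 or 2 explains a PAM_ACCT_EXPIRED or PAM_NEW_AUTHTOK_REQD result without touching the module's verbose logging.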

crypt (plain)

    The method used to hash the user's password:

       0 (or "plain")    = No hashing. Passwords stored in plaintext.
                           HIGHLY DISCOURAGED.

       1 (or "Y")        = Use the crypt(3) function. The stored value is the
                           complete crypt string (setting and salt included),
                           so the salted, iterated schemes selected by the
                           md5/sha256/sha512/blowfish options below are
                           available.

       2 (or "mysql")    = Use the MySQL PASSWORD() function. It is possible
                           that the hashing function used by PAM-MySQL
                           differs from that of the MySQL server, as
                           PAM-MySQL uses the function defined in MySQL's
                           C-client API instead of calling the PASSWORD()
                           SQL function in the query.

       3 (or "md5")      = Use plain hex MD5 (unsalted).

       4 (or "sha1")     = Use plain hex SHA1 (unsalted).

       5 (or "drupal7")  = Use Drupal 7 salted passwords.

       6 (or "joomla15") = Use Joomla 1.5 style passwords (see the beta3 note
                           above on SHA256 and bcrypt support).

       7 (or "ssha")     = Use salted SHA1 (SSHA).

       8 (or "sha512")   = Use plain hex SHA-512 (unsalted).

       9 (or "sha256")   = Use plain hex SHA-256 (unsalted).

    Modes 0, 3, 4, 8 and 9 store unsalted values, which can be attacked
    offline with precomputed tables if the user table leaks; prefer crypt(3)
    (mode 1) with sha512 or blowfish for new deployments.

md5 (false)

    Use MD5 ($1$) by default for new crypt(3) hashes. Only meaningful when
    crypt is set to "Y".

sha256 (false)

    Use SHA-256 ($5$) by default for new crypt(3) hashes. Only meaningful
    when crypt is set to "Y".

sha512 (false)

    Use SHA-512 ($6$) by default for new crypt(3) hashes. Only meaningful
    when crypt is set to "Y".

blowfish (false)

    Use Blowfish (bcrypt, $2..$) by default for new crypt(3) hashes. Only
    meaningful when crypt is set to "Y".

    These four options select the scheme used when pam_mysql writes a new
    hash (password change). When checking a password, crypt(3) is called
    with the stored string as the setting, so existing hashes of any scheme
    the system's crypt(3) supports keep working regardless of these flags.

use_323_passwd (false)

    Use MySQL version 3 style encryption function if available and the crypt
    option is set to "mysql". This is useful if you have a table migrated
    from the old MySQL database and it stores the old-style passwords.

    This option appeared since 0.7pre2 and 0.6.1.

    Note that the code for this to work has been dropped from client libraries
    for mysql 5.x (or so) onwards, so a workaround has been patched in to
    pam-mysql. If at all possible you should upgrade your password encryption
    method instead and not rely on this feature.
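As an added example (this is not pam_mysql code and the project ships nothing like it), a Python helper that classifies a stored password column value by the crypt= mode that could have produced it and, for the modes that need only a hash function, verifies a candidate password against it. It covers the crypt option list above, the md5/sha256/sha512/blowfish flags and the use_323_passwd option, answers the Q&A question further down about telling PASSWORD(), crypt() and md5() values apart, and its character-set check explains the "something went wrong when invoking crypt() - Invalid argument" reports among the issues at the end of this page: crypt(3) returns NULL with errno EINVAL when the stored string is not a valid setting (one containing a literal '"', for instance). The prefix table, the length heuristics and the sample strings are mine; crypt(3) itself and the pre-4.1 MySQL scramble are not reimplemented, so verify() returns None for those.

```python
import hashlib
import hmac
import re

# crypt(3) modular prefixes and the pam_mysql flag that makes the module *write*
# that scheme for new hashes when crypt=Y (table constructed for this example).
CRYPT3_FLAGS = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
                "$2a$": "blowfish", "$2b$": "blowfish", "$2y$": "blowfish"}
# Characters allowed in a crypt(3) setting string. Anything else, such as a
# literal '"', makes crypt() return NULL with errno EINVAL instead of a hash.
CRYPT3_CHARSET = re.compile(r"^[./A-Za-z0-9$]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Unsalted hex digests by length: the crypt= names md5, sha1, sha256 and sha512.
HEX_MODES = {32: ("md5", hashlib.md5), 40: ("sha1", hashlib.sha1),
             64: ("sha256", hashlib.sha256), 128: ("sha512", hashlib.sha512)}


def mysql_password(password: bytes) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-case hex of SHA1(SHA1(pw))."""
    return "*" + hashlib.sha1(hashlib.sha1(password).digest()).hexdigest().upper()


def classify(stored: str):
    """Map a stored password column value to (crypt= value, extra option or None).

    Returns ("invalid", reason) when no pam_mysql mode can have produced it.
    Heuristic by construction: a cleartext password that happens to look like
    a digest (32 hex characters, say) is reported as that digest.
    """
    if stored.startswith("*") and len(stored) == 41 and HEX_RE.match(stored[1:]):
        return ("mysql", None)                       # 4.1+ PASSWORD()
    if len(stored) == 16 and HEX_RE.match(stored):
        return ("mysql", "use_323_passwd")           # pre-4.1 PASSWORD()
    if stored.startswith("$"):
        if not CRYPT3_CHARSET.match(stored):
            return ("invalid", "crypt(3) setting contains characters outside [./A-Za-z0-9$]")
        for prefix, flag in CRYPT3_FLAGS.items():
            if stored.startswith(prefix):
                return ("Y", flag)
        return ("invalid", "unknown crypt(3) prefix")
    if len(stored) == 13 and CRYPT3_CHARSET.match(stored):
        return ("Y", None)                           # traditional DES crypt
    if len(stored) in HEX_MODES and HEX_RE.match(stored):
        return (HEX_MODES[len(stored)][0], None)
    return ("plain", None)


def verify(stored: str, candidate: str):
    """Check candidate against stored for the modes that need no crypt(3) call.

    Returns True/False, or None when the check would need crypt(3) (crypt=Y)
    or the old 16-hex MySQL scramble, neither of which is implemented here.
    """
    mode, extra = classify(stored)
    pw = candidate.encode()
    if mode == "plain":
        computed, expected = pw, stored.encode()
    elif mode in ("md5", "sha1", "sha256", "sha512"):
        computed = HEX_MODES[len(stored)][1](pw).hexdigest().encode()
        expected = stored.lower().encode()           # hex case varies by tool
    elif mode == "mysql" and extra is None:
        computed, expected = mysql_password(pw).encode(), stored.upper().encode()
    else:
        return None
    # Constant-time comparison, so timing does not reveal how much of a hash matched.
    return hmac.compare_digest(computed, expected)
```

Run classify() over a dump of the password column before switching crypt= on a live table: a mix of "Y" and "md5" results means a migration is half done, and any "invalid" result is a row that will fail with the crypt() error above rather than with a clean authentication failure.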

where

    Additional criteria for the query. For example:

        [where=Host.name="web" AND User.active=1]

sqllog (false)

    If set to either "true" or "yes", SQL logging is enabled.

logtable

    The name of the table to which logs are written.

logmsgcolumn

    The name of the column in the log table to which the description of the
    performed operation is stored.

logusercolumn

    The name of the column in the log table to which the name of the user
    being authenticated is stored.

logpidcolumn

    The name of the column in the log table to which the pid of the process
    utilising the pam_mysql's authentication service is stored.

loghostcolumn

    The name of the column in the log table to which the IP address of the
    machine performing the operation is stored.

logrhostcolumn

    The name of the column in the log table to which the name of the remote
    host that initiates the session is stored. The value is supposed to be
    set by the PAM-aware application with pam_set_item(PAM_RHOST).

    Available since 0.7pre3.

logtimecolumn

    The name of the column in the log table to which the timestamp of
    the log entry is stored.

config_file

    Path to an NSS-MySQL style configuration file which lists the options,
    one per line. Acceptable option names and their PAM-MySQL counterparts
    are listed below:

    - users.host (host)
    - users.database (db)
    - users.db_user (user)
    - users.db_passwd (passwd)
    - users.table (table)
    - users.update_table (update_table)
    - users.user_column (usercolumn)
    - users.password_column (passwdcolumn)
    - users.status_column (statcolumn)
    - users.password_crypt (crypt)
    - users.use_323_password (use_323_passwd)
    - users.use_md5 (md5)
    - users.where_clause (where)
    - users.disconnect_every_operation (disconnect_every_op) *1
    - verbose (verbose)
    - log.enabled (sqllog)
    - log.table (logtable)
    - log.message_column (logmsgcolumn)
    - log.pid_column (logpidcolumn)
    - log.user_column (logusercolumn)
    - log.host_column (loghostcolumn)
    - log.rhost_column (logrhostcolumn) *2
    - log.time_column (logtimecolumn)

    A "#" in front of the line makes it a comment as in NSS-MySQL.

    This is available since 0.7pre1.

    (*1: added in 0.7RC1)
    (*2: added in 0.7pre3)
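Moving the credentials into a config_file instead of the pam.d line, shown as an added example that is not part of the original README. The file syntax is assumed to be `name = value` with `#` comments, as the option list above suggests (check it against the parser of the version you run); the path, database, table, user and log column names are made up, and the weak variant is shown first so the difference is visible:

```text
# Weak: /etc/pam.d/vsftpd with the MySQL root password inline. Files under
# /etc/pam.d are normally world-readable, so every local user can read it.
#   auth    optional  pam_mysql.so user=root passwd=password db=dh table=ftpusers ...

# Better: /etc/pam_mysql.conf, owned by root, mode 0600. The services that
# invoke this PAM stack must be able to read it; sshd, vsftpd and saslauthd
# call PAM from their root process, so root-only permissions work for them.
users.host = localhost
users.database = dh
users.db_user = pamauth
users.db_passwd = replace-me
users.table = ftpusers
users.user_column = ftpusers.username
users.password_column = ftpusers.password
users.status_column = (ftpusers.disabled | (ftpusers.must_change << 1))
users.password_crypt = Y
users.disconnect_every_operation = false
verbose = 0

# Optional audit trail in the database; the pam_log table with these
# columns has to exist and the pamauth account needs INSERT on it.
log.enabled = yes
log.table = pam_log
log.message_column = msg
log.user_column = user
log.pid_column = pid
log.host_column = host
log.rhost_column = rhost
log.time_column = ts

# /etc/pam.d/vsftpd then carries no secret at all:
#   auth     required  pam_mysql.so config_file=/etc/pam_mysql.conf
#   account  required  pam_mysql.so config_file=/etc/pam_mysql.conf
```

After installing the file, confirm with `ls -l /etc/pam_mysql.conf` that it is `-rw------- root root`, and test a login from an unprivileged shell to make sure the service that calls PAM can still read it.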

use_first_pass (false)

    If true, pam_mysql doesn't prompt for a password and uses the one
    provided by a preceding authentication module. If none is available,
    authentication fails.

    This is available since 0.7pre2.

try_first_pass (true)

    If true, pam_mysql first tries to authenticate with the password
    given by a preceding authentication module. If that fails (either
    because no password is available or because it simply does not
    match), pam_mysql then prompts for a password and authenticates
    again with it.

    This changes the behaviour of earlier versions, which did not perform
    a second authentication attempt when the password given by the
    previous module was wrong.

    This is available since 0.7pre2.

disconnect_every_op (false)

    By default, pam_mysql keeps connection to the MySQL database until the
    session is closed. If this option is set to true it disconnects every
    time the PAM operation has finished.  This option may be useful in case
    the session lasts quite long.


BUGS
----
Beware that user names and clear text passwords may be syslogged
if you set verbose=1, which logs the SELECT statements (and the values of
the module options, passwd included). There is rarely a reason to leave it
on anyway: it slows your system down badly.

Q&A
---
Q. What on earth is PAM anyway?

A. PAM is an acronym for Pluggable Authentication Modules.
   See http://www.kernel.org/pub/linux/libs/pam/whatispam.html for further
   information.

Q. Are there any tools for changing passwords, etc. without updating tables
   directly through the command-line client program?

A. You can use the "passwd" program for that purpose. Note that pam-mysql
   doesn't permit a password change without root privilege (uid 0).

Q. I need to retrieve misc. UNIX user information such as one's home
   directory stored in the account table. Can PAM-MySQL do this?

A. No. As the name suggests, PAM is only involved in authentication
   that in principle has little to do with the account database itself.
   You need to use the nss-mysql module, which can be retrieved from here:
   http://savannah.nongnu.org/projects/nss-mysql

Q. How can I quickly tell in which way a given password is encrypted,
   PASSWORD(), CRYPT()-ed, or md5()?

A. Try using the following MySQL functions: ENCRYPT(), PASSWORD() and MD5(),
   and compare the results with each other.

      SELECT ENCRYPT('mypass'), PASSWORD('mypass'), MD5('mypass');

   Note that ENCRYPT() and PASSWORD() were removed in MySQL 8.0 (MariaDB
   still provides both). The shape of the stored value is usually enough
   anyway: a PASSWORD() value is "*" followed by 40 hex digits, a crypt(3)
   value starts with "$1$", "$5$", "$6$" or "$2..$" (or is 13 characters for
   traditional DES), and a bare MD5 is 32 hex digits.

Q. I set up saslauthd (of Cyrus-SASL) to use PAM-MySQL for authentication and
   noticed some authentication mechanisms such as CRAM-MD5 don't work. Why?

A. CRAM-MD5 and DIGEST-MD5 are challenge-response authentication mechanisms
   (indeed CRAM is short for Challenge-Response Authentication Mechanism):
   the plain-text password has to be available to the component that runs
   the authentication exchange with the user (the SASL library inside the
   server process), rather than handed to a separate authenticator such as
   saslauthd. PAM only ever receives a password to verify, so it cannot be
   used with these mechanisms. Instead, configure Cyrus-SASL to use the
   "SQL" auxprop plugin with MySQL support and specify "auxprop" as the
   password checking method.

   For instance, if you want to use it in conjunction with Postfix, the SASL
   configuration file "smtpd.conf", which is put in the Cyrus-SASL's plugin
   directory (or the location included in the SASL_PATH environment variable),
   would look like the following:

      pwcheck_method: auxprop
      mech_list: plain login cram-md5 digest-md5
      sql_engine: mysql
      sql_database: sys
      sql_user: someuser
      sql_passwd: fubar
      sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';

   Note that passwords should be stored in plain-text in this case.

Q. PAM-MySQL is licensed under GNU Public License and I heard that
   GPL requires the program that links to a GPL'ed shared binary object
   at runtime also being covered by GPL. Is it safe to use PAM-MYSQL
   from a program with a license that is incompatible with GPL?

A. Our thought regarding this issue is that runtime dynamic linking itself
   is not an action to make a derivative work of anything that ends up
   in the physical memory. No matter what GPL is like, and will be like,
   we exceptionally grant you a permanent and non-exclusive right to use a
   binary-formed derivative of PAM-MySQL in combination with any other
   programs.

Q. I could not build pam-mysql on Solaris with the official MySQL binary
   package. How can I fix this?

A. You apparently got a binary package built with the Forte C compiler,
   which requires a different set of command-line options than the compiler
   (most likely GCC) you are now trying to build pam_mysql with.

   There are two options to deal with this problem:

   1. Get the Forte C compiler and build pam-mysql with it.
   2. Build MySQL from the source with the same compiler as the one that
      should be used to build pam-mysql.

LINKS
-----
- MySQL
  http://www.mysql.com/

- NSS-MySQL:
  http://savannah.nongnu.org/projects/nss-mysql

- OpenPAM
  http://www.openpam.org/

- PAM
  http://pam.sourceforge.net/

- sysauth-pgsql (the PostgreSQL counterpart of PAM-MySQL, accompanied by the
  nss module also)
  http://sourceforge.net/projects/sysauth-pgsql

- Cyrus-SASL
  http://asg.web.cmu.edu/sasl/sasl-library.html

- Sendmail-SQL:
  http://www.sourceforge.net/projects/sendmail-sql

pam-mysql's Issues

pam_sm_authenticate() returning 3. the return :(

Hello! Here I am again :( I had to install a vsftpd server with pam-mysql, but this time on Debian. I had a bit of trouble, with several errors, but I got there.

Except that here, I checked the connection, as well as the MySQL credentials (maybe not as it should be), and all the information entered in the pam_mysql configuration lets me connect with PMA or even on the command line.

But there, pam_sm_authenticate returns the number 3. I don't know why; I searched, but I can't find it.

My config:

#%PAM-1.0
auth		sufficient	pam_mysql.so verbose=1 user=datahosting passwd=secret_password host=localhost db=dh table=ftpusers usercolumn=username passwdcolumn=password crypt=sha256
account		sufficient	pam_mysql.so verbose=1 user=datahosting passwd=secret_password host=localhost db=dh table=ftpusers usercolumn=username passwdcolumn=password crypt=sha256
auth        sufficient     pam_unix.so try_first_pass nullok
account     sufficient       pam_unix.so
session    required     pam_loginuid.so

My log (from auth.log):

Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option verbose is set to "1"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option user is set to "datahosting"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option passwd is set to "secret_password "
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option host is set to "localhost"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option db is set to "dh"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option table is set to "ftpusers"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option usercolumn is set to "username"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option passwdcolumn is set to "password"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - pam_sm_authenticate() returning 3.
Sep  5 15:46:30 datahosting vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep  5 15:46:30 datahosting vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=datahosting_minecraft rhost=90.30.212.74 
Sep  5 15:46:32 datahosting sshd[526]: Connection closed by 71.6.232.6 port 55904 [preauth]
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_release_ctx() called.
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_destroy_ctx() called.
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_close_db() called.

My database structure:
[image of the database structure]

I see "check pass; user unknown" in the log, but in my database the user exists. Where does the problem come from? Thanks for helping me!

Edit:
After enabling all MySQL logging, I see that when I connect from phpMyAdmin the log file fills with connection logs, but when I try to connect over FTP (with a valid user and password) no log appears; I don't know if this will help you with my worries.
And I tried editing pam_mysql.c to add syslog, but that doesn't work :( I don't know how to update this file for more logging :/

Edit 2: if I reinstall with make and make install, and do not remove and reinstall libpam-mysql, I get this error:

rted vsftpd FTP server.
Sep 06 11:17:17 datahosting vsftpd[29964]: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: compat_make_scrambled_password_323
Sep 06 11:17:17 datahosting vsftpd[29964]: PAM adding faulty module: pam_mysql.so
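As an added example, written for this page rather than taken from the project or from the poster: a small scanner over constructed syslog lines shaped like the verbose=1 output quoted above. It flags what the README's BUGS section warns about, namely the module option values (the database passwd among them) and the SQL text landing in syslog, reports option values with leading or trailing whitespace (the quoted passwd line has one, which is worth checking in the pam.d file), and decodes the "returning N" values with Linux-PAM's numeric return codes, where 3 is PAM_SERVICE_ERR, 6 is PAM_PERM_DENIED and 7 is PAM_AUTH_ERR. Host names, the secret and the addresses in the sample are made up.

```python
import re

# Constructed sample of auth.log lines in the shape pam_mysql emits with
# verbose=1 (host, service names, secret and addresses are made up).
SAMPLE_LOG = """\
Sep  5 15:46:30 host vsftpd: pam_mysql - option verbose is set to "1"
Sep  5 15:46:30 host vsftpd: pam_mysql - option user is set to "datahosting"
Sep  5 15:46:30 host vsftpd: pam_mysql - option passwd is set to "secret_password "
Sep  5 15:46:30 host vsftpd: pam_mysql - option host is set to "localhost"
Sep  5 15:46:30 host vsftpd: pam_mysql - pam_sm_authenticate() returning 3.
Sep  5 15:46:31 host saslauthd[1328]: pam_mysql - SELECT password FROM account WHERE login = 'myuser'
Sep  5 15:46:31 host saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() returning 6.
Sep  5 15:46:32 host sshd[526]: Connection closed by 198.51.100.7 port 55904 [preauth]
"""

# Numeric return values from Linux-PAM's _pam_types.h that pam_mysql reports.
PAM_CODES = {
    0: "PAM_SUCCESS", 3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}
# Options whose value must never reach a log file.
SECRET_OPTIONS = {"passwd"}

OPTION_RE = re.compile(r'pam_mysql - option (\w+) is set to "(.*)"\s*$')
QUERY_RE = re.compile(r"pam_mysql - ((?:SELECT|UPDATE|INSERT)\b.*)$")
RETURN_RE = re.compile(r"pam_mysql - (\w+)\(\) returning (\d+)\.")


def audit(log_text: str) -> list:
    """Return one finding dict per suspicious line: {'line', 'kind', 'detail'}."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if "pam_mysql - " not in line:
            continue
        m = OPTION_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if name in SECRET_OPTIONS:
                findings.append({"line": lineno, "kind": "secret_in_log",
                                 "detail": f"option {name} logged in clear (verbose=1)"})
            if value != value.strip():
                findings.append({"line": lineno, "kind": "whitespace_in_option",
                                 "detail": f"option {name} has leading/trailing whitespace"})
            continue
        m = QUERY_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "query_in_log",
                             "detail": m.group(1)})
            continue
        m = RETURN_RE.search(line)
        if m and int(m.group(2)) != 0:
            code = int(m.group(2))
            findings.append({"line": lineno, "kind": "pam_error",
                             "detail": f"{m.group(1)} -> {code} ({PAM_CODES.get(code, 'unknown')})"})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"line {finding['line']:>3} {finding['kind']:<22} {finding['detail']}")
```

Any secret_in_log or query_in_log finding on a production host means verbose=1 was left on: turn it off, rotate the database password that was written to the log, and remember that the same lines reach every syslog forwarder the host feeds.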

implicit declaration of function 'my_make_scrambled_password'

After configuring the library and trying to make it, from the start it fails with the following:

pam_mysql.c: In function ‘pam_mysql_check_passwd’:
pam_mysql.c:2896:15: warning: implicit declaration of function ‘my_make_scrambled_password’ [-Wimplicit-function-declaration]
               my_make_scrambled_password(buf, passwd, strlen(passwd));
               ^
mv -f .deps/pam_mysql_la-pam_mysql.Tpo .deps/pam_mysql_la-pam_mysql.Plo
/bin/bash ./libtool  --tag=CC   --mode=link gcc  -g -O2 -I/usr/include/mysql -fabi-version=2 -fno-omit-frame-pointer   -module -avoid-version  -o pam_mysql.la -rpath /lib/security pam_mysql_la-pam_mysql.lo -lcrypto -lpam -lcrypt  -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl
libtool: link: gcc -shared  -fPIC -DPIC  .libs/pam_mysql_la-pam_mysql.o   -lcrypto -lpam -lcrypt -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl  -g -O2   -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
libtool: link: ( cd ".libs" && rm -f "pam_mysql.la" && ln -s "../pam_mysql.la" "pam_mysql.la" )

Running Ubuntu 16.04 with MySQL 5.7

autoreconf -f -i exits with code 1 "error: possibly undefined macro"

autoreconf -f -i on Alpine 3.11 leads to:

/pam-MySQL # autoreconf -f -i
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:26: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:43: error: possibly undefined macro: AS_IF
autoreconf: /usr/bin/autoconf failed with exit status: 1

Where a run with autoreconf -i works fine:

/pam-MySQL # autoreconf -i
configure.ac:13: installing 'build-aux/compile'
configure.ac:13: installing 'build-aux/config.guess'
configure.ac:13: installing 'build-aux/config.sub'
configure.ac:6: installing 'build-aux/install-sh'
configure.ac:6: installing 'build-aux/missing'
Makefile.am: installing './INSTALL'
Makefile.am: installing 'build-aux/depcomp'

Should the INSTALL instruction be updated?

something went wrong when invoking crypt() - No such file or directory

Hi Nigel,

I'm having an error when using pam-MySQL.
When I run the following command: sudo testsaslauthd -u 'the_username' -p 'the_password' -s smtp, I get the following error printed to /var/log/auth.log: saslauthd[21550]: pam_mysql - something went wrong when invoking crypt() - No such file or directory. The result of testsaslauthd is 0: OK "Success." though.

Any idea on how to get rid of this error?

Cheers,
Christophe

Please release

Hi,

(Moving this out of the closed pull request to gain more visibility.)

Have you got any plans about making a release? It would be nice if you met the Debian stretch freeze: we could then ship a proper release in stretch instead of some Git snapshot.
Probably there are some outstanding issues which would be worth fixing, but having an official 0.8 would make it easier to see what's left to do and at the same time gain some extra exposure and testing.
So if there aren't any serious show-stopper bugs in the current code, I ask you to release it as soon as possible, then refine it in further releases. If you don't feel like making a release, please tell, and also whether you object against me packaging some Git snapshot instead for Debian.

Regards,
Feri.

size read failed - SASLAUTHD with PAM_MYSQL Fedora 37

Hi,
I have been using Fedora for a long time and have installed maybe 10 mail servers with PAM_MYSQL authentication over saslauthd.

I wanted to set up a new server on the new Fedora 37, same as before, but without success using SASL with PAM_mysql.

Users are stored in the DB via postfixadmin with MD5CRYPT, and the password is encrypted with MD5RAW as the default setting.

Dovecot, which does not use PAM_mysql, is working; only PAM_mysql is not.

In SASL with PAM_MYSQL, every time the user exists it writes "size read failed" and SASL deactivates it.

It is visible in journalctl that the problem appears to be in PAM_MYSQL.
error_journal.txt

SMTP_POSTFIX_PAM_MYSQL

Centos 7: Unknown method "substring" for a string

With Centos 7 and Mariadb, this is the full log in /home/centos/pam-MySQL-build/meson-logs/meson-log.txt

=========================================================

Build started at 2024-01-15T21:36:01.111737
Main binary: /usr/bin/python3
Build Options:
Python system: Linux
The Meson build system
Version: 0.55.1
Source dir: /home/centos/pam-MySQL-master
Build dir: /home/centos/pam-MySQL-build
Build type: native build
None of 'PKG_CONFIG_PATH' are defined in the environment, not changing global flags.
None of 'PKG_CONFIG_PATH' are defined in the environment, not changing global flags.
Project name: pam-mySQL
Project version: 0.9-alpha1
None of 'CC' are defined in the environment, not changing global flags.
None of 'CFLAGS' are defined in the environment, not changing global flags.
None of 'LDFLAGS' are defined in the environment, not changing global flags.
None of 'CPPFLAGS' are defined in the environment, not changing global flags.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity testing C compiler: cc
Is cross compiler: False.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity check compiler command line: cc /home/centos/pam-MySQL-build/meson-private/sanitycheckc.c -o /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe -pipe -D_FILE_OFFSET_BITS=64
Sanity check compile stdout:


Sanity check compile stderr:


Running test binary command: /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe
C compiler for the build machine: cc (gcc 4.8.5 "cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)")
C linker for the build machine: cc ld.bfd 2.27-44
None of 'AR' are defined in the environment, not changing global flags.
None of 'CC' are defined in the environment, not changing global flags.
None of 'CFLAGS' are defined in the environment, not changing global flags.
None of 'LDFLAGS' are defined in the environment, not changing global flags.
None of 'CPPFLAGS' are defined in the environment, not changing global flags.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity testing C compiler: cc
Is cross compiler: False.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity check compiler command line: cc /home/centos/pam-MySQL-build/meson-private/sanitycheckc.c -o /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe -pipe -D_FILE_OFFSET_BITS=64
Sanity check compile stdout:


Sanity check compile stderr:


Running test binary command: /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe
C compiler for the host machine: cc (gcc 4.8.5 "cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)")
C linker for the host machine: cc ld.bfd 2.27-44
None of 'AR' are defined in the environment, not changing global flags.
Build machine cpu family: x86_64
Build machine cpu: x86_64
Host machine cpu family: x86_64
Host machine cpu: x86_64
Target machine cpu family: x86_64
Target machine cpu: x86_64
Program mysql_config found: YES
Running command: /bin/mysql_config --include
--- stdout ---
-I/usr/include/mysql -I/usr/include/mysql/mysql

--- stderr ---

meson.build:29:2: ERROR: Unknown method "substring" for a string.

I got "malloc(): invalid size (unsorted)" when using "crypt=1"

Hey
Thanks for refactoring the pam-MySQL module.

When I use the new beta1 version, I got this error.

'$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0' v '$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0' (<= 'sldkjfsdf'). Error = 0.
malloc(): invalid size (unsorted)

The issue does not exist in version 0.8.2

My pam configuration is like this:

    auth required pam_mysql.so user={{ .Values.mysql.user }} passwd={{ .Values.mysql.password }} host={{ .Values.mysql.host }} db={{ .Values.mysql.dbname }} table=users usercolumn=userid passwdcolumn=passwd crypt=1
    account sufficient pam_mysql.so user={{ .Values.mysql.user }} passwd={{ .Values.mysql.password }} host={{ .Values.mysql.host }} db={{ .Values.mysql.dbname }} table=users usercolumn=userid passwdcolumn=passwd crypt=1

The password format I'm using is: (generated with openssl passwd -1)
$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0

Wrong SHA1 hash

Hi,

I've tried your module but it looks like it's calculating the hash wrong. I've generated a SHA1 hash from the string "test", which is: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Now I've added an extra log output on line 2928 in pam_mysql.c:
syslog(LOG_AUTHPRIV | LOG_ERR, buf);

Which generates the following output when trying to login with the password "test":
Dec 30 22:15:47 host sshd[26898]: 14b9961cd982a22949737f143325c0370ab90dd9

Which is wrong...

Configurable Password Query

We're configuring a mail server for which we use pam_mysql to consult the mailbox database managed by postfixadmin to authenticate e-mails. Postfixadmin's encrypted passwords contain a small header that denotes the encryption algorithm within the text of the hash itself. When this header is present, pam_mysql fails to authenticate the password, but when it isn't, authentication succeeds. Postfixadmin checks for this header when logging in, so the easiest way to solve this issue is to specify the SQL query that pam_mysql uses in a way that omits this header. As far as I can tell from the available configuration directives, this is not an option, though the "where" option is similar. Is this a reasonable feature to add?

Invalid argument with crypt

When using the crypt function I'm getting the following error:

pam_mysql - something went wrong when invoking crypt() - Invalid argument
pam_mysql - pam_mysql_check_passwd() returning 6.

This is the pam.d/sshd config that is being used:

auth    optional        pam_mysql.so    user=xxxx passwd=xxxx db=xxxx table=users usercolumn=users.user passwdcolumn=users.password crypt=1 blowfish=true verbose=1
account required        pam_mysql.so    user=xxxx passwd=xxxx db=xxxx table=users usercolumn=users.user passwdcolumn=users.password crypt=1 blowfish=true verbose=1

pam-mysql version v0.8.1-30-g4f76d51

crypt() - Invalid argument when crypted PW contains "

Hi,

with recent versions (0.8.0 on Ubuntu and current git master), I came across an issue with crypt. It looks like this:

saslauthd[1328]: pam_mysql - option verbose is set to "1"
saslauthd[1328]: pam_mysql - pam_mysql_close_db() called.
saslauthd[1328]: pam_mysql - pam_sm_authenticate() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() returning 0.
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() called.
saslauthd[1328]: pam_mysql - pam_mysql_format_string() called
saslauthd[1328]: pam_mysql - pam_mysql_quick_escape() called.
saslauthd[1328]: pam_mysql - SELECT password FROM account WHERE login = 'myuser'
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() returning 6.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() called.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() returning 0.
saslauthd[1328]: pam_mysql - pam_mysql_converse() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() called.
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() called.
saslauthd[1328]: pam_mysql - pam_mysql_format_string() called
saslauthd[1328]: pam_mysql - pam_mysql_quick_escape() called.
saslauthd[1328]: pam_mysql - SELECT password FROM account WHERE login = 'myuser'
saslauthd[1328]: pam_mysql - something went wrong when invoking crypt() - Invalid argument
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() returning 6.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() called.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() returning 0.
saslauthd[1328]: pam_mysql - pam_sm_authenticate() returning 7.
saslauthd[1328]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd[1328]: pam_mysql - pam_mysql_release_ctx() called.
saslauthd[1328]: pam_mysql - pam_mysql_destroy_ctx() called.
saslauthd[1328]: pam_mysql - pam_mysql_close_db() called.

/etc/pam.d/smtp:

auth    sufficient /lib/x86_64-linux-gnu/security/pam_mysql.so host=mysqlhost user=postfix passwd=mypass db=mydb table=account usercolumn=login passwdcolumn=password crypt=1 verbose=1
account required   /lib/x86_64-linux-gnu/security/pam_mysql.so host=mysqlhost user=postfix passwd=mypass db=mydb table=account usercolumn=login passwdcolumn=password crypt=1 verbose=1

We are migrating to newly setup SMTP servers (with newer OSes) and are currently testing. My coworkers were able to authenticate, I wasn't.

Then I noticed something: my crypted password in the DB contained a " character. I re-set the same password in our frontend, so that a different crypt string (without ") was being written to the database, and I was able to authenticate again.

So I guess that crypt() doesn't like row[0] being a string containing " here:

pam-MySQL/pam_mysql.c

Lines 3741 to 3745 in 4f76d51

/* ENCRYPT */
case 1:
crypted_password = crypt(passwd, row[0]);
if (crypted_password == NULL) {
syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "something went wrong when invoking crypt() - %s", strerror(errno));

On our old SMTP servers, this issue never occurred, so something somewhere (pam_mysql, PAM itself, libc or wherever crypt sits in) has changed at some point, introducing this bug. It's probably not even something you can fix, but you have a better insight and maybe other affected people see this issue.

undefined symbol: MD5

I have the following issue using the drupal7 pam-mysql module (dovecot consumer):
auth worker: PASSV: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: MD5

It could be related to the squeeze -> wheezy upgrade.

Using
libssl0.9.8 (0.9.8o-4squeeze14)
libssl1.0.0:amd64 (1.0.1e-2)
openssl (1.0.1e-2)
libc6 (2.13-38)

./configure; make
# nm .libs/pam_mysql.so | grep MD5
                 U MD5

Generated spec file includes Copyright field, but no License field

After running configure and attempting to run rpmbuild per the INSTALL file, the rpmbuild command fails with a

error: line 5: Unknown tag: Copyright: Freely Distributable

removing that line then causes

error: License field must be present in package: (main package)

As a workaround, simply adding a License field at the top of the spec file corrects the issue.

Email address as username.

I don't even know for sure this is the right place to do it, but I've looked through the various docs and I cannot seem to find any useful pointers.

I grow tired of having to reconfigure a certain software vendor's products that seem to think by default usernames should no longer exist, and they are making it increasingly hard to do so. So I am wondering if pam_mysql could be made to cope with user@domain format of usernames. A quick and dirty test shows that a straight swap in the username column doesn't work, and I guess that is because it's stripped off by saslauthd which is also in my auth chain where it matters.

So I'm raising this as an issue to see if we can do it here, and failing that, as a point of reference for other poor unfortunates in future who are trying to answer the same type of question.

Having said that, I noticed there's a saslauthd option, thusly, which I thought may help:

-r | Combine the realm with the login (with an ’@’ sign in between). e.g. login: "foo" realm: "bar" will get passed as login: "foo@bar". Note that the realm will still be passed, which may lead to unexpected behavior.

But while the logs (for both pam-mysql and mysql itself with query logging enabled) suggest it does pass through user@password format of username it won't authenticate even then. However putting pam_mysql into verbose mode does suggest that it is querying mysql for the user@domain format of username, and in a way that works when run manually at the mysql CLI, so I guess something in the return path isn't working. Or that pam does support realms/domains, and it's just not clear how and where it is configured and written into module code.

However, even if the email address format works, that would break the username-only format of login unless extra code were added to allow for a column with email address as well as the username column that already exists, because you wouldn't want to have just one or the other to avoid users having to reconfigure because you still end up with the same problem. So I guess either way a little bit of extra code will be needed in pam-MySQL.

about the where option string enclosure

The README is the only reference, but for a where clause it doesn't say whether the value must be enclosed in " or written as is:

  • where=status=1 ?
  • where=[status=1] ?
  • where="status=1" ?

pam_mysql_check_passwd() returning 6

hi there,

I used the default libpam-mysql and this manually installed libpam-mysql, but I'm always getting this in /var/log/auth.log

I have inserted "testuser" in the database, and I also properly entered the details in /etc/libpam-mysql.conf

I tried crypt=0 and crypt=3 (md5), still the same, and I think the main problem is that it's saying the username is invalid even though it's in the database..

May 10 18:47:10 debian sshd[3737]: Invalid user testuser from 10.0.2.2 port 22693
May 10 18:47:14 debian sshd[3737]: pam_mysql - option verbose is set to "1"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.enabled is set to "false"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.table is set to "log"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.message_column is set to "message"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.pid_column is set to "pid"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.user_column is set to "user"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.host_column is set to "host"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.rhost_column is set to "rhost"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.time_column is set to "time"
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_sm_authenticate() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_format_string() called
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_quick_escape() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - SELECT password FROM users WHERE username = 'testuser'
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() returning 6.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_converse() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_format_string() called
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_quick_escape() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - SELECT password FROM users WHERE username = 'testuser'
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() returning 6.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_sm_authenticate() returning 7.
May 10 18:47:14 debian sshd[3737]: pam_unix(sshd:auth): check pass; user unknown
May 10 18:47:14 debian sshd[3737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
May 10 18:47:16 debian sshd[3737]: Failed password for invalid user testuser from 10.0.2.2 port 22693 ssh2

on the ssh facing terminal, the prompt is: Permission denied, please try again.

I can only log in using root...

about incompatible with mysql 5.7

I tried to connect to mysql 5.6 and 5.7 with pam-mysql, but always failed on mysql 5.7.
After installing mysql 5.6 and 5.7 in the same OS environment and connecting with testsaslauthd separately, I got '0: OK "Success.' on mysql 5.6, but got 'size read failed' on mysql 5.7.

How can I make pam-mysql compatible with mysql 5.7?

NGINX empty response with pam-mysql

Hey,
I've recently compiled the module with the instructions.
It seems to work because the authentication prompt is working and indeed if I insert an undefined user it won't work, but when I do insert a valid user it fails instead of giving me the regular NGINX welcome page.

Any ideas what can cause this behavior?
Thanks,
Lior

install_dir is hard coded to '/lib/security'

It seems that install_dir is hard coded to /lib/security: https://github.com/NigelCunningham/pam-MySQL/blob/master/meson.build#L270

This is a problem on Fedora (and by extension also on RHEL/CentOS etc.) since the correct directory is platform dependent (e.g. /lib/security on 32bit platforms and /lib64/security on 64bit platforms, see: https://docs.fedoraproject.org/en-US/packaging-guidelines/RPMMacros/, technically /usr/lib/security and /usr/lib64/security since https://fedoraproject.org/wiki/Features/UsrMove)

I couldn't find any (reasonably easy) way to set install_dir during build time, but this might be me knowing little to nothing about meson. It'd be nice if this could be configurable so it can be set to %{_libdir}

There's also https://github.com/NigelCunningham/pam-MySQL/blob/master/install.sh which tries to address this. But that of course doesn't work in an rpm build environment:

+ /usr/bin/meson install -C x86_64-redhat-linux-gnu --no-rebuild
Installing libpam_mysql.so to /builddir/build/BUILDROOT/pam_mysql-1.0.0~beta1-1.fc34.x86_64/lib/security
Running custom install script '/builddir/build/BUILD/pam-MySQL-1.0.0-beta1/install.sh'
--- stdout ---

--- stderr ---
mv: cannot stat '/lib/security/libpam_mysql.so': No such file or directory
strip: '/lib/security/pam_mysql.so': No such file

FAILED: install script '/builddir/build/BUILD/pam-MySQL-1.0.0-beta1/install.sh' exit code 1, stopped

The current expansion of the %meson macro on Fedora 34 looks something like this:

/usr/bin/meson --buildtype=plain --prefix=/usr --libdir=/usr/lib64 --libexecdir=/usr/libexec --bindir=/usr/bin --sbindir=/usr/sbin --includedir=/usr/include --datadir=/usr/share --mandir=/usr/share/man --infodir=/usr/share/info --localedir=/usr/share/locale --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var/lib --wrap-mode=nodownload --auto-features=enabled . x86_64-redhat-linux-gnu

So the right directory to use is probably libdir: https://mesonbuild.com/Builtin-options.html

undefined symbol: SHA1xxx

Hi,

While trying to replace the original mysql pam with this I ended up in a dead end.

If I configure with:
./configure --with-pam-mods-dir=/lib/security --with-openssl=no
I get:
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: SHA1Final

If I configure with:
./configure --with-pam-mods-dir=/lib/security --with-openssl=yes
I get:
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: SHA1Init

I don't even want to use SHA1. But it doesn't seem to help with "crypt=plain" in the pam config

Doing this on Ubuntu 16.04 with the standard packages for mysql and everything.

Please tell me if I can help with providing more information. I just want it to work as soon as possible :)

Regression testing would be a good idea.

So, there was a regression in the build process. People noticed. But more people probably noticed the issue that was present before the patch that fixed that and inadvertently caused the regression. shrug.

I have some testing stuff that can help, which I can probably cut & paste into something specific to pam-mysql, but it's designed to test whole servers, so it's using vagrant+virtualbox+ansible+serverspec and that might be a bit much?

@wferi indicates he's got something that proved when the relevant function call dropped out of exports, @NigelCunningham probably has some stuff.

I'd be happy to help, but I guess we need to take stock of what we do have, what the relevant standards are, and so on before trying to implement something.

Thoughts anyone?

PS. Obviously doff our hats to @slimlv for noticing and providing a patch for the build process.

Suppressing log messages

Is there a way to suppress log messages such that all I get in auth.log are fail and success events?

Specifically I would like to get rid of these:

Oct 9 17:41:03 celaeno saslauthd[53501]: pam_mysql - SELECT returned no result.
Oct 9 17:41:03 celaeno saslauthd[53501]: pam_mysql - SELECT returned no result.
Oct 9 17:41:03 celaeno saslauthd[53501]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module

but keep these:

Oct 9 17:41:03 celaeno saslauthd[53501]: : auth failure: [user=lia.b] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Default value for md5 config is wrong

When setting crypt to 1 in the config and commenting out the md5 option it still uses md5 for hashing even if the default is supposed to be disabled.

Probable fix would be to set ctx->md5 to 0 instead of -1 in pam_mysql_init_ctx.

Support for sha2 (sha256 / sha512 hashes)

Hi,

Is it possible to support sha2 ? (sha256 / sha512 hashes)

We are using hashes that are usually generated by the openssl library, an example of generating such a digest:

#include <cstdio>
#include <iostream>
#include <string>
#include <openssl/sha.h>

int main() {
    std::string password = "somepassword";

    // generate a SHA512 hash using the openssl library
    unsigned char buf[SHA512_DIGEST_LENGTH];
    SHA512_CTX ctx;
    if (!SHA512_Init(&ctx)) {
        std::cerr << "failed to initialize." << std::endl;
        return 1;
    }
    if (!SHA512_Update(&ctx, password.c_str(), password.length())) {
        std::cerr << "failed to update sha context." << std::endl;
        return 1;
    }
    if (!SHA512_Final(buf, &ctx)) {
        std::cerr << "failed to get the hash." << std::endl;
        return 1;
    }
    // print the raw digest as lowercase hex, the form usually stored in a DB column
    for (unsigned char byte : buf)
        std::printf("%02x", byte);
    std::printf("\n");
    return 0;
}

It's not a complete example, but it gives a head start hopefully.

Regards, Matthijs

Time to roll v0.8.2?

It seems most distros will only send out new versions once an official release is made.

Currently, from my testing of pam_mysql now - 0.8.1 only seems to support md5(?) via crypt. From the commit history, I believe using crypt will now also do up to sha512.

It would be good to release this (if working) as v0.8.2 so this improvement can be put out in the distros.

No error log, and can't log in with pam-mysql

Hello, sorry to disturb you for something that may be stupid.
But there, I made a vsftpd server with an old version of pam, I just updated to yours, and it does not work anymore. So I activated the verbose option to have more log, but here is what it gives me (in /var/log/secure, I don't find /var/log/auth*):

Apr  8 23:46:54 datahosting vsftpd[9528]: pam_unix(vsftpd:auth): check pass; user unknown
Apr  8 23:46:54 datahosting vsftpd[9528]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=datahosting_minecraft rhost=my_private_host

Here is my configuration pam:

#%PAM-1.0
auth sufficient /usr/lib64/security/pam_mysql.so user=datahosting passwd=my_secret_password  host=localhost db=datahosting table=ftp_accounts usercolumn=username   passwdcolumn=pass crypt=9 verbose=1
account sufficient /usr/lib64/security/pam_mysql.so user=datahosting passwd=my_secret_password  host=localhost db=datahosting table=ftp_accounts usercolumn=username  passwdcolumn=pass crypt=9 verbose=1
auth        sufficient     pam_unix.so try_first_pass nullok
account     sufficient       pam_unix.so
session    required     pam_loginuid.so

I may not be looking for the right logs.
Is the log file in /var/log ?

I am sincerely sorry to disturb you for this banal thing, which surely comes from me. But it's annoying that my vsftpd server is no longer working, so I would like to resolve this problem.

I am running on Centos 8.

Thanks for your reply.

./configure: line 13867: syntax error near unexpected token `openssl,libcrypto,'

root@netmoon:/home/netmoon/pam-MySQL# ./configure --with-openssl
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/x86_64-linux-gnu-ld
checking if the linker (/usr/bin/x86_64-linux-gnu-ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/x86_64-linux-gnu-ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/x86_64-linux-gnu-ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking size of short... 2
checking size of int... 4
checking size of long... 8
checking size of long long... 8
checking size of mode_t... 4
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking stdarg.h usability... yes
checking stdarg.h presence... yes
checking for stdarg.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for size_t... yes
checking whether ELOOP is declared... yes
checking whether EOVERFLOW is declared... yes
checking for library containing socket... none required
checking for getaddrinfo... yes
checking for crypt in -lcrypt... yes
checking PF_INET6 availability... yes
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for gethostbyname_r... yes
checking if gethostbyname_r() is part of glibc... yes
checking if /usr /usr/local /usr/mysql /opt/mysql is a mysql_config script... no
checking mysql_config availability in /usr/bin... yes
checking for mysql_real_query... yes
checking for mysql_real_escape_string... yes
checking for make_scrambled_password_323... no
./configure: line 13867: syntax error near unexpected token `openssl,libcrypto,'
./configure: line 13867: `PKG_CHECK_MODULES(openssl,libcrypto,'

Skip first pass in sasl-pam-mysql authentication

I have configured saslauthd + pam + mysql on my machine (debian
testing, also tried on Ubuntu 22) to authenticate against a mysql DB.

Whenever I try authentication with credentials (e.g., with
testsaslauthd calling libpam) the Pam module does not immediately
query the mysql database, but tries the first pass, i.e., if it finds
a previous authentication that matches with the password entered, it
responds successfully (thus skipping querying the db).

But if I change the password on the DB, each login attempt with the
old password is still successful until the first login with the new
password occurs.

This looks like the behaviour described by the parameter try_first_pass,
but I didn't define it in my PAM configuration.

I would like to be able to change passwords on the mysql DB and have
the old password stop working from then on, without necessarily having
to restart saslauthd (which resets the value of the first pass) or try
the new password.

How can I prevent the first pass from being attempted?


NB: I have asked this also here


POST SCRIPTUM:

  1. Versions of pam modules:

    Package              Debian testing   Ubuntu 22
    libpam-mysql:amd64   0.8.2-2          0.8.1-5build1
    libpam0g:amd64       1.5.2-6          1.4.0-11ubuntu2.3
  2. PAM configurations:


    I have configured in pam.d/ an smtp configuration module like this:

    $ cat /etc/pam.d/smtp
    auth       required     pam_nologin.so
    auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
    account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
    password   required     pam_deny.so

    It uses /etc/mail-pam-mysql.conf which is:

    verbose = 1;
    users.host = dbhost;
    users.database = dbname;
    users.db_user = dbuser;
    users.db_passwd = MYDBPASSWORD;
    users.password_crypt = 1;
    users.table = accountuser;
    users.user_column = username;
    users.password_column = password;
    log.table = log;
    log.message_column  = msg;
    log.pid_column  = pid;
    log.user_column  = user;
    log.host_column  = host;
    log.time_column  = time;
    

Crypt seems to fail

Is there any known bug in Debian 9? My password is 100% correct and works well from all other applications connected to this mysql instance. Roundcube, dovecot, z-push, nextcloud... but not with postfix and smtp auth.

libpam-mysql/stable,now 0.8.0-1 amd64 [installed]
PAM module interfacing with MySQL databases

Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - option debug is set to "1"
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = '[email protected]'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_converse() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = '[email protected]'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() returning 7.
Jul 28 21:53:22 myhost saslauthd[27369]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_release_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_destroy_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]:                 : auth failure: [[email protected]] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

I cannot find documentation what pam_mysql_check_passwd() returning 6 or pam_sm_authenticate() returning 7 means. Debugging is on, but the passwords are not shown. So it is impossible to figure out what the root cause is.

pam_mysql is configured to use crypt=1. In Debian 7 it worked all well, but this was pam_mysql 0.7~RC1.
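The issue above asks what "pam_mysql_check_passwd() returning 6" and "pam_sm_authenticate() returning 7" mean; the same verbose traces appear in the saslauthd, sshd and MariaDB reports earlier on this page. The script below is an added example, not part of pam-MySQL or of any issue here. It groups verbose pam_mysql log lines by PID and translates the codes: the pam_sm_*() values are Linux-PAM return codes (7 is PAM_AUTH_ERR, 9 is PAM_AUTHINFO_UNAVAIL), while the codes logged by pam_mysql_check_passwd() and pam_mysql_open_db() are the module's own and their meanings here are inferred only from the logs on this page (0 on success, 5 beside a "MySQL error" line, 6 on a mismatch or a failed crypt() call). It also flags the "option passwd is set to ..." line, since verbose=1 writes the database credential into syslog. The log lines in SAMPLE_LOG are constructed, modelled on the traces quoted above.

```python
import re
from collections import defaultdict

# Linux-PAM return codes from <security/_pam_types.h>. pam_sm_authenticate()
# and pam_sm_acct_mgmt() hand one of these back to the PAM stack, so
# "pam_sm_authenticate() returning 7." means PAM_AUTH_ERR.
PAM_CODES = {
    0: 'PAM_SUCCESS', 1: 'PAM_OPEN_ERR', 2: 'PAM_SYMBOL_ERR', 3: 'PAM_SERVICE_ERR',
    4: 'PAM_SYSTEM_ERR', 5: 'PAM_BUF_ERR', 6: 'PAM_PERM_DENIED', 7: 'PAM_AUTH_ERR',
    8: 'PAM_CRED_INSUFFICIENT', 9: 'PAM_AUTHINFO_UNAVAIL', 10: 'PAM_USER_UNKNOWN',
    11: 'PAM_MAXTRIES', 12: 'PAM_NEW_AUTHTOK_REQD', 13: 'PAM_ACCT_EXPIRED',
}

# pam_mysql_check_passwd() and pam_mysql_open_db() log the module's own error
# codes, which are not PAM codes. These meanings are inferred from the logs in
# this issue tracker (0 on success, 5 next to a "MySQL error" line, 6 on a
# password mismatch or failed crypt() call), not taken from documentation.
INTERNAL_CODES = {0: 'success', 5: 'database error (see MySQL error line)',
                  6: 'password mismatch / crypt() failure'}
INTERNAL_FUNCS = ('pam_mysql_check_passwd', 'pam_mysql_open_db')

LINE_RE = re.compile(
    r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?:process: )?pam_mysql - (?P<msg>.*)$')
RET_RE = re.compile(r'(?P<func>\w+)\(\) returning (?P<code>\d+)\.?$')


def triage(lines):
    """Group verbose pam_mysql lines by PID and translate what each one says."""
    sessions = defaultdict(lambda: {'queries': [], 'events': [], 'warnings': []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group('pid')], m.group('msg').strip()
        if msg == 'SELECT returned no result.':
            # on this page this line is followed by saslauthd reporting
            # "User not known to the underlying authentication module"
            s['events'].append('no row for this user')
        elif msg.startswith('SELECT '):
            s['queries'].append(msg)
        elif msg.startswith(('MySQL error', 'something went wrong')):
            s['events'].append(msg)
        elif msg.startswith('option passwd is set to'):
            # verbose=1 copies the database credential into syslog; flag it so
            # the operator rotates it and turns verbose off again afterwards.
            s['warnings'].append('database password written to the log by verbose=1')
        else:
            r = RET_RE.match(msg)
            if not r:
                continue
            func, code = r.group('func'), int(r.group('code'))
            if func.startswith('pam_sm_'):
                s['events'].append('%s -> %s' % (func, PAM_CODES.get(code, 'unknown %d' % code)))
            elif func in INTERNAL_FUNCS:
                s['events'].append('%s -> %s' % (func, INTERNAL_CODES.get(code, 'internal code %d' % code)))
    return dict(sessions)


def verdict(session):
    """Final PAM result of a session: the last pam_sm_*() return code seen, or None."""
    for event in reversed(session['events']):
        if event.startswith('pam_sm_'):
            return event.split(' -> ')[1]
    return None


# Constructed sample lines modelled on the verbose output quoted in the issues
# above: a crypt() failure under saslauthd, a MariaDB connection error during
# account management, and a lookup that returned no row.
SAMPLE_LOG = """\
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - option passwd is set to "dbsecret"
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = 'alice'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - something went wrong when invoking crypt() - Invalid argument
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() returning 7.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - MySQL error (Plugin pvio_socket could not be loaded: not initialized)
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() returning 5.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() returning 9.
Oct 9 17:41:03 celaeno saslauthd[53501]: pam_mysql - SELECT returned no result.
""".splitlines()

if __name__ == '__main__':
    for pid, session in triage(SAMPLE_LOG).items():
        print('pid %s: verdict %s' % (pid, verdict(session)))
        for item in session['queries'] + session['events'] + session['warnings']:
            print('  ', item)
```

Feed it the output of `grep pam_mysql /var/log/auth.log` (or journalctl) and read the verdict per PID; a session whose events end in "crypt() failure" followed by code 6 points at the stored hash rather than at the connection, while code 5 from pam_mysql_open_db() points at the database.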

Blowfish and 2y series hashes

Hello
I'm using pam_mysql for authentication and bumped into a couple of issues.
I can successfully use crypt 0 with logs in db (not recommended) but have issues with blowfish encrypted ones.
If I use crypt=1 blowfish=1, I end up with invalid token option, and if I use crypt=1 alone, password returns 6. Neither of which gives a good clue.
I've been using the crypt function of PHP to create hashes with the password default option (please check https://github.com/panique/php-login-minimal/blob/master/classes/Registration.php for similar code).
The documentation online for this module seems to be sparse and digging through the code was not so fruitful for me.
Can anyone give me some leads on how to handle proper authentication (also the contents of the file under pam.d for proper authentication, at least against nginx auth)?
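Two reports on this page come down to what is sitting in the password column before crypt(passwd, row[0]) ever runs: the earlier one where a stored crypt string contained a " character and crypt() failed with "Invalid argument", and this one where PHP-generated hashes (which use the $2y$ bcrypt prefix) are not accepted with crypt=1. The script below is an added example, not code from pam-MySQL or from either reporter: it classifies each stored value (crypt(3) string with a recognised method id, raw hex digest, traditional 13-character DES string, or nothing recognisable) and flags characters that can never have come out of crypt(), so a table can be audited before a migration. Which method ids the crypt() on a given host actually accepts depends on libc or libxcrypt, so the CRYPT_PREFIXES table is an assumption to check against your platform; SAMPLE_ROWS are constructed and their hash bodies are filler, not real digests.

```python
import re

# Alphabet of crypt(3) strings: the 64-character hash alphabet, the '$'
# separator and the '=' / ',' used inside parameters such as "$6$rounds=5000$".
# A stored value with anything else in it (the '"' from the earlier issue)
# cannot have been produced by crypt() and will make crypt(passwd, stored) fail.
CRYPT_ALPHABET = re.compile(r'^[./0-9A-Za-z$=,_]+$')

# Recognised crypt(3) method ids. This table is an assumption for the example:
# which of these a host's crypt() accepts depends on its libc/libxcrypt.
CRYPT_PREFIXES = {
    '$1$': 'md5-crypt',
    '$2a$': 'bcrypt', '$2b$': 'bcrypt', '$2y$': 'bcrypt',
    '$5$': 'sha256-crypt',
    '$6$': 'sha512-crypt',
    '$7$': 'scrypt',
    '$y$': 'yescrypt',
}

HEX = re.compile(r'^[0-9a-fA-F]+$')
# Raw hex digests (what the non-crypt hashing modes store) by length.
HEX_DIGESTS = {32: 'md5', 40: 'sha1', 64: 'sha256', 128: 'sha512'}


def classify_stored_hash(value):
    """Return (kind, ok, reason) for one value read from the password column."""
    if not value:
        return ('empty', False, 'empty password column')
    if value.startswith('$'):
        if not CRYPT_ALPHABET.match(value):
            bad = sorted({ch for ch in value if not CRYPT_ALPHABET.match(ch)})
            return ('crypt', False, 'illegal character(s) for crypt(): %r' % bad)
        for prefix, name in CRYPT_PREFIXES.items():
            if value.startswith(prefix):
                return (name, True, 'crypt(3) string with method id %s' % prefix.strip('$'))
        return ('crypt', False, 'unknown crypt method id %r' % value.split('$')[1])
    if HEX.match(value) and len(value) in HEX_DIGESTS:
        return (HEX_DIGESTS[len(value)], True, 'raw hex digest')
    if len(value) == 13 and CRYPT_ALPHABET.match(value) and '$' not in value:
        return ('des-crypt', True, 'traditional 13-character DES crypt string')
    return ('plaintext?', False, 'does not look like any hash form')


def audit_rows(rows):
    """Run classify_stored_hash() over (username, stored) pairs and return the
    rows an operator should look at before pointing pam_mysql at the table."""
    findings = []
    for username, stored in rows:
        kind, ok, reason = classify_stored_hash(stored)
        if not ok:
            findings.append((username, kind, reason))
    return findings


# Constructed sample rows, shaped like the (usercolumn, passwdcolumn) pair that
# pam_mysql selects; the hash bodies are filler, not real digests.
SAMPLE_ROWS = [
    ('alice', '$6$saltsalt$' + 'ab' * 43),
    ('bob', '$2y$10$' + 'a' * 53),           # PHP password_hash() style prefix
    ('carol', '$1$ab"cd$' + 'x' * 22),       # the '"' case from the earlier issue
    ('dave', 'ab' * 32),                     # 64 hex chars: sha256
    ('erin', 'abJnggxhB/yWI'),               # 13 chars: traditional DES crypt
    ('frank', 'hunter2'),                    # plaintext, flagged
]

if __name__ == '__main__':
    for username, kind, reason in audit_rows(SAMPLE_ROWS):
        print('%-6s %-10s %s' % (username, kind, reason))
```

Run it over a dump of the user table (or wire it to a SELECT of the two columns) and clear every flagged row before enabling crypt=1; a value that classifies as bcrypt but still fails in pam_mysql means the host's crypt() does not accept that method id, which is a platform question rather than a data problem.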

MySQL error (Plugin pvio_socket could not be loaded: not initialized)

Using MariaDB 10.2 with pam-MySQL results in the following error: MySQL error (Plugin pvio_socket could not be loaded: not initialized)

The verbose log looks like this (changed some values to protect the innocent):

Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_authenticate() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() returning 6.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_converse() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_authenticate() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - MySQL error (Plugin pvio_socket could not be loaded: not initialized)
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() returning 5.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() returning 9.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_release_ctx() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_destroy_ctx() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_authenticate() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() returning 6.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_converse() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_authenticate() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_acct_mgmt() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - MySQL error (Plugin pvio_socket could not be loaded: not initialized)
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() returning 5.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_acct_mgmt() returning 9.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_release_ctx() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_destroy_ctx() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.

The error is similar to this one here:
Icinga/icinga-core#1598

pam-MySQL 1.0.0 built error for MySQL 8

I am new to the meson and ninja build tools. There are errors complaining about a missing MYSQL type, although MySQL 8 (mysql-boost-8.0.15.tar.gz) has been built and MYSQL is defined in /usr/local/mysql/include/mysql.h.

Is it fine to comment out the libmariadb lines in meson.build?

#foreach dep: ['libmariadb']
deps += dependency(dep)
#endforeach

git clone https://github.com/NigelCunningham/pam-MySQL
export LIBRARY_PATH=/usr/local/mysql/include
meson ../pam-MySQL-build
cd ../pam-MySQL
/usr/local/bin/ninja

[1/92] Compiling C object libpam_mysql.so.p/src_session.c.o
FAILED: libpam_mysql.so.p/src_session.c.o
cc -Ilibpam_mysql.so.p -I. -I../pam-MySQL -I/usr/local/mysql/include -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -std=c11 -g -DHAVE_CONFIG_H -fPIC -MD -MQ libpam_mysql.so.p/src_session.c.o -MF libpam_mysql.so.p/src_session.c.o.d -o libpam_mysql.so.p/src_session.c.o -c ../pam-MySQL/src/session.c
In file included from ../pam-MySQL/src/session.c:6:0:
../pam-MySQL/src/context.h:6:3: error: unknown type name MYSQL
MYSQL *mysql_hdl;

openvpn pam-mysql + google otp failure

centos 7
openvpn: OpenVPN 2.4.6

server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 10
status-version 2
log /var/log/openvpn.log
verb 3
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
reneg-sec 0

client:
client
dev tun0
proto tcp
remote 10.0.12.36 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
nobind
auth-user-pass
reneg-sec 0
auth-nocache
comp-lzo
verb 4

pam for openvpn:
auth required pam_mysql.so user=xxx passwd=xxxx host=localhost db=xxx table=openvpn usercolumn=username passwdcolumn=password where=active=1 crypt=sha1 use_first_pass debug
auth required pam_google_authenticator.so secret=/etc/openvpn/google-auth/${USER} user=root echo_verification_code debug forward_pass no_increment_hotp
account required pam_permit.so debug

On the client I use password + google code; it fails. Logs:
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - option debug is set to ""
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_format_string() called
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: start of google_authenticator for "admin"
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: Invalid verification code for admin
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.

If I use a command like:
pamtester openvpn admin authenticate
Password & verification code: xxxxxxxxx
pamtester: Authentication failure
Failure log:
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - option debug is set to ""
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_format_string() called
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: start of google_authenticator for "admin"
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: no scratch code used from "/etc/openvpn/google-auth/admin"
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: Accepted google_authenticator for admin
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_close_db() called.

If I remove the auth required pam_mysql.so user...... line, openvpn works with google otp.
How do I use username + password & google otp to access openvpn? Thanks.

Can't be built on CentOS 6

Hello Nigel,
I had successfully built the pam-mysql module before your commit in Nov 2016. Before that, the configure script was already there and the make process worked without any problems.

Now with 0.8.1 that doesn't work anymore:

# autoreconf -f -i --verbose
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf --force
configure.ac:45: error: possibly undefined macro: AC_DEFINE
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

If I add m4_pattern_allow([AC_DEFINE]) to configure.ac, autoreconf works:

# autoreconf -f -i --verbose
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:6: unknown warning category `no-extra-portability'
autoreconf: Leaving directory `.'

But some macros are not getting replaced correctly:

# ./configure --prefix=/usr --with-pam-mods-dir=/lib64/security --with-openssl
[...]
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for size_t... yes
checking whether ELOOP is declared... yes
checking whether EOVERFLOW is declared... yes
checking for library containing socket... none required
checking for getaddrinfo... yes
./configure: line 13662: PAM_MYSQL_CHECK_IPV6: command not found
./configure: line 13663: PAM_MYSQL_CHECK_GETHOSTBYNAME_R: command not found
./configure: line 13669: syntax error near unexpected token `"$withval"'
./configure: line 13669: `  PAM_MYSQL_CHECK_LIBMYSQLCLIENT("$withval")'

In the generated configure I see the problem:

PAM_MYSQL_CHECK_IPV6
PAM_MYSQL_CHECK_GETHOSTBYNAME_R

# Check whether --with-mysql was given.
if test "${with_mysql+set}" = set; then
  withval=$with_mysql;
  PAM_MYSQL_CHECK_LIBMYSQLCLIENT("$withval")
else
  PAM_MYSQL_CHECK_LIBMYSQLCLIENT(/usr /usr/local /usr/mysql /opt/mysql)
fi

# Check whether --with-openssl was given.
if test "${with_openssl+set}" = set; then
  withval=$with_openssl;
else
  with_openssl=check
fi

Do you have any clue how to build on CentOS?

Thank you!

pam_MySQL is only querying the database if the username has a login account.

I am having a hard time getting pam_MySQL to work completely for me. I am using cyrus-sasl2 with MECH pam. If I run the command saslauthd -u robert -p secret -s imap (a valid login account on my machine), pam_MySQL will query the database. If I enter the command saslauthd -u robert -r mydomain.com -p secret -s imap, no query is performed and the entry in /var/log/secure is 'pam_mysql - required option "user" is not set.'
Any ideas on what I can check or what I am doing wrong?

local my_make_scrambled_password() != mysqlclient's my_make_scrambled_password()

I think there is some confusion going on, even upstream, regarding these functions that unfortunately have very similar (long) names:
make_scrambled_password()
my_make_scrambled_password()
my_make_scrambled_password_sha1()

This is the current status:
make_scrambled_password(): wrapper for my_make_scrambled_password_sha1(). Produces hex text output.
my_make_scrambled_password(): something entirely different. Produces a non-hexified hash
pam_mysql's my_make_scrambled_password(): seems to mimic upstream's my_make_scrambled_password_sha1()

Bottom line, using upstream's my_make_scrambled_password() with a 42 byte buffer will lead to buffer overflows since it is not the same as my_make_scrambled_password_sha1() or the one reimplemented in pam_mysql.c. Upstream's my_make_scrambled_password() takes a CRYPT_MAX_PASSWORD_SIZE len buffer and does not produce the same type of value that is stored in the table when the PASSWORD() SQL function is used.

I think upstream is nowadays just not exporting the correct function. They should probably export make_scrambled_password() which maps to my_make_scrambled_password_sha1(), but it's messy now. I added a comment to #80974

For pam_mysql, I suggest using make_scrambled_password() from mysqlclient if it exists, and if not, reimplementing it as you are doing now, but under the name make_scrambled_password.

Last but not least, even if it weren't for the overflow problem, the authentication will never work because the output of my_make_scrambled_password() will never match the hexified hash stored on the server.
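To make the distinction in this report concrete, here is an added Python example (not pam_mysql's or MySQL's own code) of the PASSWORD()-compatible format that pam_mysql's local function has to reproduce: '*' followed by the 40 upper-case hex digits of SHA1(SHA1(password)), i.e. 41 characters plus a C NUL terminator, which is where the 42-byte buffer comes from. The function names and the sample password are this example's own.

```python
"""Added example: MySQL PASSWORD()/mysql_native_password scramble format,
as reproduced by pam_mysql's local my_make_scrambled_password(). Not the
project's own code; function names are this example's own."""
import hashlib
import hmac

# 41 visible characters: '*' followed by 40 hex digits (20-byte SHA1 as hex).
# A C caller needs 41 + 1 (NUL) = 42 bytes: the buffer size in the report.
SCRAMBLED_PASSWORD_CHAR_LENGTH = 41
SCRAMBLE_BUFFER_SIZE = SCRAMBLED_PASSWORD_CHAR_LENGTH + 1


def mysql_native_scramble(password: str) -> str:
    """Text form written by PASSWORD(): '*' + upper-case hex of SHA1(SHA1(pw)).
    This is what make_scrambled_password()/my_make_scrambled_password_sha1()
    produce and what the column in the table contains."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    return "*" + stage2.hex().upper()


def raw_double_sha1(password: str) -> bytes:
    """The same two SHA1 rounds left as a 20-byte binary digest (a
    'non-hexified' output). Useful to show why a binary digest can never
    compare equal to the 41-character text stored by PASSWORD()."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return hashlib.sha1(stage1).digest()


def raw_digest_matches_column(candidate: str, stored: str) -> bool:
    """Naive comparison of a raw digest against the stored text column.
    Always False: 20 binary bytes vs. a 41-character hex string."""
    return raw_double_sha1(candidate) == stored.encode("utf-8")


def check_native_password(candidate: str, stored: str) -> bool:
    """Verify a candidate password against a PASSWORD()-style column value.
    Rejects malformed stored values up front and compares in constant time;
    hex case is normalised because MySQL stores upper case but a hand-edited
    row may not."""
    if len(stored) != SCRAMBLED_PASSWORD_CHAR_LENGTH or not stored.startswith("*"):
        return False
    expected = mysql_native_scramble(candidate)
    return hmac.compare_digest(expected, stored.upper())


if __name__ == "__main__":
    # Constructed sample: the well-known hash of the string 'password'.
    stored_row = "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"
    print("scramble        :", mysql_native_scramble("password"))
    print("raw digest (hex):", raw_double_sha1("password").hex())
    print("text check      :", check_native_password("password", stored_row))
    print("raw-vs-column   :", raw_digest_matches_column("password", stored_row))
```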

Support for secure Apache compatible password encryption

It would be very helpful to have at least one password encryption algorithm within pam-MySQL which is (very) secure and Apache compatible.

If I compare the password encryption algorithms between Apache (mod_authn_dbd):
plain text, MD5 (salted, Apache variant), SHA1 (not salted), CRYPT, bcrypt
and pam-MySQL:
crypt (plain text), crypt, MD5 (not salted), SHA1 (not salted), Drupal7 (salted), use_323_passwd, MySQL
there are no highly secure algorithms in common. SHA1 without salt seems to be the most secure algorithm both support, but SHA1 is not very secure.

Debian/Jessie error: possibly undefined macro: AC_MSG_ERROR

Hello, I tried to compile the module under Debian Jessie. See the compile commands and error below.

I probably forgot to install something, but I still need your help with it.

apt-get install -y autoconf automake build-essential libmysqlclient-dev libpam-dev libssl-dev
autoreconf -f -i
configure.ac:26: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:45: error: possibly undefined macro: AS_IF
configure.ac:47: error: possibly undefined macro: AC_DEFINE
autoreconf: /usr/bin/autoconf failed with exit status: 1

Feature: Don't try_first_pass when password undefined

Hi there,
this is a feature request:

When pam_mysql is the first module in a chain it always checks an unset password first, because try_first_pass is enabled by default. Disabling this speeds up things quite a bit.

Isn't there a way to detect if it's the first module or if the password never has been set (NULL instead of an empty string)?
IMHO it would be a nice feature to skip try_first_pass in such situations.

I'm not familiar with PAM internals, so I can't tell if this would be possible at all.

Cheers!

Can't build on CentOS 7

OS: CentOS 7
This is the error I get when trying to run ./configure --with-pam=/usr/include/security/ --with-pam-mods-dir=/usr/lib64/security/

configure: error: Cannot find pam headers. Please check if your system is ready for pam module development.

Here is a list of my pam headers:
ls -la /usr/include/security/
total 84
drwxr-xr-x. 2 root root 4096 Aug 11 17:02 .
drwxr-xr-x. 45 root root 8192 Aug 14 12:05 ..
-rw-r--r--. 1 root root 3297 Nov 5 2016 pam_appl.h
-rw-r--r--. 1 root root 7239 Nov 5 2016 pam_client.h
-rw-r--r--. 1 root root 2972 Nov 5 2016 _pam_compat.h
-rw-r--r--. 1 root root 3631 Nov 5 2016 pam_ext.h
-rw-r--r--. 1 root root 1089 Nov 5 2016 pam_filter.h
-rw-r--r--. 1 root root 6109 Nov 5 2016 _pam_macros.h
-rw-r--r--. 1 root root 1526 Nov 5 2016 pam_misc.h
-rw-r--r--. 1 root root 6432 Nov 5 2016 pam_modules.h
-rw-r--r--. 1 root root 4745 Nov 5 2016 pam_modutil.h
-rw-r--r--. 1 root root 12904 Nov 5 2016 _pam_types.h

I have installed the pam-devel package with yum, and it is installed along with several other devel packages needed to build this.

compat_make_scrambled_password_323 error

Getting this error while compiling

pam_mysql.c: In function 'pam_mysql_check_passwd':
pam_mysql.c:3766:37: warning: implicit declaration of function 'compat_make_scrambled_password_323'; did you mean 'make_scrambled_password_323'? [-Wimplicit-function-declaration]
 3766 |                                     compat_make_scrambled_password_323(buf, passwd);
      |                                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                     make_scrambled_password_323

and then this error when trying to run it

PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: compat_make_scrambled_password_323

undefined symbol: pam_set_data

When using the latest stable, v0.8.0, I get
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: pam_set_data
when trying to authenticate the openvpn connection.

I noticed a commit, "Link the module with the PAM library", commit 6d5d20b..
I used this commit instead of latest stable and now it is working.

To summarise: I can't use the latest commit since I get undefined symbols for SHA1Init or SHA1Final (previous issue I submitted), and I can't use the latest stable since I get undefined symbol: pam_set_data.

Thank you very much for the very good commit message! I would never have found this otherwise! :)
