From: Yann V. <ya...@in...> - 2002-06-27 07:10:02
On Wed, 26 Jun 2002 13:07:04 -0700 "Jefferson Cowart" <je...@co...> wrote: > The major issue that I foresee in doing this is that users that are > stored in /etc/passwd (root for example) will be unable to login as > they won't have that flag in the mysql db as they don't exist there. No problem. Just use "sufficient" rather than "required" in the account and auth lines in your PAM configuration. That lets you log on when either allows it. I just got pam_mysql to work on our server, which uses MD5 hashes (not md5 crypt). Here's a patch to make this work with OpenSSL, not just FreeBSD:
Index: Makefile
===================================================================
RCS file: /cvsroot/pam-mysql/pam_mysql/Makefile,v
retrieving revision 1.1
diff -u -r1.1 Makefile
--- Makefile 12 Oct 2000 18:52:27 -0000 1.1
+++ Makefile 27 Jun 2002 07:06:33 -0000
@@ -7,7 +7,8 @@
 -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
 -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
 -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
- -Wshadow -pedantic -fPIC
+ -Wshadow -pedantic -fPIC -DHAVE_OPENSSL
+export LDLIBS=-lcrypto
 export MKDIR=mkdir -p
 export LD_D=gcc -shared -Xlinker -x -L/usr/lib/mysql
 endif
Index: pam_mysql.c
===================================================================
RCS file: /cvsroot/pam-mysql/pam_mysql/pam_mysql.c,v
retrieving revision 1.10
diff -u -r1.10 pam_mysql.c
--- pam_mysql.c 19 Feb 2001 16:07:50 -0000 1.10
+++ pam_mysql.c 27 Jun 2002 07:06:33 -0000
@@ -25,6 +25,10 @@
 */
 #ifdef HAVE_MD5DATA
 #include <md5.h>
+#else
+#ifdef HAVE_OPENSSL
+#include <openssl/md5.h>
+#endif
 #endif
 
 #include <mysql/mysql.h>
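Review bot: The `#else` / `#ifdef HAVE_OPENSSL` / `#endif` nesting added after `#include <md5.h>` opens two preprocessor levels where one would do; `#elif defined(HAVE_OPENSSL)` expresses the same alternative on one line and matches the `defined()` form the -688 hunk of pam_mysql.c already uses. The same nesting is repeated in the -365 and -524 hunks, so the change would apply to all three places. If the file's existing preprocessor style is deliberately `#ifdef`-only, this is cosmetic and can be ignored.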
@@ -101,6 +105,21 @@
 const char *newpass, int isRoot );
 int breakArgs( const char *in, char **lhs, char **rhs );
 
+#ifdef HAVE_OPENSSL
+void hexify(unsigned char *data, int len)
+{
+ int i=len*2;
+ unsigned char b;
+
+ data[i]=0;
+ do {
+ b=data[--i>>1];
+ b=((i&1)?b:b>>4)&0xf;
+ data[i]=b>9?'a'-10+b:'0'+b;
+ } while(i);
+}
+#endif
+
 /* breakArgs() breaks up a long string argument into its component chunks, accounting for escape chars and quoted strings as PAM doesn't (yet). It also looks for name-value pairs, so it probably still won't go away
@@ -365,6 +384,12 @@
 if (md5buf != NULL)
 free(md5buf);
 break;
+#else
+#ifdef HAVE_OPENSSL
+ case 3: MD5(passwd, strlen(passwd), encryptedPass);
+ hexify(encryptedPass,MD5_DIGEST_LENGTH);
+ break;
+#endif
 #endif /* HAVE_MD5DATA */
 }
 
@@ -524,6 +549,15 @@
 md5buf = NULL;
 }
 break;
+#else
+#ifdef HAVE_OPENSSL
+ case 3:
+ encNew = malloc(MD5_DIGEST_LENGTH*2+1);
+ encNew[MD5_DIGEST_LENGTH*2]=0;
+ MD5(newpass, strlen(newpass), encNew);
+ hexify(encNew,MD5_DIGEST_LENGTH);
+ break;
+#endif
 #endif
 default:
 encNew = malloc(sizeof('\0'));
@@ -688,7 +722,7 @@
 } else if ((!strcmp(myval, "2")) || (!strcasecmp(myval, "mysql"))) {
 options.crypt = 2;
-#ifdef HAVE_MD5DATA
+#if defined(HAVE_MD5DATA) || defined(HAVE_OPENSSL)
 } else if ((!strcmp(myval, "3")) || (!strcasecmp(myval, "MD5"))) {
 options.crypt = 3;
|
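Review bot: hexify() is added with no prototype and no `static`, while the Makefile in this same patch compiles with `-Wmissing-prototypes`, so every build will warn on it; `static void hexify(unsigned char *data, int len)` keeps it file-local and silences that. Its buffer contract is also undocumented: it writes `data[0]` through `data[2*len]` in place, so the caller must supply at least `2*len+1` bytes — the -524 hunk allocates exactly `MD5_DIGEST_LENGTH*2+1`, but the -365 hunk passes `encryptedPass`, whose declaration is outside the hunk, so its size needs confirming against that bound. A header comment such as `/* Expand len raw bytes in data, in place, to 2*len lowercase hex digits plus a NUL; data must hold at least 2*len+1 bytes. */` would make the requirement visible at both call sites. The in-place expansion itself is sound as written, because iteration i reads `data[i>>1]` before writing `data[i]` and every later iteration reads an index below i.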
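Review bot: In the -524 hunk the `malloc(MD5_DIGEST_LENGTH*2+1)` result is used unchecked, so an allocation failure dereferences NULL at `encNew[MD5_DIGEST_LENGTH*2]=0` before MD5() is reached. The enclosing function starts and ends outside the hunk; if it returns PAM status codes like the rest of the module, `if (encNew == NULL) return PAM_BUF_ERR;` directly after the malloc is the conventional guard, otherwise it should fail in whatever way the rest of the function handles a NULL `encNew`. The explicit `encNew[MD5_DIGEST_LENGTH*2]=0;` is redundant, since hexify() stores the terminator itself at `data[len*2]`, and can be dropped once the NULL check is in. If `encNew` is declared `char *` (its declaration is not in the hunk), the MD5() and hexify() calls pass it where `unsigned char *` is expected and should carry an explicit cast.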