Re: [Pam-mysql-general] NSS-MySQL and Pam-MySQL

[Yann V. <ya...@in...>]

On Wed, 26 Jun 2002 13:07:04 -0700
"Jefferson Cowart" <je...@co...> wrote:

> The major issue that I foresee in doing this is that users that are
> stored in /etc/passwd (root for example) will be unable to login as
> they won't have that flag in the mysql db as they don't exist there.

No problem. Just use "sufficient" rather than "required" in the account
and auth lines in your PAM configuration. That lets you log on when
either allows it.

I just got pam_mysql to work on our server, which uses MD5 hashes (not
md5 crypt). Here's a patch to make this work with OpenSSL, not just
FreeBSD:

Index: Makefile
===================================================================
RCS file: /cvsroot/pam-mysql/pam_mysql/Makefile,v
retrieving revision 1.1
diff -u -r1.1 Makefile
--- Makefile    12 Oct 2000 18:52:27 -0000      1.1
+++ Makefile    27 Jun 2002 07:06:33 -0000
@@ -7,7 +7,8 @@
        -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
        -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
        -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs
-Winline \
-       -Wshadow -pedantic -fPIC
+       -Wshadow -pedantic -fPIC -DHAVE_OPENSSL
+export LDLIBS=-lcrypto
 export MKDIR=mkdir -p
 export LD_D=gcc -shared -Xlinker -x -L/usr/lib/mysql
 endif
Index: pam_mysql.c
===================================================================
RCS file: /cvsroot/pam-mysql/pam_mysql/pam_mysql.c,v
retrieving revision 1.10
diff -u -r1.10 pam_mysql.c
--- pam_mysql.c 19 Feb 2001 16:07:50 -0000      1.10
+++ pam_mysql.c 27 Jun 2002 07:06:33 -0000
@@ -25,6 +25,10 @@
  */
 #ifdef HAVE_MD5DATA
 #include <md5.h>
+#else
+#ifdef HAVE_OPENSSL
+#include <openssl/md5.h>
+#endif
 #endif
 
 #include <mysql/mysql.h>
@@ -101,6 +105,21 @@
        const char *newpass, int isRoot );
 int breakArgs( const char *in, char **lhs, char **rhs );
 
+#ifdef HAVE_OPENSSL
+void hexify(unsigned char *data, int len)
+{
+       int i=len*2;
+       unsigned char b;
+
+       data[i]=0;
+       do {
+               b=data[--i>>1];
+               b=((i&1)?b:b>>4)&0xf;
+               data[i]=b>9?'a'-10+b:'0'+b;
+       } while(i);
+}
+#endif
+
 /* breakArgs() breaks up a long string argument into its component
chunks,
    accounting for escape chars and quoted strings as PAM doesn't (yet).
    It also looks for name-value pairs, so it probably still won't go
away
@@ -365,6 +384,12 @@
                        if (md5buf != NULL)
                                free(md5buf);
                        break;
+#else
+#ifdef HAVE_OPENSSL
+               case 3: MD5(passwd, strlen(passwd), encryptedPass);
+                       hexify(encryptedPass,MD5_DIGEST_LENGTH);
+                       break;
+#endif
 #endif /* HAVE_MD5DATA */
        }
 
@@ -524,6 +549,15 @@
                                md5buf = NULL;
                        }
                break;
+#else
+#ifdef HAVE_OPENSSL
+               case 3:
+                       encNew = malloc(MD5_DIGEST_LENGTH*2+1);
+                       encNew[MD5_DIGEST_LENGTH*2]=0;
+                       MD5(newpass, strlen(newpass), encNew);
+                       hexify(encNew,MD5_DIGEST_LENGTH);
+               break;
+#endif
 #endif
                default:
                        encNew = malloc(sizeof('\0'));
@@ -688,7 +722,7 @@
                                } else if ((!strcmp(myval, "2")) ||
                                        (!strcasecmp(myval, "mysql"))) {
                                                options.crypt = 2;
-#ifdef HAVE_MD5DATA
+#if defined(HAVE_MD5DATA) || defined(HAVE_OPENSSL)
                                } else if ((!strcmp(myval, "3")) ||
                                        (!strcasecmp(myval, "MD5"))) {
                                                options.crypt = 3;