I've used pam_mysql till today, so I have a lot of users' passwords encoded with the PASSWORD() MySQL function [no text version]. Can I use PASSWORD instead of CRYPT?? How do I configure libnss-mysql to use PASSWORD()?
AFAIK you can't.
libnss-mysql only gets the password from the DB and passes it on to the requestor (most of the time that is pam_unix). pam_unix only supports crypt or md5 on most operating systems.
You will have to recrypt your passes or hack pam_unix.
All NSS libraries require the password to be returned in a format the OS can understand. In the case of Linux, that's either a DES or MD5 crypt. There's nothing I can do about that :-( That said, as long as the database schema you set up works with both libnss-mysql and pam_mysql, you can use pam_mysql in *conjunction* with libnss-mysql. libnss-mysql would then act not as an authentication mechanism, but as a naming source (e.g. provides user id/home directory/gecos/etc mapping).
I've not tried this myself yet.
I also want to put together my own pam_mysql module but haven't for various reasons.
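The format mismatch described in the replies above can be audited before switching password lookups to libnss-mysql. This is an added example, not code from libnss-mysql or pam_mysql: it classifies stored values as DES crypt, MD5 crypt, or MySQL PASSWORD() output by shape. The rows are constructed and assumed to come from the `user_name` and `password` columns named in the PAM configuration later in the thread.

```python
import re

# Formats a stored password column may hold. crypt(3), and therefore pam_unix,
# understands only the first two; PASSWORD() output is usable only via pam_mysql.
FORMATS = [
    ("md5-crypt", re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")),
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}")),
    ("mysql-password-4.1", re.compile(r"\*[0-9A-Fa-f]{40}")),  # MySQL 4.1 and later
    ("mysql-password-old", re.compile(r"[0-9A-Fa-f]{16}")),    # before MySQL 4.1
]
MYSQL_ONLY = {"mysql-password-4.1", "mysql-password-old"}


def classify(stored):
    """Name the format of one stored password value."""
    if stored == "":
        return "empty"  # no password set at all: review these accounts first
    for name, pattern in FORMATS:
        if pattern.fullmatch(stored):
            return name
    return "unknown"


def audit(rows):
    """Group user names by hash format. rows: (user_name, password) pairs."""
    report = {}
    for user, stored in rows:
        report.setdefault(classify(stored), []).append(user)
    return report


def needs_recrypt(report):
    """Users whose hash pam_unix cannot verify if libnss-mysql serves it."""
    return sorted(u for fmt in MYSQL_ONLY for u in report.get(fmt, []))


# Constructed sample rows (user_name, password); none is a real hash.
SAMPLE_ROWS = [
    ("alice", "$1$Sa1tSa1t$" + "abcdefghijklmnopqrstuv"),
    ("bob", "abCDEFGHIJKLM"),
    ("carol", "*" + "A1" * 20),
    ("dave", "0123456789abcdef"),
    ("erin", ""),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    for fmt, users in sorted(report.items()):
        print(f"{fmt:20} {', '.join(users)}")
    print("must be re-hashed for pam_unix:", needs_recrypt(report))
```

A hash cannot be converted from one format to the other, so the accounts this lists can only be moved to a crypt format when the user next supplies or resets the password.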
I can't use both :(
I reconfigured pop3 to use pam_mysql again and everything works fine. When I added mysql to nsswitch.conf pop stopped working. /etc/pam.d/pop contains only pam_mysql lines. So after successful authorization with pam_mysql the system tries to authorize with libnss but I don't know why.
Huh, odd. Can you give me details (versions) on your system so I can try to duplicate? OS, pop3 server, pam_mysql, etc ..
RH Enterprise Edition 3
pop3d from imap-2002d-2
latest pam_mysql 0.5 http://sourceforge.net/project/showfiles.php?group_id=5741
config of /etc/pam/pop
auth required /lib/security/pam_mysql.so sqllog=0 user=nss-shadow passwd=*** host=localhost db=sysadmin table=user usercolumn=user_name passwdcolumn=password crypt=2 where=status=1
account required /lib/security/pam_mysql.so sqllog=0 user=nss-shadow passwd=*** host=localhost db=sysadmin table=user usercolumn=user_name passwdcolumn=password crypt=2 where=status=1
Second problem is with users which exist in mysql and passwd. Correct me if I'm wrong but when password from /etc/passwd doesn't match then authentication stops? (or try to authenticate with mysql)
OK I'm trying to reproduce this.. I don't have RHEL 3 so I'm testing on RHL 8.0 .. what's messed up is I can't get ipop3d to even *initiate* pam (no debug output in my /var/log/maillog) unless 'mysql' *is* specified in /etc/nsswitch.conf. Authentication fails, but I'd like to get to the point where auth doesn't fail using ONLY pam.. which I can't seem to do :-( I'll have to work on this some more ...
try /etc/pam.d/pop3 or pop-3
I remember that in RH 6.2 I used /etc/pam.d/pop3
If you use ipop3d from source you should compile with pam
*nod*
I tried as many variations as I could :-)
lrwxrwxrwx 1 root root 3 Mar 27 10:02 ipop3d -> pop
-rw-r--r-- 1 root root 175 Mar 27 00:27 pop
lrwxrwxrwx 1 root root 3 Mar 27 10:02 pop3 -> pop
lrwxrwxrwx 1 root root 3 Mar 27 10:01 pop-3 -> pop
lrwxrwxrwx 1 root root 3 Mar 27 10:02 pop3d -> pop
It also doesn't explain why the pam module DOES get called when nsswitch points at mysql.
I've even tried adding the auth line to 'other' and 'system-auth' just in case.. no dice. There must be something wrong with my installation of wu-imap ... (I compiled it with 'make lnp' SSLTYPE=none)
try lrh
I remember that I had some problems too
lrh didn't work at all.. did you compile from source or are you using a RHEL 3.0 RPM?
both
I sent you a link to compiled version of ipop3d with PAM. Works ok on RHEL and RH9
OK here we go. After a few offline emails, I think I've got it...
I've got my system with libnss-mysql and pam_mysql working great. The head-scratching was not realizing the user needs to exist *somewhere* as a full user with uid/homedir/etc (e.g. /etc/passwd or in MySQL with libnss-mysql). SO, now at this point, I'm not sure why YOURS won't co-exist. We'll have to continue tackling that one. If you have PAM set up for MySQL *and* nsswitch set up for MySQL, (and pam_mysql compiled in debug mode), what debug messages do you get when you try to log in? I'd like to know if pam_mysql's getting called and what its return value is.
You had another question:
Second problem is with users which exist in mysql and passwd. Correct me if I'm wrong but when password from /etc/passwd doesn't match then authentication stops? (or try to authenticate with mysql)
--- It depends on how you set up nsswitch.conf. It's far too complex for me to get into here, so take a peek at this url:
http://www.gnu.org/software/libc/manual/html_node/NSS-Configuration-File.html#NSS%20Configuration%20File
Note, however, that this does NOT affect PAM. If you keep PAM set up the way you have it now, it won't matter if you have a user defined in both places (from a password point of view. If the two sources have different UIDs for the user, one will override the other).
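To make the last reply's point about duplicate users concrete, the following added example (not part of the thread, and a simplified model rather than glibc's own code) walks an `nsswitch.conf` `passwd:` line the way the linked NSS manual describes and shows which source answers for a user. The user names, UIDs and passwd lines are constructed; it covers name lookup only, not PAM authentication.

```python
import re

# glibc's default reaction to each lookup status (see the NSS manual linked above).
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}


def parse_chain(line):
    """Parse one nsswitch.conf line into [(service, actions)]. Negated items ([!X=..]) are not handled."""
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", line.partition(":")[2]):
        if token.startswith("["):
            # [STATUS=action] items modify the service that precedes them.
            for item in token.strip("[]").split():
                status, _, action = item.lower().partition("=")
                chain[-1][1][status] = action
        else:
            chain.append((token, dict(DEFAULTS)))
    return chain


def load(passwd_lines):
    """Map user name -> uid from passwd-format lines."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in passwd_lines)}


def resolve(line, sources, user):
    """Return (service, uid) as the lookup chain would answer, or (service, None)."""
    for service, actions in parse_chain(line):
        entries = sources.get(service)
        if entries is None:
            status = "unavail"
        else:
            status = "success" if user in entries else "notfound"
        if actions[status] == "return":
            return service, (entries or {}).get(user)
    return None, None


# Constructed sample data: "jan" exists in both sources with different UIDs.
SOURCES = {
    "files": load(["root:x:0:0:root:/root:/bin/bash", "jan:x:500:500::/home/jan:/bin/bash"]),
    "mysql": load(["jan:x:5000:5000::/home/jan:/bin/bash", "ola:x:5001:5001::/home/ola:/bin/bash"]),
}

if __name__ == "__main__":
    for line in ("passwd: files mysql", "passwd: mysql files",
                 "passwd: files [NOTFOUND=return] mysql"):
        print(line, "->", {u: resolve(line, SOURCES, u) for u in ("jan", "ola")})
```

With the default actions the first listed source that knows the user supplies the UID, and `[NOTFOUND=return]` after `files` hides users that exist only in MySQL.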