Currently, this project doesn't support the use of certificates for a secure remote connection, as described in http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html
I modified the pam_mysql.c file from Debian Etch, the libpam-mysql v0.6.5, to support REQUIRE SSL connections, and REQUIRE X509 connections. I haven't tested the X509 part, but the SSL connections work for me.
Three new options were added:
ca=/path/name
cert=/path/name
key=/path/name
ca: pathname to the certificate authority file.
cert: pathname to the certificate file.
key: pathname to the key file.
ca is the certificate for enabling a REQUIRE SSL connection; cert and key are for a REQUIRE X509 connection.
I don't want to clog this thread with C code, or a diff, so I hosted the .tar.gz on http://www.ptraced.net/pam_mysql.tar.gz
This compressed tar includes the modified C file, from Debian Etch, and a diff file for patching. It also includes some brief documentation on how to use these new options. The code isn't perfect; it's a quick hack that I pulled over a weekend, and it just works for me. Input and improvements are welcome!