Re: [Pam-mysql-general] [Patch][pam_mysql] HTTP Digest style hashes for pam_mysql

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Devendra,

Thanks for the contribution. The list is alive, but I had been away for
more than a couple of years due to kind of hard times in my jobs :)

Patch looks fine except the part using strcat(). As we should've already
known the lengths of the strings to concatenate up to there, so memcpy()
will suffice.

By the way, I've been convinced by a number of people for years that
some flexible querying mechanism should be implmented so that one can
send a SQL like

SELECT * FROM user WHERE cred=MD5("%u::%p")

But this also allows users to easily shoot their own foot off. Regarding
the example above, hashing of the credentials is performed on the MySQL
side and this might be insecure unless safe connection is established
between pam_mysql and the MySQL server through SSL or something like
that. That's especially why I hesitate to enable this in the next release.

Regards,
Moriyoshi

Devendra Gera wrote:
> Hi,
> We at Chaupaati wanted a trac deployment and pam_mysql seemed to provide
> a glue which would enable to share auth information with other
> components like shhd and openvpn.
> 
> The problem was that the AccountManager plugin for Trac uses HTTP Digest
> style hashes, which is base64(MD5("username::password")), since the
> realm is empty. pam_mysql - as you surely know does not hash passwords
> that way. So I wrote a patch based on 0.7RC1 downloaded from
> sourceforge.
> 
> I know it might not be terribly useful unless you're using Apache or the
> AccountManager plugin with Trac, but it was useful for us and it might
> be useful for others.
> 
> Please let me know if the patch is not well formed, or does not confirm
> to your style. I'd be happy to change any of that, or add more
> configuration options (like realm - _that_ will make it more useful!).
> 
> Please consider it as a first draft.
> 
> Btw, I looked for the pam_mysql mailing list but the last real message
> on it was more than a year ago. All you get there today is spam.
> 
> Thanks,
> 
> --gera.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIzqHnn2kh0Fq4e48RAmxpAJwIaIs3T8WG9BgiYgffzU6a93mlkACgjhks
W8LNmRMo4msU7IfWdFsY3h4=
=1IWS
-----END PGP SIGNATURE-----