This patched version of pam-mysql (based on version
0.47) allows arbitrary queries to be used into which the
username and passwords are substituted.
For example, one of my pam.d files is as follows:
auth required pam_mysql.so user=passwd_query passwd=password db=my_db [query=select user_name from internet_service where user_name='%u' and password=MD5('%p') and service='web_proxy']
account required pam_mysql.so user=passwd_query passwd=password db=my_db [query=select user_name from internet_service where user_name='%u' and password=MD5('%p') and service='web_proxy']
Surprisingly, a lot of cruft pertaining to the password
hashing algorithms is removed by implementing this
method of generating the query.
replacement pam_mysql.c file that implements flexible queries
Logged In: YES
user_id=995831
Will be supported in 0.7.
Logged In: YES
user_id=447183
Originator: YES
Note that sending the password in plain text to the database might be a bad idea if, for example, query logging is enabled. It would be good if it is still possible to hash the password prior to preparing the query so that the query doesn't need to contain the password in plain text.
This would be a great feature, I'm looking forward to seeing it in pam_mysql. In many cases you cannot change how passwords are stored in the DB (multiple hashes and salts, e.g. in MediaWiki).
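The concern raised above about query logging, as an added example that is not code from the patch or from pam_mysql: it expands the `%u`/`%p` template from the original post once with the plaintext password and once with the password hashed before substitution, and checks which statement text would expose the password in a query log. The helper names, the `PREHASHED` template and the sample credentials are assumptions made for illustration, as is unsalted MD5 hex over UTF-8 as the stored format.

```python
import hashlib

# Query from the original post: the database hashes, so %p carries plaintext.
LEGACY = ("select user_name from internet_service where user_name='%u' "
          "and password=MD5('%p') and service='web_proxy'")
# Assumed variant: the client hashes first, so MD5() is dropped from the SQL.
PREHASHED = ("select user_name from internet_service where user_name='%u' "
             "and password='%p' and service='web_proxy'")


def sql_quote(value):
    """Simplified escaping for a single-quoted MySQL literal. A C module
    would call mysql_real_escape_string() on the live connection instead."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand(template, user, password, prehash):
    """Hypothetical helper: fill %u and %p in one left-to-right pass, so a
    substituted value that itself contains '%p' is never expanded again."""
    if prehash:
        # Assumes stored hashes are MD5 over the UTF-8 bytes of the password.
        password = hashlib.md5(password.encode("utf-8")).hexdigest()
    values = {"%u": sql_quote(user), "%p": sql_quote(password)}
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        if token in values:
            out.append(values[token])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def query_log_leaks(query, password):
    """True if the statement text, as a query log would record it,
    contains the plaintext password."""
    return password in query


if __name__ == "__main__":
    # Constructed sample credentials.
    for name, tpl, pre in (("legacy", LEGACY, False), ("prehashed", PREHASHED, True)):
        q = expand(tpl, "alice", "hello", pre)
        print(name, "leaks plaintext:", query_log_leaks(q, "hello"))
        print("  ", q)
```

Pre-hashing keeps the plaintext out of the statement text only; the digest that appears in the log is still the value the database compares against.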