PAM-MySQL

The new release includes enhancements mostly, and several bug fixes.

ChangeLog:

• Add a option "disconnect_every_op" option that forces pam_mysql to disconnect from the database every time a PAM operation is performed (PR #1325395).

• Use geteuid() instead of getuid() to check if the current user is uthorized to change the password (PR #1338667).

• Allow root (uid=0) to change the passwords of other users (PR #1338672).

You can download either one from the following URL:

• pam_mysql-0.7RC1.tar.gz

From the package documentation:

1. What on earth is PAM anyway?
2. Are there any tools for changing passwords etc. that are in PAM-MySQL?
3. I need to retrieve misc. UNIX user information such as one's home directory coming from MySQL. Can pam-mysql do this?
4. How can I quickly tell in which way a given password is encrypted, PASSWORD(), CRYPT()-ed, or md5()?
5. I set up saslauthd (of Cyrus-SASL) to use PAM-MySQL for authentication and noticed some authentication mechanisms such as CRAM-MD5 don't work. Why?
6. PAM-MySQL is licensed under GNU Public License and I heard that GPL requires the program that links to a GPL'ed shared binary object at runtime also being covered by GPL. Is it safe to use PAM-MYSQL from a program with a license that is incompatible with GPL?
7. I was able to build PAM-MySQL without problems, but MD5 doesn't work. Why?
8. I could not build pam-mysql on Solaris with the official MySQL binary package. How can I fix this?

See more ...

The new releases include some crucial security fixes and the users are strongly urged to upgrade their installation.

Addressed security concerns:

• Possible segmentation fault in the SQL logging facility, which can cause Denial-of-Service (DoS).

• Flaws in the authentication and authentication token alteration code where incorrect treatment of the pointer returned by pam_get_item() were spotted. They can most likely induce DoS or possibly lead to more severe problems.

ChangeLog:

• Changed handling of the "where" option to not escape meta characters (PR #1261484). (0.7pre3)

• Overhauled the SQL logging facility (PR #1256243). (0.6.2, 0.7pre3)

• Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. (0.7pre3)

• Fixed possible security flaw (0.7pre3)

• Fixed memory leaks spotted when "config_file" option is used. (0.7pre3)

• Fixed try_first_pass behaviour. (0.7pre3) ,

• Changed option parsing behaviour so "=" following each option name is not needed. (0.7pre3)

You can download either one from the following URL:

• pam_mysql-0.6.2.tar.gz

• pam_mysql-0.7pre3.tar.gz

pam-mysql 0.6.1 and 0.7pre2 are finally released. I would thank all the people who supported the project through bug reports, suggestions, etc..

New features:

• SHA1 hash support. (0.7pre2)

• Added "use_first_pass" and "try_first_pass" options to conform with the PAM convensions. (0.7pre2)

• Added "use_323_passwd" option allows you to use an encryption function used in the old MySQL versions (3.23.x). (0.6.1, 0.7pre2)

Changes:

• Changed column name handling to not escape meta characters to allow an expression in every XXXcolumn variable like "CONCAT(a, b, c)". (0.7pre2)

• Fixed account management code that wouldn't work at all :-p (0.6.1, 0.7pre2)

• Included pam_mysql.spec to the tarball by default. This enables you to make a RPM with the following oneliner. (0.6.1, 0.7pre2)

  rpmbuild -tb pam_mysql.tar.gz

• Fixed compile failure that occurs with the old mysql_config (< 4.0.16). (0.6.1, 0.7pre2)

• Fixed compile failure on Solaris when --with-openssl is specified to the configure script. (0.6.1, 0.7pre2)

A user reported that configure did't work spewing the following error during config.status:

config.status: creating Makefile
sed: file .../subs-2.sed line 39: unterminated `s' command
config.status: creating config.h
config.status: executing default-1 commands

This happens when you use any old version (< 4.0.16) of MySQL. Although this is a bug and to be addressed in the next release, consider updating your MySQL installation.

There are some errors found in the documentation bundled in the yesterday releases. This by no means indicates any implementation bug.

1. README: add a description for the "md5" option, which makes pam_mysql use MD5 crypt with the "crypt" option set to "Y".

2. README (0.7 only): in the description of the "config_file" option, "users.use_md5" directive is wrongly explained that its counterpart is "where" option. That is actually the "md5" option and "users.where_clause" is the correct directive that has "where" as its counterpart.

From the package documentation

See more ...

Until some up-to-date document is ready, we provide several old documents for reference.

See more ...

From the package documentation:

See more ...

After days of silence since the last release, we're finally back!

The upcoming release, version 0.6, features the cool hybrid of contributions by many people and tons of bug fixes. The complete list of the changes is as follows:

• Adopted autoconf / automake for build system. (moriyoshi)
• Portable MD5 support by using OpenSSL / Cyrus-SASL. (moriyoshi)
• MySQL library detection. (moriyoshi)
• Added RPM spec file. (moriyoshi)
• Tidied up the entire code for security and maintainability. (moriyoshi)
• Modified log output to be more verbose. (moriyoshi)
• Changed log facility type to LOG_AUTHPRIV as per the recommendation in the PAM documentation. Falls back to LOG_AUTH on the platform that lacks it. (moriyoshi)
• Added support for unix socket and non-default ports. (moriyoshi)
• Added account management and authentication token alteration code. moriyoshi)
• Remove default values for string parameters for the sake of performance. moriyoshi)
• Enhanced SQL logging function to log session state as well. (moriyoshi)
• Solaris support. (moriyoshi)

We would thank all the people who helped us to get it out the door.

Moriyoshi