Wed, 28 Sep 2005

FAQ

From the package documentation:

  1. What on earth is PAM anyway?
  2. Are there any tools for changing passwords etc. that are in PAM-MySQL?
  3. I need to retrieve misc. UNIX user information such as one's home directory coming from MySQL. Can pam-mysql do this?
  4. How can I quickly tell in which way a given password is encrypted, PASSWORD(), CRYPT()-ed, or md5()?
  5. I set up saslauthd (of Cyrus-SASL) to use PAM-MySQL for authentication and noticed some authentication mechanisms such as CRAM-MD5 don't work. Why?
  6. PAM-MySQL is licensed under GNU Public License and I heard that GPL requires the program that links to a GPL'ed shared binary object at runtime also being covered by GPL. Is it safe to use PAM-MYSQL from a program with a license that is incompatible with GPL?
  7. I was able to build PAM-MySQL without problems, but MD5 doesn't work. Why?
  8. I could not build pam-mysql on Solaris with the official MySQL binary package. How can I fix this?

  • Q. What on earth is PAM anyway?

    A. PAM is an acronym for Pluggable Authentication Modules. See http://www.kernel.org/pub/linux/libs/pam/whatispam.html for further information.

  • Q. Are there any tools for changing passwords etc.? Are they included in PAM-MySQL? (2005-06-15 updated!)

    A. You can use the "passwd" program for that purpose. Note that pam-mysql doesn't permit password changes without the root privilege (pid=0).

  • Q. I need to retrieve misc. UNIX user information such as one's home directory coming from MySQL. Can pam-mysql do this?

    A. No. As the name suggests, PAM is only involved in authentication that in principle has little to do with the account database itself. You need to use the nss-mysql module, which can be retrieved from here: http://savannah.nongnu.org/projects/nss-mysql

  • Q. How can I quickly tell in which way a given password is encrypted, PASSWORD(), CRYPT()-ed, or md5()?

    A. Try using the following MySQL functions: ENCRYPT(), PASSWORD() and md5(), and compare the results with each other.

      SELECT ENCRYPT('mypass'), PASSWORD('mypass'), MD5('mypass');
    
  • Q. I set up saslauthd (of Cyrus-SASL) to use PAM-MySQL for authentication and noticed some authentication mechanisms such as CRAM-MD5 don't work. Why?

    A. CRAM-MD5 and DIGEST-MD5 are challenge-response authentication mechanisms (indeed, CRAM is short for Challenge-Response Authentication Mechanism), so plain-text passwords have to be supplied to the instance that handles authentication communication with the user (that is, the SASL client library), rather than the authenticator (the server). Therefore, it is not possible to use PAM with these mechanisms; instead, you need to configure Cyrus-SASL with the "SQL" auxprop plugin with MySQL support and specify "auxprop" as the preferred password checking method.

    For instance, if you want to use it in conjunction with Postfix, the SASL configuration file "smtpd.conf", which is put in Cyrus-SASL's plugin directory (or the location included in the SASL_PATH environment variable), would look like the following:

    pwcheck_method: auxprop
    mech_list: plain login cram-md5 digest-md5
    sql_engine: mysql
    sql_database: sys
    sql_user: someuser
    sql_passwd: fubar
    sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';
    

    Note that passwords should be stored in plain-text in this case.

  • Q. PAM-MySQL is licensed under GNU Public License and I heard that GPL requires the program that links to a GPL'ed shared binary object at runtime also being covered by GPL. Is it safe to use PAM-MYSQL from a program with a license that is incompatible with GPL?

    A. Our thought regarding this issue is that runtime dynamic linking itself is not an action to make a derivative work of anything that ends up in the physical memory. No matter what GPL is like, and will be like, we exceptionally grant you a permanent and non-exclusive right to use a binary-formed derivative of PAM-MySQL in combination with any other programs.

  • Q. I was able to build PAM-MySQL without problems, but MD5 doesn't work. Why?

    A. You should have given the --with-openssl option to the configure script. Make sure the development package of OpenSSL is installed.

  • Q. I could not build pam-mysql on Solaris with the official MySQL binary package. How can I fix this?

    A. You apparently got a binary package built with the Forte C compiler, which requires a different set of command-line options than the compiler (most likely GCC) you are now trying to build pam_mysql with. There are two options to deal with this problem:

    • Get the Forte C compiler and build pam-mysql with it.

    • Build MySQL from the source with the same compiler as the one that should be used to build pam-mysql.
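
The CRAM-MD5 answer above, worked through in Python as an added example (not part of the PAM-MySQL documentation): the function names are hypothetical, and the user, secret and challenge are the sample exchange from RFC 2195. It shows the server recomputing the client's keyed digest from a plain-text stored password, and being unable to do so from an MD5() column.

```python
import hashlib
import hmac

# Sample exchange from RFC 2195, section 2 (user "tim").
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def _keyed_digest(key: bytes, challenge: str) -> str:
    # CRAM-MD5 digest: HMAC-MD5 keyed with the shared secret, over the challenge.
    return hmac.new(key, challenge.encode(), hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge: str) -> str:
    """What the client sends: user name plus HMAC-MD5(password, challenge).
    The password itself never crosses the wire, so there is nothing the
    server could hand to PAM for checking."""
    return f"{user} {_keyed_digest(password.encode(), challenge)}"


def verify_plaintext_store(stored_password: str, challenge: str, response: str) -> bool:
    """auxprop case: the server reads the plain-text password from the
    database and recomputes the digest itself."""
    _, _, digest = response.rpartition(" ")
    expected = _keyed_digest(stored_password.encode(), challenge)
    return hmac.compare_digest(expected, digest)


def verify_md5_store(stored_md5_hex: str, challenge: str, response: str) -> bool:
    """Hypothetical attempt with a table that stores MD5(password): the only
    key material available is the hash, which is a different HMAC key."""
    _, _, digest = response.rpartition(" ")
    candidates = (stored_md5_hex.encode(), bytes.fromhex(stored_md5_hex))
    return any(hmac.compare_digest(_keyed_digest(k, challenge), digest)
               for k in candidates)


if __name__ == "__main__":
    resp = client_response(USER, PASSWORD, CHALLENGE)
    print("client ->", resp)
    print("plain-text store verifies:", verify_plaintext_store(PASSWORD, CHALLENGE, resp))
    md5_col = hashlib.md5(PASSWORD.encode()).hexdigest()
    print("MD5 column verifies:", verify_md5_store(md5_col, CHALLENGE, resp))
```

On the wire both the challenge and the response are base64-encoded; that layer is omitted here because it does not affect the verification logic.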