Mon, 09 Jan 2006

pam-mysql 0.7RC1 is released.

The new release consists mostly of enhancements, plus several bug fixes.

ChangeLog:

  • Added a "disconnect_every_op" option that forces pam_mysql to disconnect from the database every time a PAM operation is performed (PR #1325395).

  • Use geteuid() instead of getuid() to check whether the current user is authorized to change the password (PR #1338667). The two differ when the module runs inside a setuid-root program such as passwd: getuid() returns the real uid of the invoking user, while geteuid() returns 0.

  • Allow root (uid=0) to change the passwords of other users (PR #1338672).

You can download it from the following URL:

Wed, 28 Sep 2005

pam-mysql 0.6.2 and 0.7pre3 are released.

The new releases include some crucial security fixes, and users are strongly urged to upgrade their installations.

Addressed security concerns:

  • A possible segmentation fault in the SQL logging facility, which can be used to cause a denial of service (DoS).

  • Flaws in the authentication and authentication-token alteration (password change) code, where the pointer returned by pam_get_item() was handled incorrectly. These can most likely be used to induce a DoS and possibly lead to more severe problems.

ChangeLog:

  • Changed handling of the "where" option to not escape meta characters (PR #1261484). The value is now placed into the query verbatim, so it must come only from the trusted configuration. (0.7pre3)

  • Overhauled the SQL logging facility (PR #1256243). (0.6.2, 0.7pre3)

  • Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. (0.7pre3)

  • Fixed a possible security flaw. (0.7pre3)

  • Fixed memory leaks spotted when "config_file" option is used. (0.7pre3)

  • Fixed try_first_pass behaviour. (0.7pre3)

  • Changed option parsing so that the "=" after each option name is no longer required. (0.7pre3)

You can download either one from the following URL:

Sun, 18 Sep 2005

pam-mysql 0.6.1 and 0.7pre2 are released.

pam-mysql 0.6.1 and 0.7pre2 are finally released. I would like to thank all the people who supported the project through bug reports, suggestions, etc.

New features:

  • SHA1 hash support. (0.7pre2)

  • Added "use_first_pass" and "try_first_pass" options to conform with the PAM conventions: "use_first_pass" takes the password already obtained by an earlier module in the stack and fails if there is none, while "try_first_pass" tries that password first and prompts the user if it is absent or rejected. (0.7pre2)

  • Added a "use_323_passwd" option, which lets you use the password hashing function of the old MySQL versions (3.23.x), the one later MySQL releases expose as OLD_PASSWORD(). (0.6.1, 0.7pre2)
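The following is an added example in Python, not code from pam-mysql itself (the module is written in C). It shows the three hash formats these notes refer to, plain SHA1 hex, MySQL's PASSWORD() and the 3.23-style function selected by "use_323_passwd", together with the use_first_pass / try_first_pass token handling described above. The scheme labels ("sha1", "mysql", "mysql323"), the function names and the authenticate() signature are this example's own assumptions; the numeric return codes are Linux-PAM's. MD5-crypt (the "md5" option) is left out because Python's crypt module is deprecated.

```python
# Added example (Python, not pam-mysql's own C code): the password-hash
# formats named in these release notes and the use_first_pass / try_first_pass
# token handling.  Scheme labels ("sha1", "mysql", "mysql323") and the
# authenticate() signature are this example's own; the PAM return codes are
# Linux-PAM's.  MD5-crypt (the "md5" option) is left out: Python's crypt
# module is deprecated.
import hashlib
import hmac
from typing import Callable, Optional

# Linux-PAM return codes.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHTOK_RECOVERY_ERR = 0, 7, 21


def mysql_old_password(password: bytes) -> str:
    """MySQL 3.23-style PASSWORD() (OLD_PASSWORD() in later MySQL).

    Produces 16 hex chars.  Spaces and tabs are skipped, exactly as the
    original algorithm does; all arithmetic is taken mod 2**32 and the sign
    bit of each output word is dropped.  Unsalted and weak: keep it only for
    legacy rows.
    """
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in (0x20, 0x09):
            continue
        nr ^= ((((nr & 63) + add) * ch) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += ch
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def mysql_new_password(password: bytes) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex SHA1(SHA1(pw))."""
    return "*" + hashlib.sha1(hashlib.sha1(password).digest()).hexdigest().upper()


def sha1_hex(password: bytes) -> str:
    """Plain unsalted SHA1 hex digest, the "SHA1 hash support" format."""
    return hashlib.sha1(password).hexdigest()


HASHERS: dict[str, Callable[[bytes], str]] = {
    "sha1": sha1_hex,
    "mysql": mysql_new_password,
    "mysql323": mysql_old_password,
}


def verify(stored: str, password: bytes, scheme: str,
           use_323_passwd: bool = False) -> bool:
    """Recompute the hash for the configured scheme and compare in constant
    time.  use_323_passwd swaps the MySQL scheme for the 3.23 algorithm,
    mirroring the option of the same name."""
    if scheme == "mysql" and use_323_passwd:
        scheme = "mysql323"
    computed = HASHERS[scheme](password).lower().encode()
    return hmac.compare_digest(computed, stored.strip().lower().encode())


def authenticate(stored: str, scheme: str, stacked_token: Optional[bytes],
                 prompt: Callable[[], Optional[bytes]], *,
                 use_first_pass: bool = False, try_first_pass: bool = False,
                 use_323_passwd: bool = False) -> int:
    """PAM-convention token handling.

    stacked_token is the PAM_AUTHTOK left behind by an earlier module in the
    stack (None if there is none); prompt() asks the user through the PAM
    conversation and returns None if that fails.
      use_first_pass: the stacked token is mandatory; never prompt.
      try_first_pass: try the stacked token first, prompt if it is missing
                      or wrong.
      neither:        always prompt.
    """
    def check(token: bytes) -> bool:
        return verify(stored, token, scheme, use_323_passwd)

    if use_first_pass:
        if stacked_token is None:
            return PAM_AUTHTOK_RECOVERY_ERR
        return PAM_SUCCESS if check(stacked_token) else PAM_AUTH_ERR
    if try_first_pass and stacked_token is not None and check(stacked_token):
        return PAM_SUCCESS
    token = prompt()
    if token is None:
        return PAM_AUTHTOK_RECOVERY_ERR
    return PAM_SUCCESS if check(token) else PAM_AUTH_ERR


if __name__ == "__main__":
    # Constructed sample rows: the same password stored under each scheme.
    rows = {"sha1": sha1_hex(b"mypass"),
            "mysql": mysql_new_password(b"mypass"),
            "mysql323": mysql_old_password(b"mypass")}
    for scheme, stored in rows.items():
        print(scheme, stored, verify(stored, b"mypass", scheme))
```

The two MySQL functions reproduce what the server's own PASSWORD() and OLD_PASSWORD() return, so a row written by either can be checked from outside the database; the comparison is done with hmac.compare_digest rather than "==" so that a wrong guess takes the same time regardless of how many leading characters match.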

Changes:

  • Changed column name handling to not escape meta characters, so that any XXXcolumn option can hold an expression such as "CONCAT(a, b, c)" (the value is placed into the query as-is). (0.7pre2)

  • Fixed the account management code, which didn't work at all :-p (0.6.1, 0.7pre2)

  • Included pam_mysql.spec in the tarball by default, so an RPM can be built with the following one-liner. (0.6.1, 0.7pre2)

    rpmbuild -tb pam_mysql.tar.gz

  • Fixed a compile failure that occurs with old versions of mysql_config (< 4.0.16). (0.6.1, 0.7pre2)

  • Fixed a compile failure on Solaris when --with-openssl is passed to the configure script. (0.6.1, 0.7pre2)

Fri, 17 Jun 2005

Dealing with a configure failure.

A user reported that configure didn't work, producing the following error during config.status:

config.status: creating Makefile
sed: file .../subs-2.sed line 39: unterminated `s' command
config.status: creating config.h
config.status: executing default-1 commands

This happens with any old version (< 4.0.16) of MySQL. Although this is a bug and will be addressed in the next release, consider updating your MySQL installation in the meantime.

Tue, 14 Jun 2005

Documentation errata

There are some errors in the documentation bundled with yesterday's releases. This by no means indicates any implementation bug.

  1. README: add a description of the "md5" option, which makes pam_mysql use MD5 crypt when the "crypt" option is set to "Y".

  2. README (0.7 only): in the description of the "config_file" option, the "users.use_md5" directive is wrongly described as the counterpart of the "where" option. It is actually the counterpart of the "md5" option; "users.where_clause" is the directive whose counterpart is "where".

Sun, 12 Jun 2005

pam-mysql is back!

After days of silence since the last release, we're finally back!

The upcoming release, version 0.6, combines contributions from many people with tons of bug fixes. The complete list of changes is as follows:

  • Adopted autoconf / automake for the build system. (moriyoshi)
  • Portable MD5 support using OpenSSL / Cyrus-SASL. (moriyoshi)
  • MySQL library detection. (moriyoshi)
  • Added an RPM spec file. (moriyoshi)
  • Tidied up the entire code base for security and maintainability. (moriyoshi)
  • Modified log output to be more verbose. (moriyoshi)
  • Changed the log facility to LOG_AUTHPRIV, as recommended in the PAM documentation. Falls back to LOG_AUTH on platforms that lack it. (moriyoshi)
  • Added support for Unix sockets and non-default ports. (moriyoshi)
  • Added account management and authentication token alteration code. (moriyoshi)
  • Removed default values for string parameters for the sake of performance. (moriyoshi)
  • Enhanced the SQL logging function to log session state as well. (moriyoshi)
  • Solaris support. (moriyoshi)

We would like to thank all the people who helped us get it out the door.

Moriyoshi