SCIENTIFIC-LINUX-USERS Archives

September 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Steven Haigh <[log in to unmask]>
Reply To: Steven Haigh <[log in to unmask]>
Date: Wed, 18 Sep 2013 17:39:47 +1000
Content-Type: multipart/signed
Parts/Attachments: text/plain (3676 bytes) , signature.asc (915 bytes)
Ok, so replying to myself - I managed to figure this out...

On 18/09/2013 1:11 PM, Steven Haigh wrote:
> Hi all,
> 
> I've been butting my head against this one for a while - so I figured
> it's time to get help... ;)
> 
> I'm trying to use pam_mysql to authenticate FTP users via PAM.
> 
> I've edited the /etc/pam.d/vsftpd to contain:
> auth required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf
> crypt=1 verbose=1
> account required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf
> crypt=1 verbose=1
> 
> The passwords are stored in a MySQL database as ssha512 format. This
> means they look something like:
> {SHA512-CRYPT}$6$qLv.........

Right here is where the problem was... crypt() fails when verifying them
- as it doesn't recognise the header {SHA512-CRYPT} from the result
MySQL returns.

To work around this, I altered what is returned in the query:
users.user_column       = CONCAT(username, "@", domain)
users.password_column   = REPLACE(password, '{SHA512-CRYPT}', '')
users.password_crypt    = Y

The docs in /usr/share/doc/pam_mysql-0.7 are sparse, but helped me
figure out I could pass more than just column names in these fields.

> 
> When I try to use this account, I see the following in /var/log/messages:
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
> called
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
> users WHERE CONCAT(username, "@", domain) = [log in to unmask]
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> returning 6.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_converse() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
> called
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
> users WHERE CONCAT(username, "@", domain) = [log in to unmask]
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> returning 6.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate()
> returning 7.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_release_ctx()
> called.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_destroy_ctx()
> called.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_close_db() called.
> 
> I can't find any real info on what pam_mysql_check_passwd() returning 6
> means - but I assume it's a password check failure.
> 
> My only thought is that somehow the password format supplied by the
> database (which works on dovecot) is different than expected by PAM...
> 
> Does anyone have any thoughts on this?
> 


-- 
Steven Haigh

Email: [log in to unmask]
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
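Added example, not code from Steven's post or from pam_mysql: a pure-Python SHA512-CRYPT ($6$) implementation and a verifier that behaves like a crypt(3)-based module, so a dovecot-style `{SHA512-CRYPT}` tag in front of the stored value makes the check fail, and stripping it (what the REPLACE() workaround does in SQL) makes the same password verify. The "Hello world!"/"saltstring" pair is the test vector from the sha-crypt specification; the tagged stored value used in the test is constructed from it.

```python
import hashlib, hmac, re

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SETTING = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")

def _encode(c: bytes) -> str:
    # sha-crypt output permutation: 21 triples (i, i+21, i+42) rotated by i % 3, then byte 63
    groups = [((c[a] << 16) | (c[b] << 8) | c[d], 4) for i in range(21)
              for a, b, d in [((i, i + 21, i + 42) * 2)[i % 3:i % 3 + 3]]]
    out = []
    for w, n in groups + [(c[63], 2)]:       # each group emitted low 6 bits first
        for _ in range(n):
            out.append(ALPHABET[w & 0x3F])
            w >>= 6
    return "".join(out)

def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA512-CRYPT ($6$) as in Drepper's sha-crypt specification, pure Python."""
    salt, plen = salt[:16], len(password)
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    a.update(b * (plen // 64) + b[:plen % 64])   # digest B, once per block of the password
    n = plen
    while n:                                      # bits of the password length, low bit first
        a.update(b if n & 1 else password)
        n >>= 1
    c = da = a.digest()
    p = (hashlib.sha512(password * plen).digest() * (plen // 64 + 1))[:plen]
    s = (hashlib.sha512(salt * (16 + da[0])).digest() * (len(salt) // 64 + 1))[:len(salt)]
    for i in range(rounds):                       # the stretching loop, 5000 rounds by default
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    tag = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return tag + salt.decode() + "$" + _encode(c)

def verify(stored: str, password: str) -> bool:
    # Like a crypt(3)-based module: `stored` must be a bare $6$ setting string
    m = SETTING.match(stored)
    if not m:                                     # e.g. a {SHA512-CRYPT} tag in front of $6$
        return False
    rounds = min(max(int(m.group(1)), 1000), 999_999_999) if m.group(1) else 5000
    computed = sha512_crypt(password.encode(), m.group(2).encode(), rounds)
    return hmac.compare_digest(computed.rsplit("$", 1)[1], m.group(3))

def strip_scheme(stored: str) -> str:
    """Same effect as the post's REPLACE(password, '{SHA512-CRYPT}', '') in the query."""
    return stored[len("{SHA512-CRYPT}"):] if stored.startswith("{SHA512-CRYPT}") else stored
```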