checkpw.c crypt patch

David van Geest davidv at spindance.com
Tue Jul 21 16:05:46 EDT 2009


Patrick Ben Koetter wrote:
> * David van Geest <davidv at spindance.com>:
>   
>>> Use saslauthd -> PAM -> pam:mysql -> MySQL(crypted passwords)
>>>
>>> p at rick   
>>>       
>> Thanks Patrick!  I'm attempting what you suggest using pam:mysql.  My  
>> /etc/pam.d/smtp.postfix looks like this:
>>     
>
> saslauthd calls this? Usually it would be /etc/pam.d/smtp, because the service
> name is "smtp".
>   
Hmmmm yeah, that could be wrong.  I haven't actually tried it out yet, 
and it looks like every how-to except for the one I used has 'smtp'.  
Thanks for the correction.
>   
>> auth       optional     pam_mysql.so user=<mysql_username>  
>> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table>  
>> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1
>> account    required     pam_mysql.so user=<mysql_username>  
>> passwd=<mysql_pw> host=host.domain db=<db_name> table=<user_table>  
>> usercolumn=<user_column> passwdcolumn=<user_pass_column> crypt=1
>>
>> A follow-up question:  how does this work when using a salt?  The DB  
>> admin wants to store the password hash and password salt in separate  
>> columns in MySQL, so it seems like I would need to add another option in  
>> the above lines to specify the salt column, so the salt value can be  
>> used with crypt().
>>     
>
> I personally haven't used "saslauthd -> PAM -> pam:mysql" before, so I can't
> give you any first hand experience. Maybe someone else can share their
> knowledge on this.
>
> p at rick
>   
Digging into this more, seems like using a salt isn't even possible.  Looking at the pam_mysql options on this page (http://pam-mysql.sourceforge.net/Documentation/package-readme.php?seemore=y) I don't see any way to add a salt from the DB into the crypt() function.  However, if somebody knows more about this, I'm all ears.

-David
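
How a crypt(3)-style stored string carries its own salt, which bears on the salt-column question in the message above. This is an added example, not part of the original message or of pam_mysql; `split_crypt`, `verify` and the injected `crypt_fn` are hypothetical names, and it assumes the password column holds a full glibc crypt(3) output string.

```python
import hmac
import re

# id -> (scheme name, max salt length, digest length) for glibc crypt(3)
SCHEMES = {"1": ("md5-crypt", 8, 22),
           "5": ("sha256-crypt", 16, 43),
           "6": ("sha512-crypt", 16, 86)}
B64 = r"[./0-9A-Za-z]"
MCF = re.compile(rf"^\$([156])\$(?:rounds=(\d+)\$)?({B64}+)\$({B64}+)$")
DES = re.compile(rf"^{B64}{{13}}$")


def split_crypt(stored):
    """Split a stored crypt(3) string into scheme, salt and setting prefix."""
    m = MCF.match(stored)
    if m:
        ident, rounds, salt, digest = m.groups()
        name, max_salt, digest_len = SCHEMES[ident]
        if len(salt) > max_salt or len(digest) != digest_len:
            raise ValueError("malformed " + name + " string")
        if rounds and ident == "1":
            raise ValueError("md5-crypt takes no rounds field")
        return {"scheme": name, "salt": salt,
                "rounds": int(rounds) if rounds else None,
                "setting": stored[:m.start(4)]}
    if DES.match(stored):
        # Traditional DES crypt: the first two characters are the salt.
        return {"scheme": "des-crypt", "salt": stored[:2],
                "rounds": None, "setting": stored[:2]}
    raise ValueError("not a recognised crypt(3) string")


def verify(password, stored, crypt_fn):
    """Check a password the way crypt(3) callers do: the stored string is
    passed back as the salt argument, so no separate salt value is needed.
    crypt_fn is any crypt(3) binding with signature (password, setting)."""
    split_crypt(stored)  # reject malformed rows before hashing
    candidate = crypt_fn(password, stored)
    return candidate is not None and hmac.compare_digest(candidate, stored)


# Constructed sample row (digest characters are filler, not a real hash).
SAMPLE = "$6$rounds=5000$Zx81kQpL$" + "A" * 86
```

If the salt and digest are kept in separate columns instead, they have to be joined back into this single string before any crypt(3)-based comparison can run.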


