checkpw.c crypt patch

Dan White dwhite at
Tue Jul 21 17:10:49 EDT 2009

David van Geest wrote:
>> I personally haven't used "saslauthd -> PAM -> pam:mysql" before, so
>> I can't give you any first hand experience. Maybe someone else can
>> share their knowledge on this.
>> p at rick
> Digging into this more, seems like using a salt isn't even possible.  
> Looking at the pam_mysql options on this page 
> ( 
> I don't see any way to add a salt from the DB into the crypt() 
> function.  However, if somebody knows more about this, I'm all ears.
> -David

I also have not used MySQL in this type of environment, but I think you 
should be able to accomplish what you want by doing saslauthd -> PAM -> 
NSS (pam_unix) -> NSS-MySQL.

The nss library should have the knowledge of how to find the salt in the 
first two bytes of the crypt'd password.

I use an ldap nss module in a similar fashion, and my /etc/nsswitch.conf 
looks like:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

and in my /etc/pam.d/imap:

auth    required nullok_secure

and my saslauthd uses PAM for authentication.

Then you should be able to insert any password into MySQL that would be 
valid for your /etc/shadow file.

- Dan
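
The salt lookup discussed in this thread, as an added example that is not part of the original message and is not code from Cyrus SASL, pam_unix or pam_mysql: a crypt(3) style hash carries its own salt, so a verifier can recover the "setting" from the stored value alone. The function and enum names are hypothetical, the sample strings are constructed, and only the traditional DES form and the $1$, $5$ and $6$ modular forms are handled.

```c
#include <stdio.h>
#include <string.h>

/* Added example: find the crypt(3) "setting" (scheme id + salt) embedded in a
   stored hash; a verifier runs crypt(password, setting) and compares. */
enum scheme { SCH_INVALID = 0, SCH_DES, SCH_MCF };

static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Copies the setting into out and returns its kind. Empty, "*" and
   "!"-prefixed (locked) entries, and unknown schemes, give SCH_INVALID. */
enum scheme crypt_setting(const char *stored, char *out, size_t outlen)
{
    if (!stored || !out || outlen < 3) return SCH_INVALID;
    out[0] = '\0';
    /* Traditional DES crypt: 13 characters, the salt is the first two. */
    if (strlen(stored) == 13 && strspn(stored, B64) == 13) {
        memcpy(out, stored, 2);
        out[2] = '\0';
        return SCH_DES;
    }
    /* Modular format, limited to ids 1, 5, 6: $id$[rounds=N$]salt$hash */
    if (stored[0] != '$' || !stored[1] || !strchr("156", stored[1]) || stored[2] != '$')
        return SCH_INVALID;
    const char *p = stored + 2;
    if (stored[1] != '1' && strncmp(p + 1, "rounds=", 7) == 0) {
        p = strchr(p + 1, '$');
        if (!p) return SCH_INVALID;
    }
    const char *end = strchr(p + 1, '$');             /* '$' closing the salt */
    if (!end || end[1] == '\0') return SCH_INVALID;   /* hash part missing */
    size_t len = (size_t)(end - stored) + 1;
    if (len >= outlen) return SCH_INVALID;
    memcpy(out, stored, len);
    out[len] = '\0';
    return SCH_MCF;
}

int main(void)
{
    /* Constructed sample values in shadow-file shape, not real hashes. */
    const char *rows[] = { "abCDEFGHIJKLM", "$6$saltsalt$CONSTRUCTEDHASH", "!", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("%-28s -> kind %d, setting \"%s\"\n", rows[i],
               (int)crypt_setting(rows[i], buf, sizeof buf), buf);
    return 0;
}
```

Rejecting empty and locked values before any comparison keeps a blank or disabled password column in the database from being treated as a usable hash.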
