Hi,

On Thu, 12 Feb 2004, Thomas Cataldo wrote:

> I see three solutions (the bad one, the hard one, and the workaround
> one) :
>  - bad : reset your password with crypt
>  - hard : hack pam support into x_server and get free beer

Some time ago I patched SAPDB to use PAM to authenticate the system user.
The patch is outdated and may no longer work correctly, but it can give
you a hint on how to do it.
It's attached.


CU,

   Wolfgang
--- SAPDB_ORG/sys/src/en/ven906c.orig   2002-08-09 13:50:02.000000000 +0200
+++ SAPDB_ORG/sys/src/en/ven906.c       2002-10-10 11:33:44.000000000 +0200
@@ -114,6 +114,10 @@
 #include <shadow.h>
 #endif /* HPUX | SUN | LINUX | NMP */
 
+#if defined(LINUX)
+#include <security/pam_appl.h>
+#endif /* LINUX - PAM */
+
 #if defined(AIX)
 #include <userpw.h>
 #endif /* AIX */
@@ -173,6 +177,69 @@
 FILE *xlogonError = 0;
 #endif /* DUMP_XLOGON_INFO */
 
+
+#if defined(LINUX)  /* PAM */
+
+struct userdata  {
+    char *username;
+    char *passwd;
+};
+
+static int
+PAM_conv ( int                        num_msg,
+           const struct pam_message **msg,
+           struct pam_response      **resp,
+           void                      *appdata_ptr )
+{
+    int                   replies  = 0;
+    struct pam_response  *reply    = NULL;
+    struct userdata      *p        = appdata_ptr;
+
+
+    if ( p == NULL )
+        return  PAM_SYSTEM_ERR;
+
+    reply = (struct pam_response*) malloc ( sizeof (struct pam_response) * num_msg );
+    if ( reply == NULL )
+        return PAM_CONV_ERR;
+
+    for ( replies = 0; replies < num_msg; replies++ ) {
+        switch (msg[replies]->msg_style) {
+
+        case PAM_PROMPT_ECHO_ON: /* assume it wants user name */
+            reply[replies].resp_retcode = PAM_SUCCESS;
+            reply[replies].resp = strdup ( p->username );
+            /* PAM frees resp */
+            break;
+
+        case PAM_PROMPT_ECHO_OFF: /* assume it wants password */
+            reply[replies].resp_retcode = PAM_SUCCESS;
+            reply[replies].resp = strdup ( p->passwd );
+            /* PAM frees resp */
+            break;
+
+        case PAM_TEXT_INFO:
+        case PAM_ERROR_MSG:
+            reply[replies].resp_retcode = PAM_SUCCESS;
+            reply[replies].resp = NULL;
+            break;
+
+        default:
+            free (reply);
+            return PAM_CONV_ERR;
+        } /* switch */
+    } /* for */
+
+    *resp = reply;
+    return PAM_SUCCESS;
+}
+
+static struct pam_conv PAM_conversation = {
+    &PAM_conv,      /* address of our interface function */
+    NULL
+};
+#endif /* LINUX - PAM */
+
 /*----------------------------------------*/
     #undef MF__
     #define MF__ MOD__"sqlxlogon"
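Review bot: The `default:` branch of PAM_conv frees only the `reply` array, so the `resp` strings already duplicated for earlier messages, which can include a copy of the password, are leaked without being cleared. The array also comes from `malloc` with `num_msg` unchecked and no `strdup` result tested, so a non-positive count or a failed duplication hands PAM an uninitialised or NULL `resp` together with `PAM_SUCCESS`. I would bound `num_msg`, allocate with `calloc`, check every `strdup`, and route all failures through one exit that wipes and frees whatever was filled in. Separately, the ECHO_ON branch answers every echoed prompt with the user name, which holds only as long as the modules in the `sapdb` PAM stack never ask for anything else that way.
```c
    if ( p == NULL )
        return  PAM_SYSTEM_ERR;
    if ( num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG )
        return PAM_CONV_ERR;

    /* calloc: every resp starts out NULL and every resp_retcode 0 */
    reply = calloc ( (size_t) num_msg, sizeof *reply );
    if ( reply == NULL )
        return PAM_CONV_ERR;

    for ( replies = 0; replies < num_msg; replies++ ) {
        const char *answer;

        switch (msg[replies]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = p->username; break;
        case PAM_PROMPT_ECHO_OFF: answer = p->passwd;   break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            continue;
        default:
            goto fail;
        } /* switch */

        if ( answer == NULL
             || (reply[replies].resp = strdup ( answer )) == NULL )
            goto fail;
    } /* for */

    *resp = reply;
    return PAM_SUCCESS;

fail:
    /* clear and release the answers duplicated so far; a wipe the
     * compiler cannot elide is preferable where the platform has one */
    for ( replies = 0; replies < num_msg; replies++ ) {
        if ( reply[replies].resp != NULL ) {
            memset ( reply[replies].resp, 0, strlen (reply[replies].resp) );
            free ( reply[replies].resp );
        }
    }
    free ( reply );
    return PAM_CONV_ERR;
```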
@@ -183,6 +250,11 @@
     tsp9_rte_xerror *xerror )
 {
     struct passwd *pwEntry;
+#if defined(LINUX)  /* PAM */
+    pam_handle_t *pamh = NULL;
+    int retval;
+    struct userdata *p;
+#endif /* LINUX - PAM */
 
 #ifdef DUMP_XLOGON_INFO
 
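Review bot: `struct userdata *p;` is declared as a pointer and is never given storage, yet the later hunk writes `p->username` and `p->passwd` through it, which is undefined behaviour and will usually crash or corrupt memory on the first password logon. Declaring the object itself, `struct userdata pam_user;`, and passing `&pam_user` as the conversation's `appdata_ptr` removes the problem without any allocation. The enclosing function starts and ends outside this hunk.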
@@ -236,9 +308,32 @@
      * is a job only a setuid root program can do.
      * Therefore IF THIS will be added, the searching should be
      * put into an external process...
+     *
+     * the statement above is not true on systems using PAM
      */
     if ( passwd )
     {
+#if defined(LINUX)  /* PAM */
+        /* create structure for Pam conv */
+        p->username = username;
+        p->passwd   = passwd;
+       PAM_conversation.appdata_ptr = p;
+
+        retval = pam_start("sapdb", username, &PAM_conversation, &pamh);
+        
+        if (retval == PAM_SUCCESS)
+           retval = pam_authenticate(pamh, 0);
+
+        if (retval == PAM_SUCCESS)
+           retval = pam_acct_mgmt(pamh, 0);
+
+        if (retval != PAM_SUCCESS) {
+            DUMP_ERR_0("PAM login failed\n");
+           return;        
+        }
+        
+        pam_end(pamh, retval);
+#else
         const char *CryptedPassword = en906_FindCryptedPassword(username, pwEntry);
         const char *GeneratedPassword = "";
 
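Review bot: The failure branch returns right after `DUMP_ERR_0` without calling `pam_end`, so each rejected logon leaks the handle that `pam_start` allocated; add `if (pamh != NULL) pam_end(pamh, retval);` before the `return;`. The credentials also travel through the file-scope `PAM_conversation.appdata_ptr`, which concurrent logons would overwrite for each other if this function can run on more than one thread. A local `struct pam_conv` initialised with `PAM_conv` and the user data would avoid that. Whether `xerror` is filled in on this path is not visible here, so the crypt branch should be checked for what callers expect on a failed login. The enclosing function starts and ends outside this hunk.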
@@ -265,6 +360,8 @@
                         CryptedPassword, GeneratedPassword )
             return;
         }
+#endif
+
     }
     else
     {
--- SAPDB_ORG/sys/desc/dbmsrv.lnk.orig  Thu Mar  6 22:30:56 2003
+++ SAPDB_ORG/sys/desc/dbmsrv.lnk       Thu Mar  6 22:32:00 2003
@@ -109,4 +109,7 @@
 &if $OSSPEC in [ SVR4, LINUX ]
 -ldl
 &endif
+&if $OSSPEC == LINUX
+  -lpam
+&endif
 &endif
--- SAPDB_ORG/sys/desc/lserver.lnk.orig Thu Mar  6 22:32:53 2003
+++ SAPDB_ORG/sys/desc/lserver.lnk      Thu Mar  6 22:34:14 2003
@@ -98,7 +98,9 @@
 &if $OSSPEC == LINUX && $MACH == IA64
   -lncurses
 &endif
-
+&if $OSSPEC == LINUX
+  -lpam
+&endif
 
 &if $OS = UNIX   
 inlib                               # date, time conversion ( vin41 )  
--- SAPDB_ORG/sys/desc/dbmcli.lnk.orig  Thu Mar  6 22:35:20 2003
+++ SAPDB_ORG/sys/desc/dbmcli.lnk       Thu Mar  6 22:36:07 2003
@@ -158,6 +158,9 @@
 &if $OSSPEC in [ SVR4, LINUX ]
 -ldl
 &endif
+&if $OSSPEC == LINUX
+  -pam
+&endif
 #------------------------
 &endif
 #------------------------
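Review bot: The added library line reads `-pam`, whereas the other link descriptions in this patch use `-lpam`. As written the option is probably not understood as a library request, so dbmcli would either fail to link or be built without libpam. It should be `  -lpam`.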
--- SAPDB_ORG/sys/desc/dbmcperl.dld.orig        Thu Mar  6 22:36:47 2003
+++ SAPDB_ORG/sys/desc/dbmcperl.dld     Thu Mar  6 22:37:35 2003
@@ -69,3 +69,7 @@
 # need support for shadow passwords
   -lsecurity
 & endif
+& if $OSSPEC == LINUX
+  -lpam
+  -ldl
+& endif
--- SAPDB_ORG/sys/desc/webdbm.dld.orig  Thu Mar  6 22:38:45 2003
+++ SAPDB_ORG/sys/desc/webdbm.dld       Thu Mar  6 22:39:37 2003
@@ -80,3 +80,7 @@
   -lsecurity
   -lpthread
 & endif
+& if $OSSPEC == LINUX
+  -ldl
+  -lpam
+& endif