Ok, so replying to myself - I managed to figure this out...

On 18/09/2013 1:11 PM, Steven Haigh wrote:
> Hi all,
>
> I've been butting my head against this one for a while - so I figured
> it's time to get help... ;)
>
> I'm trying to use pam_mysql to authenticate FTP users via PAM.
>
> I've edited the /etc/pam.d/vsftpd to contain:
> auth required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf
> crypt=1 verbose=1
> account required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf
> crypt=1 verbose=1
>
> The passwords are stored in a MySQL database as ssha512 format. This
> means they look something like:
> {SHA512-CRYPT}$6$qLv.........

Right here is where the problem was... crypt() fails when verifying them - as it doesn't recognise the header {SHA512-CRYPT} from the result MySQL returns.

To work around this, I altered what is returned in the query:

users.user_column = CONCAT(username, "@", domain)
users.password_column = REPLACE(password, '{SHA512-CRYPT}', '')
users.password_crypt = Y

The docs in /usr/share/doc/pam_mysql-0.7 are sparse, but helped me figure out I could pass more than just column names in these fields.

>
> When I try to use this account, I see the following in /var/log/messages:
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
> called
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
> users WHERE CONCAT(username, "@", domain) = 'ad...@wireless.org.au'
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> returning 6.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_converse() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
> called
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
> called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
> users WHERE CONCAT(username, "@", domain) = 'ad...@wireless.org.au'
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
> returning 6.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
> returning 0.
> Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate()
> returning 7.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_release_ctx()
> called.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_destroy_ctx()
> called.
> Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_close_db() called.
>
> I can't find any real info on what pam_mysql_check_passwd() returning 6
> means - but I assume it's a password check failure.
>
> My only thought is that somehow the password format supplied by the
> database (which works on dovecot) is different than expected by PAM...
>
> Does anyone have any thoughts on this?
>

--
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
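
Added example, not part of the original post or of pam_mysql: crypt(3) picks its algorithm from a leading `$id$`, so a value that starts with a Dovecot-style `{SCHEME}` label cannot be verified as stored. This audit sketch classifies stored values before the prefix is stripped in the query; the function names and the sample rows are constructed for illustration.

```python
import re

# Dovecot-style "{SCHEME}" prefix, optionally with an encoding suffix such as ".HEX".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)(?:\.[A-Za-z0-9]+)?\}")
# crypt(3) modular-format ids mapped to the matching Dovecot scheme names.
CRYPT_IDS = {"1": "MD5-CRYPT", "5": "SHA256-CRYPT", "6": "SHA512-CRYPT",
             "2a": "BLF-CRYPT", "2b": "BLF-CRYPT", "2y": "BLF-CRYPT"}
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$")


def split_scheme(stored):
    """Return (scheme or None, remainder) for a stored password value."""
    m = SCHEME_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), stored[m.end():]


def crypt_algorithm(value):
    """Name the crypt(3) algorithm selected by a leading $id$, or None."""
    m = MODULAR_RE.match(value)
    return CRYPT_IDS.get(m.group(1)) if m else None


def audit(stored):
    """Classify one stored value for use with a crypt()-based verifier."""
    if crypt_algorithm(stored):
        return "ok-as-stored"
    scheme, rest = split_scheme(stored)
    algo = crypt_algorithm(rest)
    if scheme and algo:
        # The label and the $id$ should agree; a mismatch means a mislabelled row.
        return "ok-after-strip" if scheme in (algo, "CRYPT") else "scheme-mismatch"
    return "not-crypt"  # e.g. {SSHA512}: stripping the label does not help


# Constructed sample rows (dummy salts and digests, not real hashes).
SAMPLES = {
    "alice": "{SHA512-CRYPT}$6$examplesalt$" + "A" * 86,
    "bob": "$6$examplesalt$" + "B" * 86,
    "carol": "{SSHA512}" + "C" * 96,
    "dave": "{SHA256-CRYPT}$6$examplesalt$" + "D" * 86,
}


def audit_all(rows):
    return {user: audit(value) for user, value in rows.items()}


if __name__ == "__main__":
    for user, verdict in audit_all(SAMPLES).items():
        print(f"{user:6} {verdict}")
```

Rows reported as `not-crypt` use a non-crypt scheme, so removing the label in `users.password_column` would still leave them unverifiable by crypt().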