Re: pam + mysql + vsftp

2013-09-18 Thread Steven Haigh
Ok, so replying to myself - I managed to figure this out...

On 18/09/2013 1:11 PM, Steven Haigh wrote:
 Hi all,
 
 I've been butting my head against this one for a while - so I figured
 it's time to get help... ;)
 
 I'm trying to use pam_mysql to authenticate FTP users via PAM.
 
 I've edited the /etc/pam.d/vsftpd to contain:
 auth required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1
 account required pam_mysql.so config_file=/etc/vsftpd/vsftpd-mysql.conf crypt=1 verbose=1
 
 The passwords are stored in a MySQL database as ssha512 format. This
 means they look something like:
 {SHA512-CRYPT}$6$qLv.

Right here is where the problem was... crypt() fails when verifying them
- as it doesn't recognise the header {SHA512-CRYPT} from the result
MySQL returns.

To work around this, I altered what is returned in the query:
users.user_column   = CONCAT(username, '@', domain)
users.password_column   = REPLACE(password, '{SHA512-CRYPT}', '')
users.password_crypt= Y

The docs in /usr/share/doc/pam_mysql-0.7 are sparse, but helped me
figure out I could pass more than just column names in these fields.

 
 When I try to use this account, I see the following in /var/log/messages:
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db()
 returning 0.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
 called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
 called
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
 called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
 users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au'
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
 returning 6.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
 returning 0.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_converse() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_open_db() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
 called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_format_string()
 called
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_quick_escape()
 called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - SELECT password FROM
 users WHERE CONCAT(username, @, domain) = 'ad...@wireless.org.au'
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_check_passwd()
 returning 6.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log() called.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_mysql_sql_log()
 returning 0.
 Sep 18 13:03:43 www vsftpd[11368]: pam_mysql - pam_sm_authenticate()
 returning 7.
 Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_release_ctx()
 called.
 Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_destroy_ctx()
 called.
 Sep 18 13:03:45 www vsftpd[11368]: pam_mysql - pam_mysql_close_db() called.
 
 I can't find any real info on what pam_mysql_check_passwd() returning 6
 means - but I assume it's a password check failure.
 
 My only thought is that somehow the password format supplied by the
 database (which works on dovecot) is different than expected by PAM...
 
 Does anyone have any thoughts on this?
 


-- 
Steven Haigh

Email: net...@crc.id.au
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
Fax: (03) 8338 0299
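
Added example, not part of the original post: the REPLACE() workaround above strips only the `{SHA512-CRYPT}` label, so any row stored under a different scheme would still fail crypt() verification. This Python audit reports such rows; the scheme table, function names and sample rows are assumptions constructed for illustration.

```python
import re

# Scheme labels whose payload is a crypt(3) modular-crypt string, mapped to
# the prefix that payload must start with (assumed table for this example).
CRYPT_SCHEMES = {
    "SHA512-CRYPT": "$6$",
    "SHA256-CRYPT": "$5$",
    "MD5-CRYPT": "$1$",
}

_LABEL = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$", re.S)


def normalize_for_crypt(stored):
    """Return (hash_for_crypt, problem); exactly one of the two is None."""
    m = _LABEL.match(stored)
    if m is None:
        # No label: usable only if it already is a modular-crypt string.
        if stored.startswith("$"):
            return stored, None
        return None, "no scheme label and not a modular-crypt string"
    scheme, body = m.group(1).upper(), m.group(2)
    prefix = CRYPT_SCHEMES.get(scheme)
    if prefix is None:
        return None, "scheme %s is not a crypt(3) format" % scheme
    if not body.startswith(prefix):
        return None, "label %s does not match hash prefix" % scheme
    return body, None


def audit(rows):
    """Map each username to the reason crypt() verification would fail."""
    problems = {}
    for user, stored in rows:
        _, problem = normalize_for_crypt(stored)
        if problem:
            problems[user] = problem
    return problems


# Constructed sample rows (username, stored password value); not real hashes.
SAMPLE_ROWS = [
    ("alice", "{SHA512-CRYPT}$6$examplesalt$" + "A" * 86),
    ("bob", "{SSHA512}" + "B" * 96),
    ("carol", "{SHA512-CRYPT}$5$examplesalt$" + "C" * 43),
    ("dave", "$6$examplesalt$" + "D" * 86),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ROWS).items():
        print(user, "->", reason)
```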





samba printer + auth

2013-09-18 Thread Arnau Bria
Hello all,

I'm configuring a samba printer in cups:

<Printer CM4540_Safecom>
AuthInfoRequired username,password
Info HP Color LaserJet CM4540 MFP
MakeModel HP Color LaserJet CM4540 MFP Postscript (recommended)
DeviceURI smb://URL
State Idle
StateTime 1379494304
Type 8425692
Filter application/vnd.cups-raw 0 -
Filter application/vnd.cups-command 0 commandtops
Filter application/vnd.cups-postscript 0 -
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

and its ppd file is located at :

# ls /etc/cups/ppd/
CM4540_Safecom.ppd

In theory, every time I try to print I should see a dialog box asking
for user/passwd (it works in other distros like fedora), but it never
happens in SL 6.3 and then jobs are held with the error:

Session setup failed: NT_STATUS_UNSUCCESSFUL

Am I missing some configuration/package for this kind of configuration?

# rpm -qa|egrep '^cups|^samba'|sort
cups-1.4.2-50.el6_4.4.x86_64
cups-libs-1.4.2-50.el6_4.4.i686
cups-libs-1.4.2-50.el6_4.4.x86_64
samba-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64


TIA,
Arnau


Is there any reason why Kudzu rpm is not part of SL

2013-09-18 Thread Edison, Arul (GE Healthcare)
Hi All,
I am trying to use the SL for my application environment and using SL 
for the same
When I install SL, I have found that Kudzu is not part of the SL
Is there any reason why this is removed in SL?

Regards,
Arul


Re: dhclient configuration

2013-09-18 Thread Joseph Areeda
Tom,

Just a couple of comments:

It sounds like you have one device that is acting like the DSL modem,
and a NAT router.  Is that correct you have a single box?  If so what is
the make and model?

It also seems like this device seems like it thinks it can act as a DNS
server, perhaps caching or just forwarding.  I suspect there is some set
up for that.

I found this page www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/
which offers a few ways to use static dns addresses rather than get them
from DHCP.  I personally like Option #3.

Joe

On 09/17/2013 03:26 PM, Tom Rosmond wrote:
 Shane,

 Unfortunately, your suggestion didn't make any difference.  But your
 observation about my modem being misconfigured is probably correct, and
 I have been looking at all the settings to see what could be the source
 of the trouble.  Nothing apparent yet.  Maybe I need a new modem.

 BTW, I didn't see the 'not available' response for port 53, which makes
 sense I guess since I still see the delay.  And I am pretty sure port 53
 is correct.  Frustrating.

 Thanks,

 T. Rosmond


 On Tue, 2013-09-17 at 22:33 +0100, Shane Voss wrote:
 On 17/09/13 21:24, Tom Rosmond wrote:
 Last weekend I posted the thread 'slow loading browser homepage'.  I got
 useful feedback from several people that helped narrow the problem to
 the order that nameservers are listed in my 'dhclient-eth0.leases' file.
 It has the line:

option domain-name-servers 192.168.0.1,216.177.225.9;
 It looks to me as if your dhcp server is misconfigured.  I presume this is 
 the 
 modem.  So the proper solution is to persuade that modem not to list 
 itself 
 as a DNS server.

 One hack that might work around this is to use iptables to prevent yourself 
 sending DNS requests to the modem:

 iptables -A OUTPUT -d 192.168.0.1 -p tcp --dport 53 -j REJECT
 iptables -A OUTPUT -d 192.168.0.1 -p udp --dport 53 -j REJECT

 The REJECT should result in an immediate response saying that port is not 
 available, rather than a delay waiting for it to respond.

 If that works, you can make the firewall rules permanent thus:

 service iptables save
 chkconfig iptables on

 Shane



RE: afs client startup script error

2013-09-18 Thread Aaron K. Reffett
  As I read it the afs startup script in /etc/rc.d/init.d/afs does not
  permit the case of a cell not being in the CellServDB file even if you
  enable ENABLE_AFSDB to append the -afsdb command line switch.
 
 yes, that check has been there ~forever.
 
 If it's a problem for you, you can either provide a CellServDB with your cell
 included or remove the check from the init script.

If that is the case then /usr/vice/etc/CellServDB needs to be 
%config(noreplace) in the RPM spec or it'll get updated the next time 
openafs-client updates which would, again, kill AFS on the client.

I ran into this issue with our private cell and rolled a new set of RPMs with 
this directive set and froze all clients from updating AFS.

~Aaron 


Re: Is there any reason why Kudzu rpm is not part of SL

2013-09-18 Thread Stephen John Smoogen
On 18 September 2013 03:09, Edison, Arul (GE Healthcare) 
aruljeyananth.jamesedi...@ge.com wrote:

 Hi All,
 I am trying to use the SL for my application environment and using
 SL for the same
 When I install SL, I have found that Kudzu is not part of the SL
 Is there any reason why this is removed in SL?

 Regards,
 Arul


Kudzu was a relic program from the Red Hat Linux days and was superseded by
first HAL and then udev. You will need to use them for detecting hardware
and such.

-- 
Stephen J Smoogen.