Bug 51320 - dev-libs/cyrus-sasl-2.1.18-r1.ebuild update request
Summary: dev-libs/cyrus-sasl-2.1.18-r1.ebuild update request
Status: RESOLVED DUPLICATE of bug 45181
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Net-Mail Packages
Reported: 2004-05-17 16:11 UTC by Ryan Earl
Modified: 2005-07-17 13:06 UTC


Attachments
pam_mysql-0.5.ebuild patch to -r1 (pam_mysql_amd64-patch.txt, 724 bytes, patch)
2004-08-12 17:59 UTC, Ryan Earl
correct patch 0.5 => 0.5-r1 (pam_mysql_amd64-patch.txt, 724 bytes, text/plain)
2004-08-12 18:05 UTC, Ryan Earl

Description Ryan Earl 2004-05-17 16:11:18 UTC
I have a patch needed for cyrus-sasl that allows it to authenticate against MD5/DES passwords in a MySQL database.  The patch file /usr/portage/dev-libs/cyrus-sasl/files/cyrus-sasl-2.1.17-mysql-crypt.patch looks like:

*** lib/checkpw.c.orig  Thu Feb 13 14:07:23 2003
--- lib/checkpw.c       Thu Feb 13 14:07:03 2003
***************
*** 145,151 ****
                                       "*cmusaslsecretPLAIN",
                                       NULL };
      struct propval auxprop_values[3];
!
      if (!conn || !userstr)
        return SASL_BADPARAM;

--- 145,155 ----
                                       "*cmusaslsecretPLAIN",
                                       NULL };
      struct propval auxprop_values[3];
!
!     /* temporaries for encryption seed and result pointer */
!     char salt[13];
!     char *crypt_passwd = NULL;
!
      if (!conn || !userstr)
        return SASL_BADPARAM;

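Review bot: "char salt[13];" in the new declarations is too small and never initialised. The next hunk copies 13 bytes into it with memcpy and hands it to crypt(), which expects a NUL-terminated string, so there is no room for the terminator. Give it space for the terminator and zero it, for example "char salt[14] = {0};", or drop the buffer and pass the stored hash itself as the second argument to crypt().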
***************
*** 182,193 ****
        goto done;
      }

      /* At the point this has been called, the username has been canonified
       * and we've done the auxprop lookup.  This should be easy. */
      if(auxprop_values[0].name
         && auxprop_values[0].values
         && auxprop_values[0].values[0]
!        && !strcmp(auxprop_values[0].values[0], passwd)) {
        /* We have a plaintext version and it matched! */
        return SASL_OK;
      } else if(auxprop_values[1].name
--- 186,210 ----
        goto done;
      }

+     /* encrypt the passwd and then compare it with the encrypted passwd */
+     if(strlen(auxprop_values[0].values[0]) > 13)
+     {
+         /* MD5 */
+         memcpy(salt,auxprop_values[0].values[0],13);
+     }
+     else
+     {
+         /* DES */
+         memcpy(salt,auxprop_values[0].values[0],3);
+     }
+     crypt_passwd = crypt(passwd,salt);
+
      /* At the point this has been called, the username has been canonified
       * and we've done the auxprop lookup.  This should be easy. */
      if(auxprop_values[0].name
         && auxprop_values[0].values
         && auxprop_values[0].values[0]
!        && !strcmp(auxprop_values[0].values[0], crypt_passwd)) {
        /* We have a plaintext version and it matched! */
        return SASL_OK;
      } else if(auxprop_values[1].name
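Review bot: the added block calls strlen(auxprop_values[0].values[0]) before the NULL checks on auxprop_values[0].values and values[0] that follow it, so an entry with no stored value is dereferenced as a NULL pointer; move the crypt() call inside the existing if, after those checks. In the same block the salt is filled with memcpy but never NUL-terminated before "crypt(passwd,salt)", and crypt() can return NULL, which then goes straight into strcmp(). The comment "We have a plaintext version and it matched!" no longer describes the comparison, which now fails for any value that really is stored in plaintext.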




Here is the patch for the ebuild itself:
*** cyrus-sasl-2.1.18.ebuild    Mon May 17 05:26:25 2004
--- cyrus-sasl-2.1.18-r1.ebuild Mon May 17 06:23:20 2004
***************
*** 50,55 ****
--- 50,58 ----
        # Fix include path for newer PostgreSQL versions.
        epatch "${FILESDIR}/cyrus-sasl-2.1.17-pgsql-include.patch"

+       # Add support for encrypted passwords
+       use mysql && epatch "${FILESDIR}/cyrus-sasl-2.1.17-mysql-crypt.patch"
+
        # Recreate configure.
        export WANT_AUTOCONF="2.5"
        rm -f configure config.h.in saslauthd/configure
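Review bot: the epatch line is gated on "use mysql", but the patch it applies rewrites the generic comparison in lib/checkpw.c with no conditional, so a build with that USE flag compares every auxprop password against crypt() output, not only MySQL-backed ones. Put it behind its own USE flag, or at least state the behaviour change in the comment above the epatch call. The patch file also keeps the 2.1.17 name while being applied to 2.1.18; say in the comment that it was checked against the new source.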
***************
*** 78,83 ****
--- 81,87 ----

        if [ "`use mysql`" -o "`use postgres`" ] ; then
                myconf="${myconf} --enable-sql"
+               echo sql enabled
        else
                myconf="${myconf} --disable-sql"
        fi
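Review bot: "echo sql enabled" in the mysql/postgres branch reads as leftover debugging output. Remove it, or use einfo if the message is meant for the person running the build.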
***************
*** 87,92 ****
--- 91,99 ----
                myconf="${myconf} --with-dblib=berkeley"
        fi

+       # for crypt patch
+       use mysql && append-flags -lcrypt
+
        # Compaq-sdk checks for -D_REENTRANT and -pthread takes care the cpp stuff.
        use alpha && append-flags -D_REENTRANT -pthread

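Review bot: "append-flags -lcrypt" puts a linker library into the compiler flags. append-flags edits CFLAGS/CXXFLAGS, so -lcrypt ends up on every compile command and its position on the link line is left to chance. Pass the library through LIBS or the package's own link flags instead, and say in the comment which symbol (crypt()) needs it.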


All of this is needed for PostfixAdmin, which stores user passwords as MD5 hashes within MySQL.  This has been tested and works flawlessly.  The postfixadmin ebuild will also need to depend on this version of cyrus-sasl.

Reproducible: Always

emerge info
Portage 2.0.50-r6 (default-amd64-2004.0, gcc-3.3.3, glibc-2.3.3_pre20040420-r0,
2.6.5-gentoo-r1)
=================================================================
System uname: 2.6.5-gentoo-r1 x86_64 4
Gentoo Base System version 1.4.10
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-xp -mmmx -msse2 -O3 -pipe -m64 -mfpmath=sse
-fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -mmmx -msse2 -O3 -pipe -m64 -mfpmath=sse
-fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi amd64 apache2 apm arts avi crypt dedicated divx4linux dvb encode
foomaticdb gdbm gif gpm imap imlib jpeg kde ldap libwww maildir mikmod motif
mpeg mysql ncurses nls nogcj oggvorbis oss pam pdflib perl png python quicktime
readline samba sasl sdl slang snmp speex spell ssl tcpd truetype vhosts xml2 xv
zlib"
Comment 1 Tuan Van (RETIRED) gentoo-dev 2004-07-18 22:08:50 UTC
Looks like the patch originates from this URL:
http://www.viperstrike.com/~lopaka/sysadmin/cyrus-sasl-mysql-encrypt/software-sources/patch

I really don't feel like applying a third party's patch to cyrus-sasl.
Maintenance headache. What if the patch does not apply cleanly to the next cyrus-sasl? We have very limited resources; only one change from 2.1.17 already created a ton of bugs, and we would like to avoid things like that happening again.
A similar patch got rejected: http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=5673 so I don't think it is a good idea to include it in Gentoo. If people need this patch, they should know how to apply it easily.

There is another way to have your passwords encrypted in mysql, using pam_mysql (I tested this method myself with cyrus-sasl-2.1.19). If you are interested, I'll post a mini howto somewhere.

I'll leave the bug open for other devs to comment if their opinion differs from mine. Otherwise, I'll close it as WONTFIX in a week.

Best,
Tuan
Comment 2 Tuan Van (RETIRED) gentoo-dev 2004-08-01 14:15:31 UTC

*** This bug has been marked as a duplicate of 45181 ***
Comment 3 Ryan Earl 2004-08-09 16:00:56 UTC
Yea, it was based off a BSD patch that memleaked, I cleaned up the leak and removed the BSD specific stuff.

I realized the shortcomings of this patch after I had forgotten about this bug submission.  I only realized later that it broke CRAM-MD5 and a bunch of other authentication mechanisms.

I'm trying to implement the same functionality using encode() inside of mysql but I'm not sure what the salt should be.  Username?

I would definitely be interested in a mini-howto on the matter.  I'm using PostfixAdmin to manage many virtual domains, which stores user passwords as md5 hashes I believe.
Comment 4 Tuan Van (RETIRED) gentoo-dev 2004-08-10 15:14:14 UTC
# emerge pam_mysql
# cat /etc/sasl2/smtpd.conf
### saslauthd
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN DIGEST-MD5 CRAM-MD5

# cat /etc/pam.d/saslauthd
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=somepass table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=somepass table=users usercolumn=email passwdcolumn=crypt crypt=1
# less /usr/share/doc/pam_mysql-0.5/Readme.gz    # for more info

Change the options in /etc/pam.d/saslauthd to suit your setup, and you might have to change to "crypt=2" if you are using the MySQL PASSWORD() function.

[quote from Readme]
crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
            0 = No encryption. Passwords in database in plaintext. NOT recommended!
            1 = Use crypt
            2 = Use MySQL PASSWORD() function
[/quote]
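
A check for the PAM stack described in this comment, as an added example (not part of the original comment and not pam_mysql's own code): it parses a service file such as /etc/pam.d/saslauthd and flags pam_mysql rules that compare plaintext passwords, carry the database password inline, or are marked optional next to other modules of the same type. The sample file is constructed, the finding names are made up for this sketch, and treating a missing crypt= as 0 is an assumption based on the "crypt(0)" heading in the quoted Readme.

```python
import re

# Constructed sample in the style of the /etc/pam.d/saslauthd files quoted in
# this thread; not taken from a real system.
SAMPLE = r"""#%PAM-1.0
auth     required       pam_nologin.so
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=somepass table=users usercolumn=email passwdcolumn=crypt crypt=0
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=somepass table=users usercolumn=email passwdcolumn=crypt
"""

# type, control (plain word or [bracketed] form), module path, remaining args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return [(type, control, module, options)], joining '\\' continuations."""
    rules = []
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        m = RULE.match(line.strip())
        if not m:  # blank lines and '#' comments do not match
            continue
        ptype, control, module, args = m.groups()
        # Split on the first '=' only, so where=active=1 keeps "active=1".
        opts = dict(a.partition("=")[::2] for a in args.split())
        rules.append((ptype, control, module.rsplit("/", 1)[-1], opts))
    return rules


def audit(text):
    """Return sorted (type, finding) pairs for the pam_mysql rules in the file."""
    rules = parse_pam(text)
    findings = set()
    for ptype, control, module, opts in rules:
        if module != "pam_mysql.so":
            continue
        if ptype in ("auth", "password"):
            # Assumption: a missing crypt= means 0 (the Readme's "crypt(0)").
            mode = opts.get("crypt", "0")
            if mode == "0":
                findings.add((ptype, "plaintext-passwords"))
            elif mode not in ("1", "2"):
                findings.add((ptype, "unknown-crypt-value"))
        if "passwd" in opts:
            # The DB credential sits in the service file: keep it root-only.
            findings.add((ptype, "db-password-in-file"))
        peers = [r for r in rules if r[0] == ptype]
        if control == "optional" and len(peers) > 1:
            # Linux-PAM: an optional module's result only matters when it is
            # the only module of its type in the stack.
            findings.add((ptype, "optional-result-ignored"))
    return sorted(findings)


if __name__ == "__main__":
    for ptype, finding in audit(SAMPLE):
        print(f"{ptype:8} {finding}")
```
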
Comment 5 Ryan Earl 2004-08-12 17:59:57 UTC
Created attachment 37326 [details, diff]
pam_mysql-0.5.ebuild patch to -r1

This patch is needed for amd64 systems.  Without the patch, the compilation
goes like:

gcc -march=k8 -O3 -pipe -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall
-Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional
-Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow
-pedantic -fPIC -DPAM_DYNAMIC  -c pam_mysql.c -o dynamic/pam_mysql.o
pam_mysql.c: In function `breakArgs':
pam_mysql.c:157: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `parseArgs':
pam_mysql.c:233: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `db_connect':
pam_mysql.c:391: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `db_close':
pam_mysql.c:420: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `db_checkpasswd':
pam_mysql.c:429: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `converse':
pam_mysql.c:613: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c:617: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c: In function `saltify':
pam_mysql.c:636: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `updatePasswd':
pam_mysql.c:675: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `askForPassword':
pam_mysql.c:800: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `sqlLog':
pam_mysql.c:839: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `pam_sm_authenticate':
pam_mysql.c:982: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c:1009: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1014: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c: In function `pam_sm_acct_mgmt':
pam_mysql.c:1047: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `pam_sm_setcred':
pam_mysql.c:1057: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `pam_sm_chauthtok':
pam_mysql.c:1069: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c:1113: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1120: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1147: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1158: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1173: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c:1180: warning: dereferencing type-punned pointer will break
strict-aliasing rules
pam_mysql.c: In function `pam_sm_open_session':
pam_mysql.c:1201: warning: traditional C rejects ISO C style function
definitions
pam_mysql.c: In function `pam_sm_close_session':
pam_mysql.c:1211: warning: traditional C rejects ISO C style function
definitions

With the patch it looks like:

emerge pam_mysql
gcc -march=k8 -O3 -pipe -Dlinux -DLINUX_PAM -ansi -D_POSIX_SOURCE -Wall
-Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wno-strict-aliasing
-Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow
-pedantic -fPIC -DPAM_DYNAMIC  -c pam_mysql.c -o dynamic/pam_mysql.o
gcc -shared -Xlinker -x -L/usr/lib/mysql -lz -o pam_mysql.so
dynamic/pam_mysql.o  -lmysqlclient -lcrypt

>>> Install pam_mysql-0.5-r1 into /var/tmp/portage/pam_mysql-0.5-r1/image/
category sys-libs

Should I make a new bug report for this?  I am about to try using pam_mysql per
your instructions.
Comment 6 Ryan Earl 2004-08-12 18:03:15 UTC
Comment on attachment 37326 [details, diff]
pam_mysql-0.5.ebuild patch to -r1

--- pam_mysql-0.5.ebuild	2004-06-24 18:37:03.000000000 -0500
+++ pam_mysql-0.5-r1.ebuild	2004-08-12 19:50:11.678534816 -0500
@@ -10,14 +10,14 @@
 DEPEND=">=sys-libs/pam-0.72 >=dev-db/mysql-3.23.38"
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="x86 ~ppc ~sparc ~alpha ~amd64"
+KEYWORDS="x86 ~ppc ~sparc ~alpha amd64"

 src_unpack() {
	unpack ${A} || die
	cd ${S} || die

-	cp Makefile Makefile.orig
-	sed -e "s%-O2%${CFLAGS}%" Makefile.orig > Makefile
+	sed -e "s%-O2%${CFLAGS}%" Makefile > Makefile2
+	sed -e "s%-Wtraditional%-Wno-strict-aliasing%" Makefile2 > Makefile
	#i dont think this is needed --woodchip
	#-e 's%^\(export LD_D=.*\)%\1 -lz%' \
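Review bot: swapping -Wtraditional for -Wno-strict-aliasing in the second sed only hides the "dereferencing type-punned pointer" warnings; the first sed still substitutes the user's CFLAGS for -O2, so the aliasing violations are compiled as before and remain open to miscompilation at higher optimisation levels. Prefer adding -fno-strict-aliasing (or fixing the casts) and dropping -Wtraditional as its own change. The KEYWORDS line also moves ~amd64 straight to amd64 in the same revision; consider keeping ~amd64 for the new -r1 until it has been tested.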
Comment 7 Ryan Earl 2004-08-12 18:05:51 UTC
Created attachment 37327 [details]
correct patch 0.5 => 0.5-r1

I ran diff -u with the files in the wrong order.  This should be the correct
patch.
Comment 8 Tuan Van (RETIRED) gentoo-dev 2004-08-12 18:15:59 UTC
> Should I make a new bug report for this?
Please do. pam_mysql is maintained by a different herd. And your patch is about amd64, so you should assign the bug to them and CC base-system@g.o.
Comment 9 Ryan Earl 2004-08-13 15:51:19 UTC
I tried the setup you suggested, but cannot get it to authenticate.  I keep getting the following errors:

Aug 13 17:49:00 palace postfix/smtpd[11841]: sql_select option missing
Aug 13 17:49:00 palace postfix/smtpd[11841]: auxpropfunc error no mechanism available
Aug 13 17:49:00 palace postfix/smtpd[11841]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

Ideas?  I noticed there was a pam_mysql USE option for cyrus-sasl 2.1.18 but not 2.1.19.  I've tried them all and none worked.
Comment 10 Tuan Van (RETIRED) gentoo-dev 2004-08-14 09:45:22 UTC
Did you edit your /etc/conf.d/saslauthd
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
and restart /etc/init.d/saslauthd ?
Comment 11 Ryan Earl 2004-08-30 13:30:36 UTC
Apparently I missed the email for the reply to this.  I did edit said file, and the -r (realm) option only works in 2.1.19 and later apparently.  It looks like that error message is only printed when a smtpd process starts for the first time, here's a snip of the logfile:

Aug 30 13:56:09 palace postfix/postfix-script: stopping the Postfix mail system
Aug 30 13:56:09 palace postfix/master[18414]: terminating on signal 15
Aug 30 13:56:11 palace postfix/postfix-script: starting the Postfix mail system
Aug 30 13:56:11 palace postfix/master[26062]: daemon started -- version 2.1.3
Aug 30 13:57:41 palace postfix/smtpd[26074]: sql_select option missing
Aug 30 13:57:41 palace postfix/smtpd[26074]: auxpropfunc error no mechanism available
Aug 30 13:57:41 palace postfix/smtpd[26074]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Aug 30 13:57:41 palace postfix/smtpd[26074]: connect from vger.kernel.org[12.107.209.244]
Aug 30 13:57:41 palace postfix/smtpd[26074]: BE4BA239F78: client=vger.kernel.org[12.107.209.244]
Aug 30 13:57:41 palace postfix/cleanup[26079]: BE4BA239F78: message-id=<20040830182141.GB8990@mars.ravnborg.org>
Aug 30 13:57:41 palace postfix/qmgr[26069]: BE4BA239F78: from=<linux-kernel-owner+heretic=40clanhk.org-S268251AbUH3SvM@vger.kernel.org>, size=2934, nrcpt=1 (queue active)
Aug 30 13:57:48 palace postfix/smtpd[26084]: sql_select option missing
Aug 30 13:57:48 palace postfix/smtpd[26084]: auxpropfunc error no mechanism available
Aug 30 13:57:48 palace postfix/smtpd[26084]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Aug 30 13:57:48 palace postfix/smtpd[26084]: connect from localhost[127.0.0.1]
Aug 30 13:57:48 palace postfix/smtpd[26084]: 730E9239FFB: client=localhost[127.0.0.1]
Aug 30 13:57:48 palace postfix/cleanup[26079]: 730E9239FFB: message-id=<20040830182141.GB8990@mars.ravnborg.org>
Aug 30 13:57:48 palace postfix/qmgr[26069]: 730E9239FFB: from=<linux-kernel-owner+heretic=40clanhk.org-S268251AbUH3SvM@vger.kernel.org>, size=3377, nrcpt=1 (queue active)
Aug 30 13:57:48 palace postfix/smtpd[26084]: disconnect from localhost[127.0.0.1]
Aug 30 13:57:48 palace amavis[24224]: (24224-04) Passed, <linux-kernel-owner+heretic=40clanhk.org-S268251AbUH3SvM@vger.kernel.org> -> <heretic@clanhk.org>, Message-ID: <20040830182141.GB8990@mars.ravnborg.org>, Hits: 0
Aug 30 13:57:48 palace postfix/lmtp[26081]: BE4BA239F78: to=<heretic@clanhk.org>, relay=127.0.0.1[127.0.0.1], delay=7, status=sent (250 2.6.0 Ok, id=24224-04, from MTA: 250 Ok: queued as 730E9239FFB)
Aug 30 13:57:48 palace postfix/qmgr[26069]: BE4BA239F78: removed
Aug 30 13:57:48 palace postfix/virtual[26085]: 730E9239FFB: to=<heretic@clanhk.org>, relay=virtual, delay=0, status=sent (delivered to maildir)
Aug 30 13:57:48 palace postfix/qmgr[26069]: 730E9239FFB: removed
Aug 30 13:58:30 palace postfix/smtpd[26074]: 10B2E239FFB: client=vger.kernel.org[12.107.209.244]
Aug 30 13:58:30 palace postfix/cleanup[26079]: 10B2E239FFB: message-id=<20040830181821.GQ19844@mea-ext.zmailer.org>
Aug 30 13:58:30 palace postfix/qmgr[26069]: 10B2E239FFB: from=<linux-kernel-owner+heretic=40clanhk.org-S268219AbUH3Sww@vger.kernel.org>, size=3322, nrcpt=1 (queue active)
Aug 30 13:58:33 palace postfix/smtpd[26074]: disconnect from vger.kernel.org[12.107.209.244]
Aug 30 13:58:33 palace postfix/smtpd[26084]: connect from localhost[127.0.0.1]
Aug 30 13:58:33 palace postfix/smtpd[26084]: 9742923A044: client=localhost[127.0.0.1]
Aug 30 13:58:33 palace postfix/cleanup[26079]: 9742923A044: message-id=<20040830181821.GQ19844@mea-ext.zmailer.org>
Aug 30 13:58:33 palace postfix/qmgr[26069]: 9742923A044: from=<linux-kernel-owner+heretic=40clanhk.org-S268219AbUH3Sww@vger.kernel.org>, size=3767, nrcpt=1 (queue active)
Aug 30 13:58:33 palace postfix/smtpd[26084]: disconnect from localhost[127.0.0.1]
Aug 30 13:58:33 palace amavis[24224]: (24224-04-2) Passed, <linux-kernel-owner+heretic=40clanhk.org-S268219AbUH3Sww@vger.kernel.org> -> <heretic@clanhk.org>, Message-ID: <20040830181821.GQ19844@mea-ext.zmailer.org>, Hits: 0
Aug 30 13:58:33 palace postfix/lmtp[26081]: 10B2E239FFB: to=<heretic@clanhk.org>, relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 2.6.0 Ok, id=24224-04-2, from MTA: 250 Ok: queued as 9742923A044)
Aug 30 13:58:33 palace postfix/qmgr[26069]: 10B2E239FFB: removed
Aug 30 13:58:33 palace postfix/virtual[26085]: 9742923A044: to=<heretic@clanhk.org>, relay=virtual, delay=0, status=sent (delivered to maildir)
Aug 30 13:58:33 palace postfix/qmgr[26069]: 9742923A044: removed


The thing is, I'm not using auxprop anymore.  I don't do anything with SQL in SASL, it's all PAM now right?

cat /etc/sasl2/smtpd.conf
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.sasl,v 1.1 2003/09/24 05:08:51 max Exp $
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN DIGEST-MD5 CRAM-MD5


cat /etc/conf.d/saslauthd
# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd2.conf,v 1.3 2004/07/18 02:56:59 dragonheart Exp $

# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# *NOTE* For list see: saslauthd -v
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"

# Specify the hostname for remote IMAP server.
# *NOTE* Only needed if rimap auth mech is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, cache size, and timeout.
# *NOTE* Size is measured in kilobytes
#        Timeout is measured in seconds
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"


cat /etc/pam.d/saslauthd
#%PAM-1.0
auth     required       pam_nologin.so
auth     required       pam_mysql.so host=localhost db=postfix user=postfix \
  passwd=something table=users usercolumn=username passwdcolumn=password crypt=1 where=active=1

account  required       pam_mysql.so host=localhost db=postfix user=postfix \
  passwd=something table=users usercolumn=username passwdcolumn=password crypt=1 where=active=1

session  required       pam_mysql.so host=localhost db=postfix user=postfix \
  passwd=something table=users usercolumn=username passwdcolumn=password crypt=1 where=active=1


It never hits MySQL though, no queries are ever made when someone tries to authenticate through SMTP.  This might be an unrelated problem, but unencrypted IMAP authentication stopped working as well.  imapd-ssl however never stopped working.  I tried pretty much every version of courier-imap from 3.0.2 to 3.0.7 and they all broke.  This worked before I tried to use pam_mysql and I'm horribly confused as to why imapd just stopped authenticating yet imapd-ssl works still.  I was going to rimap with saslauthd, but it would work because imapd auth stopped working.  I actually didn't notice until I tried to check webmail which is what I used unencrypted IMAP for.  If I could get either SASL or IMAP auth to work, I'd be ok.  Can you "rimaps"?  Like, remote IMAP across SSL through SASL?  If that worked, I'd also be OK.

I'm trying to see if I can't get SASL=>authdaemond passthru to work.  The sasl errors in postfix really confuse me.  I made sure all the processes died off and it wasn't a hung process from a changed init.d script...