Date: Sat, 3 Mar 2001 14:43:39 +1000
From: "Tim McCullagh" <timbo@halenet.com.au>
To: <freebsd-security@freebsd.org>
Subject: Pam_radius readme
Message-ID: <01f401c0a39c$85f92fe0$6500a8c0@halenet.com.au>

Hi All,

Can anyone tell me whether I am reading this incorrectly? In the Pam_mysql
readme below, the sample config shows the username and password in plain
text. How would I best make this much more secure in my /etc/pam.conf? If
I enter this as the example shows, then if I am reading this correctly, all
anyone will need to do is read my pam.conf to get access to this machine and
any databases that may be specified. My /etc/pam.conf file permissions
are 644. Is this incorrect?

Can anyone give me some direction on how to best tighten any security that
would enable me to use the pam_mysql-4.7 port from where this readme has
been copied?

Any links to directions on how to set up PAM would also be appreciated.

Thanks for your input.

Tim

PAM MYSQL README

Pam_Mysql Version 0.4.5

To try this, you need PAM to already be installed and working and have a
MySQL server up and running as well. I typically copy the pam_mysql.so to
/lib/security and make the proper changes to /etc/pam.d/ and /etc/pam.conf

An example of a config file:

    auth       optional     pam_mysql.so user=root passwd=password
    account    required     pam_mysql.so user=root passwd=password

The options that it understands are (defaults are in parentheses):

user(nobody) -- The user with access to open the connection to mysql
                and has permission to read the table with the passwords.
passwd("") -- Password for the same.
host(localhost) -- Machine that is running the sql server
db(mysql) -- database that contains the table with the user/password
             combos
table(user) -- table that you want to use for the user/password checking
usercolumn(User) -- column that has the username field
passwdcolumn(password) -- column that has the password field
crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
            0 = No encryption. Passwords in database in plaintext. NOT
                recommended!
            1 = Use crypt
            2 = Use MySQL PASSWORD() function
where("") -- Used to specify additional criteria for the query. For example:
                 where=enabled=1
             Note, the where can NOT contain any spaces in this release and
             currently, only number columns appear to work. Both these problems
             will be investigated in due course :)

BUGS

User names and passwords are logged in the clear to mysql.log if you log
select statements... Current solution, don't log select statements. (Not
sure why you'd want to anyway, slogs your system down badly!)
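
Added example, not part of the original message or of the pam_mysql project: a Python audit of a PAM configuration file for the three issues the message and the README raise (a passwd= option in a world-readable file, user=root, and an effective crypt=0), applying the README's defaults for options that are left out. The sample lines, the pamreader account and the function names are constructed for illustration.

```python
import os
import stat
import tempfile

DEFAULTS = {"user": "nobody", "passwd": "", "crypt": "0"}  # from the README's option list
# Constructed sample in pam.conf layout; "pamreader" is a hypothetical account.
SAMPLE = (
    "login auth    optional pam_mysql.so user=root passwd=password\n"
    "login account required pam_mysql.so user=pamreader passwd=s3cret crypt=1 where=enabled=1\n"
)

def parse_pam_mysql_line(line):
    """Return the options of a pam_mysql.so line, or None for any other line."""
    fields = line.split("#", 1)[0].split()
    for i, field in enumerate(fields):
        if os.path.basename(field) == "pam_mysql.so":
            # Split on the first '=' only, so where=enabled=1 stays intact.
            return dict(f.split("=", 1) for f in fields[i + 1:] if "=" in f)
    return None

def audit(path):
    """Return (line number, finding) pairs for every pam_mysql line in path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            opts = parse_pam_mysql_line(line)
            if opts is None:
                continue
            effective = {**DEFAULTS, **opts}
            if opts.get("passwd") and mode & stat.S_IROTH:
                findings.append((lineno, "passwd= in world-readable file (mode %04o)" % mode))
            if effective["user"] == "root":
                findings.append((lineno, "connects to MySQL as root"))
            if effective["crypt"] == "0":
                findings.append((lineno, "crypt=0: table holds plaintext passwords"))
    return findings

def demo(mode):
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE)
    try:
        os.chmod(fh.name, mode)
        return audit(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print(demo(0o644), demo(0o600))
```

Changing the file mode clears only the first finding; the root login and the plaintext-password table setting are reported regardless of permissions.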
