From owner-freebsd-security Fri Mar 2 20:41:31 2001
Delivered-To: freebsd-security@freebsd.org
Message-ID: <01f401c0a39c$85f92fe0$6500a8c0@halenet.com.au>
From: "Tim McCullagh"
Subject: Pam_radius readme
Date: Sat, 3 Mar 2001 14:43:39 +1000

Hi All,

Can anyone tell me whether I am reading this incorrectly? In the Pam_mysql readme below, the sample config shows the username and password in plain text.

How would I best make this much more secure in my /etc/pam.conf? If I enter this as the example shows, then if I am reading this correctly, all anyone will need to do is read my pam.conf to get access to this machine and any databases that may be specified.

My /etc/pam.conf file permissions are 644. Is this incorrect?

Can anyone give me some direction on how to best tighten any security, that would enable me to use the pam_mysql-4.7 port from where this readme has been copied.

Any links to directions on how to set up PAM would also be appreciated.

Thanks for your input

Tim

PAM MYSQL README

Pam_Mysql Version 0.4.5

To try this, you need PAM to already be installed and working and have a MySQL server up and running as well.

I typically copy the pam_mysql.so to /lib/security and make the proper changes to /etc/pam.d/ and /etc/pam.conf

An example of a config file:

    auth optional pam_mysql.so user=root passwd=password
    account required pam_mysql.so user=root passwd=password

The options that it understands are:

Defaults are in ()

    user(nobody) -- The user with access to open the connection to mysql and has permission to read the table with the passwords.
    passwd("") -- Password for the same.
    host(localhost) -- Machine that is running the sql server
    db(mysql) -- database that contains the table with the user/password combos
    table(user) -- table that you want to use for the user/password checking
    usercolumn(User) -- column that has the username field
    passwdcolumn(password) -- column that has the password field
    crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
        0 = No encryption. Passwords in database in plaintext. NOT recommended!
        1 = Use crypt
        2 = Use MySQL PASSWORD() function
    where("") -- Used to specify additional criteria for the query. For example: where=enabled=1

Note, the where can NOT contain any spaces in this release and currently, only number columns appear to work. Both these problems will be investigated in due course :)

BUGS

User names and passwords are logged in the clear to mysql.log if you log select statements... Current solution, don't log select statements. (Not sure why you'd want to anyway, slows your system down badly!)
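
An added example, not part of the original message or the pam_mysql README: a Python check that parses PAM configuration lines for pam_mysql and reports the three risks raised above (an inline passwd= in a file readable by non-owners, user=root, and crypt=0). The function names, the second sample line and its account values are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_pam_mysql_options(line):
    """Return the key=value options of a pam_mysql line, or None for other lines."""
    fields = line.split("#", 1)[0].split()  # drop trailing comment, split on whitespace
    for i, field in enumerate(fields):
        if os.path.basename(field) == "pam_mysql.so":
            return dict(f.split("=", 1) for f in fields[i + 1:] if "=" in f)
    return None

def audit_pam_file(path):
    """Return (line_number, finding) tuples for one PAM configuration file."""
    mode = os.stat(path).st_mode
    non_owner_read = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            opts = parse_pam_mysql_options(line)
            if opts is None:
                continue
            if opts.get("passwd") and non_owner_read:
                findings.append((lineno, "inline passwd= readable by non-owners"))
            if opts.get("user") == "root":
                findings.append((lineno, "connects to MySQL as root"))
            # The README gives crypt(0) as the default: plaintext passwords in the table.
            if opts.get("crypt", "0") == "0":
                findings.append((lineno, "crypt=0: plaintext passwords in table"))
    return findings

def demo():
    # Line 1 is the README's example; line 2 uses made-up account values.
    sample = (
        "auth optional pam_mysql.so user=root passwd=password\n"
        "account required pam_mysql.so user=pamread passwd=example crypt=1\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(sample)
    try:
        os.chmod(fh.name, 0o644)
        loose = audit_pam_file(fh.name)
        os.chmod(fh.name, 0o600)
        tight = audit_pam_file(fh.name)
    finally:
        os.unlink(fh.name)
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

At mode 644 both sample lines are flagged for the inline password; at mode 600 only the user=root and default crypt=0 findings on the README's example line remain.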