The pam_kmux module for changing passwords in multiple databases.

0.1

Author:
Julian Thome
Date:
2009-11-12

ToC

  1. What is pam_kmux?
  2. Quick Install.
  3. Limitations.
  4. Options.
  5. Configuration file.
    1. Explanation
    2. Sample-configuration-file
    3. Sample-pam-configuration

What is pam_kmux?

pam_kmux is a PAM module that allows user passwords to be changed in multiple databases. This is useful if you have several applications that each store passwords in their own database. If you want to keep the passwords in sync, you only need to configure the application backends in the pam_kmux configuration file. When a user then changes their password, it is changed in all configured backends, each using the hash type specified for it.

Quick Install.

  1. make all 

    Build the module. Make sure the libraries for postgres, firebird, mysql, pam, libconfuse and crypt are installed; they are required to build the module.
  2. make install 

    Copy the module to /lib/security and the sample configuration file pam_kmux.conf to /etc.

Limitations.

  1. pam_kmux currently only supports changing passwords in several databases. Authentication against the backends is only used for preliminary checks (for example, pinging the remote name services to see whether they are ready for updates).

Options.

  1. debug 

    If this option (without a value) is given, most actions are logged via syslog.
  2. conffile=<path2conffile> 

    If this option (with a value) is given, the specified path is used to load the configuration file instead of the default /etc/pam_kmux.conf.

Configuration file.

Explanation

# $Id$
# pam_kmux configuration explanation


# <database-entry-name>: This name is only used to make the configuration of several
#       database connections clearer.
database <database-entry-name> {
        type = "mysql" | "postgres" | "firebird"
        # connection related options.
        connection {
                #  <database-name>: This option specifies the name of your database. If you
                #       use a firebird database, this option should contain the path to your fdb file.
                database_name = <database-name>
                #  <host>: This option specifies the database host. It can be set to the hostname or the
                #       host IP address.
                host = <host>
                #  <port>: This option specifies the database port. It is currently only recognized by the
                #       database types mysql and postgres.
                port = <database-port>
                #  <user>: The database user for the database logon.
                user = <database-user>
                #  <password>: The password of the database user for the database logon.
                password = <password>
                #  <timeout>: The database connection timeout. This option is currently only recognized by the database
                #       types mysql and postgres.
                timeout = <timeout in sec>
        }
        # table related options.
        table {
                #  <table_name>: The table which contains the password and user columns.
                table_name = <table-name>
                #  <password-column>: The password column in the specified table.
                column_password = <password-column>
                #  <user-column>: The user column in the specified table.
                column_user = <user-column>
        }
        # password related options.
        password {
                #  The option type selects the hash applied to the new user password before it is written to
                #       the database and can be one of the following:
                #       
                #       clear: Cleartext password.
                #       t9: Use the text on 9 keys algorithm.
                #       md5: Creates an md5 hash.
                #       t9_md5: First hash the password with t9, then with md5.
                #       crypt: Makesalt - hash the password with crypt using an automatically generated salt.
                #       crypt_md5: The same as crypt, but the result looks like an md5 hash.
                #       sha1: Secure Hash Algorithm.
                type = "clear" | "t9" | "md5" | "t9_md5" | "crypt" | "crypt_md5" | "sha1"
                #  The queries which are executed on the databases to get and to set passwords. The get query is needed
                #  for the preliminary backend authentication and the set query to update the password.
                #  The following reserved words are substituted in the queries:
                #       %u: User who wants to change the password.
                #       %p: Hashed user password.
                #       %s: PAM service name.
                #       %c: Value of column_password.
                #       %o: Value of column_user.
                #       %t: Value of table_name.
                #       %h: Contains PAM_RHOST.
                #       %i: Contains the address of PAM_RHOST.
                query_get = <password-get-query>
                query_set = <password-set-query>
        }
}
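The following is an added worked example, not code from pam_kmux itself, showing how the password block above is applied: the password is hashed with the configured type and the reserved words are substituted into query_get/query_set. The backend entry is constructed for the example; the T9 keypad mapping is an assumption (the module's exact "text on 9 keys" variant is not documented here), and the crypt variants are left out because they need the system crypt(3). The example quotes %u, %p, %s, %h and %i as SQL string literals before substitution; whether the module itself quotes them is not stated on this page, so treat that as the example's own choice.

```python
import hashlib
import re

# Constructed sample backend entry mirroring the fields of a "database" block
# in pam_kmux.conf (values are made up for this example).
SAMPLE_BACKEND = {
    "table_name": "tab_user",
    "column_password": "passwd0",
    "column_user": "username",
    "type": "t9",
    "query_get": "select %c from %t where %o = %u",
    "query_set": "update %t set %c = %p where %o = %u",
}

# Assumed T9 mapping: each letter maps to the digit of the phone key carrying it.
_T9 = {ch: digit
       for digit, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                              "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items()
       for ch in letters}


def t9(text: str) -> str:
    """Map letters to keypad digits; other characters pass through (assumption)."""
    return "".join(_T9.get(ch.lower(), ch) for ch in text)


def hash_password(password: str, hash_type: str) -> str:
    """Apply the hash named by the 'type' option of the password block."""
    if hash_type == "clear":
        return password
    if hash_type == "t9":
        return t9(password)
    if hash_type == "md5":
        return hashlib.md5(password.encode()).hexdigest()
    if hash_type == "t9_md5":
        return hashlib.md5(t9(password).encode()).hexdigest()
    if hash_type == "sha1":
        return hashlib.sha1(password.encode()).hexdigest()
    if hash_type in ("crypt", "crypt_md5"):
        raise NotImplementedError("crypt variants need the system crypt(3); not shown here")
    raise ValueError(f"unknown password type: {hash_type}")


def sql_literal(value: str) -> str:
    """Quote a value as a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def expand_query(template: str, backend: dict, user: str, hashed_password: str,
                 service: str = "passwd", rhost: str = "", rhost_addr: str = "") -> str:
    """Substitute the reserved words (%u %p %s %c %o %t %h %i) into a query template.

    Identifiers (%c, %o, %t) come straight from the configuration; user-supplied
    values are inserted as quoted literals. An unknown %x is rejected rather than
    silently left in the query.
    """
    mapping = {
        "u": sql_literal(user),
        "p": sql_literal(hashed_password),
        "s": sql_literal(service),
        "c": backend["column_password"],
        "o": backend["column_user"],
        "t": backend["table_name"],
        "h": sql_literal(rhost),
        "i": sql_literal(rhost_addr),
    }

    def repl(match: re.Match) -> str:
        key = match.group(1)
        if key not in mapping:
            raise ValueError(f"unknown reserved word %{key}")
        return mapping[key]

    return re.sub(r"%([a-z])", repl, template)


def build_queries(backend: dict, user: str, new_password: str) -> tuple:
    """Return (query_get, query_set) for one backend, as the module would run them."""
    hashed = hash_password(new_password, backend["type"])
    return (expand_query(backend["query_get"], backend, user, hashed),
            expand_query(backend["query_set"], backend, user, hashed))


if __name__ == "__main__":
    for q in build_queries(SAMPLE_BACKEND, "alice", "secret"):
        print(q)
```

With the sample entry the set query expands to `update tab_user set passwd0 = '732738' where username = 'alice'`; switching the entry's type to sha1 or md5 changes only the %p literal, which is the single place where the per-backend hash selection shows up.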

Sample-configuration-file

# $Id$
# pam_kmux configuration

database kmux_mysql {
        type = "mysql"
        connection {
                database_name = "kmux_testdb"
                host = "localhost"
                port = "3306" 
                user = "kmux.admin"
                password = "kmux.admin"
                timeout = "30"
        }
        table {
                table_name = "tab_user"
                column_password = "passwd0"
                column_user = "username"
        }
        password {
                type = "t9"
                query_get = "select %c from %t where %o = %u"
                query_set = "update %t set %c = %p where %o = %u"
        }
}

database kmux_pgsql {
        type = "postgres"
        connection {
                database_name = "kmux_testdb"
                host = "localhost"
                port = "5432" 
                user = "kmux.admin"
                password = "kmux.admin"
                timeout = "30"
        }
        table {
                table_name = "tab_user"
                column_password = "passwd0"
                column_user = "username"
        }
        password {
                type = "sha1"
                query_get = "select %c from %t where %o = %u"
                query_set = "update %t set %c = %p where %o = %u"
        }
}

database kmux_firebird {
        type = "firebird"
        connection {
                database_name = "/opt/firebird/kmux_testdb.fdb"
                host = "localhost"
                port = "3050" 
                user = "kmux.admin"
                password = "kmux.admin"
                timeout = "30"
        }
        table {
                table_name = "tab_user"
                column_password = "passwd0"
                column_user = "username"
        }
        password {
                type = "t9_md5"
                query_get = "select %c from %t where %o = %u"
                query_set = "update %t set %c = %p where %o = %u"
        }
}

Sample-pam-configuration

# $Id$
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

password   required     pam_ldap.so 
password   sufficient   pam_kmux.so conffile=/etc/pam_kmux.conf debug use_first_pass
password   sufficient   pam_unix.so use_first_pass nullok obscure min=4 max=8 md5
password   required     pam_deny.so
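The stack above mixes required and sufficient modules, and which modules actually run depends on Linux-PAM's control-flag rules: a sufficient module that succeeds ends the stack with success unless an earlier required module has already failed, while a failed required module lets the stack continue but makes the final result a failure. The following simulator is an added example, not part of pam_kmux or Linux-PAM; the module outcomes are constructed inputs rather than real module calls. Run against the sample stack, it shows that when pam_kmux succeeds the stack returns before pam_unix is reached, so the local password in that case is only changed if pam_kmux is responsible for it.

```python
# Constructed model of the page's /etc/pam.d/common-password stack
# (module arguments omitted; only control flag and module name matter here).
SAMPLE_STACK = [
    ("required", "pam_ldap.so"),
    ("sufficient", "pam_kmux.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, results):
    """Simulate Linux-PAM control flags required, requisite and sufficient.

    stack:   list of (control, module) in file order.
    results: dict module -> True (success) / False (failure); a module missing
             from the dict is treated as failing (as pam_deny always does).
    Returns (overall_success, modules_invoked_in_order).
    """
    invoked = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = results.get(module, False)
        if control == "required":
            # Failure is remembered, but later modules still run.
            if not ok:
                required_failed = True
        elif control == "requisite":
            # Failure returns immediately.
            if not ok:
                return False, invoked
        elif control == "sufficient":
            # Success short-circuits the rest of the stack, unless a required
            # module has already failed; failure is simply ignored.
            if ok and not required_failed:
                return True, invoked
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed, invoked


if __name__ == "__main__":
    # Constructed outcomes: directory update works, pam_kmux updates all backends.
    print(run_stack(SAMPLE_STACK, {"pam_ldap.so": True, "pam_kmux.so": True}))
    # Constructed outcomes: a backend is unreachable, so pam_kmux fails.
    print(run_stack(SAMPLE_STACK, {"pam_ldap.so": True, "pam_kmux.so": False, "pam_unix.so": True}))
```

The second case shows the fallback the sample stack is built for: if pam_kmux fails, pam_unix runs next and its success still finishes the stack; pam_deny at the end only matters when neither sufficient module succeeds.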
Generated on Mon Apr 5 22:28:41 2010 for pam_kmux by  doxygen 1.6.3