Redmine + SVN + PAM_MYSQL = NOT Possible
Added by Daniel Varga over 13 years ago
Hello everyone,
I dag a little into this tutorial:
http://www.redmine.org/projects/redmine/wiki/HowTo_to_handle_SVN_repositories_creation_and_access_control_with_Redmine
This - in theory - describes how I could do what it's title sais. However based on the current code it's just not possible.
Redmine currently stores the passwords in this format:
The hashed password is stored in the following form: SHA1(salt + SHA1(password))
This is from the app/model/user.rb file
The SQL script that generates the VIEW which is later on used for the authentication is:
CREATE OR REPLACE VIEW ssh_users as select login as username, hashed_password as password from users where status = 1;
The configuration for pam-ssh-auth:
password sufficient pam_mysql.so \ verbose=1 \ user=redmine_pam \ passwd=redmine_pam_pass \ host=localhost \ db=redmine \ table=ssh_users \ usercolumn=username \ passwdcolumn=password crypt=4
crypt 4 means SSH1 encryption...
Reading from the pam_mysql module's source code the SQL script that checks the password looks like this:
err = pam_mysql_format_string(ctx, &query, (ctx->where == NULL ? "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s'": "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' AND (%S)"), 1, user, ctx->where);
The lines which do the actual checking:
case 4: { #ifdef HAVE_PAM_MYSQL_SHA1_DATA char buf[41]; pam_mysql_sha1_data((unsigned char*)passwd, strlen(passwd), buf); vresult = strcmp(row[0], buf); { char *p = buf - 1; while (*(++p)) *p = '\0'; } #else syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "non-crypt()ish SHA1 hash is not supported in this build."); #endif }
This would result in an SQL script like: SELECT password FROM ssh_users WHERE username = 'username';
The desired SQL statement would be: SELECT SHA1) ) as `password` FROM ssh_users WHERE username = 'username'
This all means one thing: no matter what you do, there is just no way you can generate a config with which you can somehow get the "SHA1)" format...
It would require you to recompile pam_mysql module just to support redmine.
Any tips/workarounds on how to solve this problem?
Replies (7)
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Daniel Varga over 13 years ago
For some reason the desired SQL statement didn't work out in my previous post.. so here it is again:
SELECT SHA1( CONCAT('password', SHA1(`salt`)) ) as `password` FROM `ssh_users` WHERE `username` = 'username'
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. over 13 years ago
I have the same problem.
PAM reject my virtuals users' password but if I set myself the password as SHA1, everything is ok.
Did you solve it ?!
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Daniel Varga over 13 years ago
Hello, no I was unable to solve the problem with the 1.2 version of redmine.
I rolled back to redmine 1.1...
Could you detail what you mean by:
but if I set myself the password as SHA1, everything is ok.
I might be interested...
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. over 13 years ago
It does not seem to be a good solution.
(I have some trouble to answer yo tou on this forum...)
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. over 13 years ago
Forum consider my response as spam, I have to export my response on one of my websites.
So read this.
cartman34.fr/_other/redmine-org_boards_2_topics_24383_01.html
PS: I can't post links, copy this link in your browser.
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Axel dV over 13 years ago
Hi guys,
same issue here and I fixed it. I've had to modify the pam_mysql source code and to add a crypt type. Initially the tutorial requires to set crypt=4. With my method you may now use crypt=5. This crypt type is dedicated to redmine. In order to use it, you must:
- apply the attached patch on pam_mysql.c using the "patch" command
- compile again pam_mysql: "make clean && make && make install"
- modify the MySQL ssh_users view running this SQL query:
CREATE OR REPLACE VIEW ssh_users as select login as username, CONCAT(hashed_password, '|', salt) as password from users where status = 1;
- edit /etc/pam.d/sshd and set crypt=5 for the 3 blocks
Auth will now take the salt into account. For pam_mysql-0.7RC1 only.
Let me know whether it works
RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Eugenio Piasini almost 13 years ago
Thanks mate, your patch did the trick.
Still working my way through the tutorial linked in the first post, but at least I managed to configure the mynsql nss/pam integration with redmine 1.3.1.