Redmine + SVN + PAM_MYSQL = NOT Possible

Added by Daniel Varga about 9 years ago

Hello everyone,

I dug a little into this tutorial:
http://www.redmine.org/projects/redmine/wiki/HowTo_to_handle_SVN_repositories_creation_and_access_control_with_Redmine

This - in theory - describes how I could do what its title says. However, based on the current code it's just not possible.

Redmine currently stores the passwords in this format:

 The hashed password is stored in the following form: SHA1(salt + SHA1(password))

This is from the app/model/user.rb file

The SQL script that generates the VIEW which is later on used for the authentication is:

CREATE OR REPLACE VIEW ssh_users as
select login as username, hashed_password as password
from users
where status = 1;

The configuration for pam-ssh-auth:

password sufficient pam_mysql.so \
verbose=1 \
user=redmine_pam \
passwd=redmine_pam_pass \
host=localhost \
db=redmine \
table=ssh_users \
usercolumn=username \
passwdcolumn=password crypt=4

crypt 4 means SSH1 encryption...

Reading from the pam_mysql module's source code the SQL script that checks the password looks like this:

err = pam_mysql_format_string(ctx, &query,
        (ctx->where == NULL ?
            "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s'":
            "SELECT %[passwdcolumn] FROM %[table] WHERE %[usercolumn] = '%s' AND (%S)"),
                1, user, ctx->where); 

The lines which do the actual checking:

case 4: {
#ifdef HAVE_PAM_MYSQL_SHA1_DATA
                    char buf[41];
                    pam_mysql_sha1_data((unsigned char*)passwd, strlen(passwd),
                            buf);
                    vresult = strcmp(row[0], buf);
                    {
                        char *p = buf - 1;
                        while (*(++p)) *p = '\0';
                    }
#else
                    syslog(LOG_AUTHPRIV | LOG_ERR, PAM_MYSQL_LOG_PREFIX "non-crypt()ish SHA1 hash is not supported in this build.");
#endif
                }

This would result in an SQL script like: SELECT password FROM ssh_users WHERE username = 'username';
The desired SQL statement would be: SELECT SHA1) ) as `password` FROM ssh_users WHERE username = 'username'

This all means one thing: no matter what you do, there is just no way you can generate a config with which you can somehow get the "SHA1)" format...
It would require you to recompile pam_mysql module just to support redmine.

Any tips/workarounds on how to solve this problem?

Replies (7)

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Daniel Varga about 9 years ago

For some reason the desired SQL statement didn't work out in my previous post.. so here it is again:

SELECT SHA1( CONCAT('password', SHA1(`salt`)) ) as `password` FROM `ssh_users` WHERE `username` = 'username'

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. about 9 years ago

I have the same problem.
PAM rejects my virtual users' password but if I set myself the password as SHA1, everything is ok.

Did you solve it?!

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Daniel Varga about 9 years ago

Hello, no I was unable to solve the problem with the 1.2 version of redmine.
I rolled back to redmine 1.1...

Could you detail what you mean by:

but if I set myself the password as SHA1, everything is ok.

I might be interested...

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. about 9 years ago

It does not seem to be a good solution.
(I have some trouble answering you on this forum...)

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Florent H. about 9 years ago

The forum considers my response spam, so I have to export my response to one of my websites.

So read this.

cartman34.fr/_other/redmine-org_boards_2_topics_24383_01.html

PS: I can't post links, copy this link in your browser.

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Axel dV almost 9 years ago

Hi guys,

Same issue here and I fixed it. I had to modify the pam_mysql source code and add a crypt type. Initially the tutorial requires setting crypt=4. With my method you may now use crypt=5. This crypt type is dedicated to redmine. In order to use it, you must:

  1. apply the attached patch on pam_mysql.c using the "patch" command
  2. compile again pam_mysql: "make clean && make && make install"
  3. modify the MySQL ssh_users view running this SQL query:
    CREATE OR REPLACE VIEW ssh_users as
    select login as username, CONCAT(hashed_password, '|', salt) as password
    from users
    where status = 1;
    
  4. edit /etc/pam.d/sshd and set crypt=5 for the 3 blocks

Auth will now take the salt into account. For pam_mysql-0.7RC1 only.
Let me know whether it works

patch.txt - pam_mysql.c patch for version pam_mysql-0.7RC1 (2.84 KB)
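
Added example, not part of the thread and not the attached patch (whose contents are not shown on this page): Ruby code showing why the crypt=4 comparison from the first post cannot match Redmine's salted hash, and the check that a "hashed_password|salt" column from the modified view makes possible. The function names, salt and password are constructed for illustration, and the inner and outer digests are assumed to be lowercase hex strings.

```ruby
require 'digest/sha1'

# Format quoted in the first post: SHA1(salt + SHA1(password)),
# with both digests taken as lowercase hex strings (assumption).
def redmine_hash(password, salt)
  Digest::SHA1.hexdigest(salt + Digest::SHA1.hexdigest(password))
end

# Compare two strings without stopping at the first differing byte.
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# crypt=4 as shown in the quoted pam_mysql source: the hex SHA1 of the
# typed password is compared with passwdcolumn; no salt is involved.
def crypt4_match?(column, password)
  same_digest?(column, Digest::SHA1.hexdigest(password))
end

# Check against the "hashed_password|salt" column built by the modified
# view (hypothetical logic written for this example, not the patch).
def salted_match?(column, password)
  hashed, sep, salt = column.partition('|')
  return false if sep.empty? || hashed.empty? || salt.empty?
  same_digest?(hashed, redmine_hash(password, salt))
end

# Constructed sample values, not taken from any real database.
SALT         = '5f2a9c0e7b1d4a63'
PASSWORD     = 'correct horse'
ROW_OLD_VIEW = redmine_hash(PASSWORD, SALT)               # hashed_password only
ROW_NEW_VIEW = "#{redmine_hash(PASSWORD, SALT)}|#{SALT}"  # hashed_password|salt

if __FILE__ == $PROGRAM_NAME
  puts "crypt=4 against salted hash : #{crypt4_match?(ROW_OLD_VIEW, PASSWORD)}"
  puts "salted check, right password: #{salted_match?(ROW_NEW_VIEW, PASSWORD)}"
  puts "salted check, wrong password: #{salted_match?(ROW_NEW_VIEW, 'guess')}"
end
```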

RE: Redmine + SVN + PAM_MYSQL = NOT Possible - Added by Eugenio Piasini over 8 years ago

Thanks mate, your patch did the trick.

Still working my way through the tutorial linked in the first post, but at least I managed to configure the mysql nss/pam integration with redmine 1.3.1.
