| Name | Date | Size | #Lines | LOC |
| --- | --- | --- | --- | --- |
| .. | 03-May-2022 | - | | |
| autom4te.cache/ | 02-Oct-2014 | - | 53,649 | 46,762 |
| m4/ | 02-Oct-2014 | - | 9,083 | 8,162 |
| rpm/ | 02-Oct-2014 | - | 51 | 33 |
| src/ | 02-Oct-2014 | - | 1,306 | 982 |
| tests/ | 02-Oct-2014 | - | 136 | 99 |
| CHANGELOG | 02-Oct-2014 | 11.5 KiB | 295 | 202 |
| COPYRIGHT | 02-Oct-2014 | 965 | 22 | 16 |
| CREDITS | 02-Oct-2014 | 588 | 28 | 21 |
| Makefile.am | 02-Oct-2014 | 909 | 33 | 26 |
| Makefile.in | 02-Oct-2014 | 37.2 KiB | 984 | 873 |
| README | 02-Oct-2014 | 6.8 KiB | 171 | 135 |
| aclocal.m4 | 02-Oct-2014 | 47.4 KiB | 1,316 | 1,202 |
| autogen.sh | 02-Oct-2014 | 289 | 10 | 6 |
| compile | 02-Oct-2014 | 7.2 KiB | 348 | 258 |
| config.guess | 02-Oct-2014 | 44 KiB | 1,548 | 1,341 |
| config.h.in | 02-Oct-2014 | 2.2 KiB | 83 | 56 |
| config.sub | 02-Oct-2014 | 34.6 KiB | 1,783 | 1,645 |
| configure | 02-Oct-2014 | 445.7 KiB | 15,326 | 12,915 |
| configure.ac | 02-Oct-2014 | 3 KiB | 94 | 73 |
| depcomp | 02-Oct-2014 | 23 KiB | 792 | 502 |
| install-sh | 02-Oct-2014 | 13.7 KiB | 528 | 351 |
| ltmain.sh | 02-Oct-2014 | 278 KiB | 9,707 | 7,345 |
| missing | 02-Oct-2014 | 6.7 KiB | 216 | 143 |
| sample.sql | 02-Oct-2014 | 264 | 18 | 8 |
README
pam_pgsql 0.7
=============

Introduction
============

This module provides support to authenticate against PostgreSQL
tables for PAM-enabled applications.

This module is based in part on the FreeBSD pam_unix module, and
the Debian pam_mysql module, but was written from scratch using
the two as a reference.

There is another pam_pgsql module, but the sources appear to have
vanished, hence this module.

Changes since last release
==========================

See the file CHANGELOG.

Compilation & Installation
==========================

pam_pgsql is now autoconf'ed, so compiling should be a matter
of:

    $ ./configure
    $ make
    $ make install

Or, if you're using a git version, run this command before the others:

    $ ./autogen.sh

Compilation has been tested on Debian GNU/Linux, ArchLinux and FreeBSD 7.2.

On Debian, you will need the libpam0g-dev and postgresql-dev packages to compile.
On FreeBSD you will have to install the postgresql/postgresql8*-client port.

See authenticate.c and chpass.c for an example application that authenticates
and changes passwords using this module.

This version only works with PostgreSQL versions 7.4 or newer.

Configuration
=============

For the service you wish the module to be used with, you need
to edit the /etc/pam.d/<service> file or /etc/pam.conf, and
add the relevant lines.

For example:

    auth        required    pam_pgsql.so
    account     required    pam_pgsql.so
    password    required    pam_pgsql.so
    session     required    pam_pgsql.so

Or:

    password    required    pam_cracklib.so
    password    required    pam_pgsql.so authtok

Configure the database and table the module should use with
the configuration file /etc/pam_pgsql.conf. An example of
this file:

    database = sysdb
    user = ljb
    table = account
    user_column = user_name
    pwd_column = user_password
    expired_column = acc_expired
    newtok_column = acc_new_pwreq
    debug = 1

Note that for backwards compatibility with earlier versions, options specified
in the configuration file can be supplied as module arguments as well. Module
arguments will override the configuration file.

From version 0.6 you can also use the new-style configuration (which overrides
legacy values):

    connect = dbname=sysdb user=ljb password=sth connect_timeout=15
    auth_query = select user_password from account where user_name = %u
    acct_query = select (acc_expired = 'y' OR acc_expired = '1'), (acc_new_pwreq = 'y' OR acc_new_pwreq = '1'), (user_password IS NULL OR user_password = '') from account where user_name = %u
    pwd_query = update account set user_password = %p where user_name = %u

Configuration Options
=====================

    connect             - the database connection string (see http://www.postgresql.org/docs/7.4/interactive/libpq.html#LIBPQ-CONNECT)
                          overrides other connection specific options
    auth_query          - authentication query (should return one column -- password)
                          overrides other authentication specific options
    auth_succ_query     - query to be executed after successful authentication
    auth_fail_query     - query to be executed after failed authentication
    session_open_query  - query to be executed on session start
    session_close_query - query to be executed on session end

    acct_query          - account options query (should return 3 or 4 boolean columns -- expired, new password required and password is null, return PAM_PERM_DENIED (y/n))
                          overrides other account specific options
    pwd_query           - query to be executed for password changing
                          overrides other settings related to changing password

You can use %u for the username, %p for the (new) password, %h for the client
hostname as specified by the PAM subsystem, %i for the IP address obtained from
gethostbyname(%h), and %s for the PAM service name in any query. Please don't
forget to specify pw_type, as %p is replaced by the password in its pw_type form.

Caution:
If %h is unavailable but used, the system substitutes NULL for it in the query
but does not fail (you can make it fail manually by using "%s is not null"
somewhere in your query). If %i is used and gethostbyname() fails, then:
    (i) when rhost is empty or doesn't contain any periods ("."), %i is
        replaced with NULL;
    (ii) in any other case pam_pgsql returns PAM_AUTH_ERR.

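The substitution rules above, modelled as an added example (not code from pam_pgsql): each placeholder becomes a numbered bind parameter, and the %h and %i fallbacks follow the caution. Binding values as $1, $2, ... is a choice made by this example; the resolver argument, PamAuthErr and the last_ip column are hypothetical names, and the password is assumed to be passed in already converted to its pw_type form.

```python
import re
import socket


class PamAuthErr(Exception):
    """Stands in for the module returning PAM_AUTH_ERR."""


def resolve_ip(rhost, resolver):
    """Value for %i, following the README's two failure rules."""
    try:
        if not rhost:
            raise OSError("no remote host")
        return resolver(rhost)
    except OSError:
        if not rhost or "." not in rhost:
            return None                      # rule (i): NULL
        raise PamAuthErr(rhost)              # rule (ii): PAM_AUTH_ERR


def expand_query(template, user, password=None, rhost=None,
                 service=None, resolver=socket.gethostbyname):
    """Return (sql, params): each %x becomes $1, $2, ... and its value
    is passed separately, so it never becomes part of the SQL text."""
    params = []

    def bind(match):
        code = match.group(1)
        if code == "u":
            value = user
        elif code == "p":
            value = password
        elif code == "h":
            value = rhost or None            # unavailable %h -> NULL
        elif code == "s":
            value = service
        else:                                # "i", resolved only if used
            value = resolve_ip(rhost, resolver)
        params.append(value)
        return "$%d" % len(params)

    return re.sub(r"%([uphis])", bind, template), params


def failing_resolver(host):                  # constructed: always fails
    raise OSError("lookup failed for " + host)


# Constructed sample; last_ip is a hypothetical column.
QUERY = "update account set last_ip = %i where user_name = %u"
print(expand_query(QUERY, "o'brien", rhost="console",
                   resolver=failing_resolver))
```
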
    database        - the database which should be connected to
    table           - the table containing the authentication data
    host            - the host database server is running on (leave empty for socket)
    port            - the port database server is running on (leave empty for socket)
    user            - the username used when connecting to PostgreSQL
    password        - the password for the user specified
    user_column     - the column containing usernames
    pwd_column      - the column containing the passwords
    expired_column  - this column should contain '1' or 'y' if the account
                      has expired, bool type is OK
    newtok_column   - this column should contain '1' or 'y' if the user
                      needs to change their password, bool type is OK
    debug           - this is a standard module option that will enable
                      debug output to syslog (takes no values)
    pw_type         - specifies the password encryption scheme, can be one
                      of 'clear', 'md5', 'sha1', 'crypt', 'crypt_md5', or
                      'md5_postgres'. The difference between 'md5' and
                      'crypt_md5' is that 'md5' uses libmhash for hashing
                      while 'crypt_md5' uses crypt() with a special salt to
                      select md5 hashing instead of DES. If one of 'crypt'
                      or 'crypt_md5' is specified, passwords are always
                      encrypted in the respective format. However,
                      passwords in both formats may be stored in the
                      database, just as with /etc/(passwd|shadow).
                      Defaults to 'clear'.
                      'md5_postgres' uses the postgres default internal
                      algorithm where hash is md5||md5(password+login). This
                      is useful for authenticating against postgres users
                      created by the createuser postgres command.
    config_file     - alternative location of configuration file - it should be
                      specified as module argument.
    timeout         - if specified pam-pgsql will wait for timeout
                      seconds before giving up on db connection

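A small audit of a pam_pgsql.conf file against the options listed above, as an added example that is not part of pam_pgsql. It reports the pw_type in effect (including the documented default of 'clear'), a database password kept in a world-readable file, and debug output left on. The function names, the findings' wording and the sample text are constructed for this example.

```python
import re

# pw_type values that store the password itself or a fast,
# general-purpose hash of it.
WEAK_PW_TYPES = {
    "clear": "passwords are stored in plaintext",
    "md5": "MD5 is a fast hash, cheap to brute-force offline",
    "sha1": "SHA-1 is a fast hash, cheap to brute-force offline",
    "md5_postgres": "single MD5 round salted only with the login name",
}


def parse_conf(text):
    """Parse 'key = value' lines; only the first '=' separates, so a
    connect string keeps its own key=value pairs intact."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(conf, file_mode=None):
    """Return a list of (option, finding) pairs for one parsed file."""
    findings = []
    pw_type = conf.get("pw_type", "clear")   # README: defaults to 'clear'
    if pw_type in WEAK_PW_TYPES:
        findings.append(("pw_type", WEAK_PW_TYPES[pw_type]))
    has_secret = "password" in conf or re.search(
        r"\bpassword\s*=", conf.get("connect", ""))
    if has_secret and file_mode is not None and file_mode & 0o004:
        findings.append(("password",
                         "database password in a world-readable file"))
    if "debug" in conf:
        findings.append(("debug", "debug output to syslog is enabled"))
    return findings


# Constructed sample in the README's new-style format.
SAMPLE = """\
connect = dbname=sysdb user=ljb password=sth connect_timeout=15
auth_query = select user_password from account where user_name = %u
debug = 1
"""
for option, finding in audit(parse_conf(SAMPLE), file_mode=0o644):
    print(option + ": " + finding)
```

Pass the mode from os.stat() on the real file as file_mode; with None the permission check is skipped.
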
There are also additional flags you can use:

    authtok         - see "use_first_pass"
    use_first_pass  - require authtok from previous entry in PAM stack
                      (useful for "password required pam_pgsql.so authtok"
                      after "password required pam_cracklib.so ...")
    try_first_pass  - same as previous, but doesn't fail if the previous
                      module failed to provide us with a password
    echo_pass       - displays the password while it is being typed

Example to authenticate against postgres users
==============================================

    database = postgres
    user = postgres
    table = pg_catalog.pg_shadow
    user_column = usename
    pwd_column = passwd
    pw_type = md5_postgres

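What the md5_postgres value in pg_shadow.passwd looks like and how a candidate password is checked against it, as an added example that is not taken from pam_pgsql. It also classifies the stored value first, because PostgreSQL 10 and later can store SCRAM-SHA-256 verifiers in the same column, which an MD5 comparison cannot check. The function names and sample credentials are constructed.

```python
import hashlib
import hmac
import re


def md5_postgres(password, login):
    """The literal prefix 'md5' followed by hex MD5(password + login)."""
    data = (password + login).encode("utf-8")
    return "md5" + hashlib.md5(data).hexdigest()


def stored_format(stored):
    """Classify a pg_shadow.passwd value before trying to check it."""
    if not stored:
        return "empty"                 # NULL or '': no password set
    if re.fullmatch(r"md5[0-9a-f]{32}", stored):
        return "md5"
    if stored.startswith("SCRAM-SHA-256$"):
        return "scram"                 # newer servers; not an MD5 value
    return "unknown"


def check_password(stored, password, login):
    """True only for an md5-format value matching password and login."""
    if stored_format(stored) != "md5":
        return False
    return hmac.compare_digest(stored, md5_postgres(password, login))


# Constructed sample: the login acts as the salt, so the same password
# gives different values for different users, and a value copied to
# another login no longer verifies.
alice = md5_postgres("s3cret", "alice")
bob = md5_postgres("s3cret", "bob")
print(alice != bob, check_password(alice, "s3cret", "bob"))
```
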