Hi,

I would like to propose a patch that authenticates users in a MySQL database without the use of nss-mysql or pam-mysql. I have a working patch, such that in case of a failure in getpwnam() it searches for the user in a MySQL database and fills his pw password struct. Although my actual patch uses pam-mysql to authenticate, I think it would be better if all authentication is built into OpenSSH, eliminating entirely the use of PAM or NSS (which I don't trust). Such a patch could be extended to other databases or LDAP, depending on the user's choice at compile time. Parameters would be read from sshd_config. It could even have some flag that tells it to chroot the user to a specific jail.

Please tell me what your opinions are and the possibility of accepting this patch. IMHO it would be a nice addition with few code lines, useful especially for access or hosting providers (like myself) that must supply their clients with a form of managing their accounts without having to maintain thousands of entries in files.

Thanks for your time, warm regards
On Thu, Jun 05, 2003 at 11:36:23AM -0300, André Luís Quintaes Guimarães wrote:

> I think it would be better if all authentication is builtin openssh,
> eliminating entirely the use of pam or nss (which I dont trust).

I don't think this will even happen. It makes no sense to copy this code into OpenSSH. If the system is broken, the system should be fixed, not OpenSSH.
André Luís Quintaes Guimarães wrote:

> Hi,
> I would like to propose a patch that authenticates users in a
> mysql database without the use of nss-mysql or pam-mysql.

Thanks, but such a patch is unlikely to be accepted. For a start, MySQL's LGPL license is contrary to our goal of having BSD or similar licenses on everything in OpenSSH.

I don't think that per-application patches are the best way to integrate alternate user lookup / authentication systems. Also, if we were to accept a ssh-mysql patch then we would probably have to accept a ssh-pgsql and a ssh-sapdb and maybe a ssh-oracle patch. This leads to an explosion of optional code which reduces security and undermines our ability to properly test the software. (We already have too many options in our code IMO.)

> I have a working patch, such that in case of a failure in getpwnam()
> it searches for the user in a mysql database and fills his pw password
> struct. Although my actual patch uses pam-mysql to authenticate, I think it
> would be better if all authentication is builtin openssh, eliminating
> entirely the use of pam or nss (which I don't trust).

... and yet you trust MySQL? My opinions of PAM and NSS are pretty poor, but at least the developers of those are highly focused on security. I don't recall many recent security bugs in either of these, but several issues with MySQL.

-d