Using pam_mysql for authentication

On the occasion of moving the server to Amazon, I decided to stop using LDAP. I was making very little use of it, having started to keep my contacts elsewhere. All it was really doing was providing the authentication file for Apache logins. And there were so few of those it was quite easy to manage with an htpasswd file.

But recently I’ve begun providing mail to some friends, and while I am happy to provide them with system accounts the problem is that they don’t really WANT system accounts – they just want mail. So the husband asked me, how do I change my password? And the only answer I have is, you have to log on. Worse than that of course, I can’t really even allow him to log on without making him set up for public key authentication.

I would like to enable people to use the server for mail, and to be able to authenticate with apache, and I would like them to manage their own passwords for this, without making them log on via ssh, which would require that they have a key pair registered with me. I looked into being able to change the system password via a webpage, but it looks very messy, and seriously – system passwords are supposed to require a human being – that is intentional.

So I looked into authenticating the mail, and Apache, using a database. I found a PAM module called pam_mysql which I can use with saslauthd. I set /etc/pam.d/imap and smtp to point to a new PAM entry called mail, which uses pam_mysql to authenticate against the database (and still authenticates against system accounts as well if there is no entry in the database).
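The PAM stack described above, written out as an added example (this is not the post's own configuration). It assumes a Debian-style `@include`, a database `mail` with a table `users` holding `username` and `mail_password` columns, and a hex SHA1 column (pam_mysql's `crypt=4` mode); the database credentials and all of those names are placeholders.

```text
# /etc/pam.d/mail   (assumed layout; db, table, column and credential values are placeholders)
# pam_mysql is consulted first.  "sufficient" means a matching row ends the stack
# with success; a user that is not in the table falls through to pam_unix, so
# ordinary system accounts keep working for IMAP and SMTP authentication.
auth     sufficient pam_mysql.so user=mailauth passwd=SECRET host=localhost db=mail table=users usercolumn=username passwdcolumn=mail_password crypt=4
auth     required   pam_unix.so
account  sufficient pam_mysql.so user=mailauth passwd=SECRET host=localhost db=mail table=users usercolumn=username passwdcolumn=mail_password crypt=4
account  required   pam_unix.so

# /etc/pam.d/imap and /etc/pam.d/smtp each just pull in that stack
@include mail
```

Two things to check when deploying this: saslauthd must be running with `MECH=pam`, and it passes the client's service name (`imap`, `smtp`) to PAM, which is why the per-service files exist rather than one shared entry. The file now carries a database password, so it should be readable by root only; pam_mysql also accepts a `config_file=` option that lets the credentials live outside /etc/pam.d if that is preferred.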

Then I set up to make this work with Apache as well. For that I used the Apache mod_authn_dbd module, which will authenticate against a MySQL database. However, there turns out to be a problem here. I couldn't figure out a single method of storing a password which would work for both Apache and pam_mysql. Not even plain text (which Apache won't accept). They both offer MD5 and SHA1 but the algorithms are different. In the end I decided to just have separate fields in the database for the mail password and the Apache password. There will be a webpage where users manage their passwords, and it can simply store correctly formatted passwords in both fields.
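To show concretely why the two consumers cannot share a column, here is an added example (not code from the post) that generates and verifies both SHA1 encodings: Apache's `{SHA}` form, which is `{SHA}` followed by the base64 of the raw SHA1 digest (what `htpasswd -s` writes and what mod_authn_dbd checks), and pam_mysql's form, which is the hex digest as MySQL's `SHA1()` would produce it (its `crypt=4` mode). The column names `apache_password` and `mail_password` are assumptions.

```python
"""Added example: the two SHA1 password encodings kept in separate columns.

Both forms hash the same bytes; only the wrapping differs, which is enough to
make each side reject the other's column.  Column names are placeholders.
"""
import base64
import hashlib
import hmac


def apache_sha1(password: str) -> str:
    """Apache's SHA1 format: '{SHA}' + base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def pam_mysql_sha1(password: str) -> str:
    """pam_mysql's SHA1 format (crypt=4): lowercase hex of SHA1(password),
    byte-for-byte what MySQL's SHA1() function returns."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_apache(stored: str, password: str) -> bool:
    """Check a candidate password against an Apache-format column value."""
    if not stored.startswith("{SHA}"):
        return False  # a hex digest lands here and is rejected outright
    return hmac.compare_digest(stored, apache_sha1(password))


def verify_pam_mysql(stored: str, password: str) -> bool:
    """Check a candidate password against a pam_mysql crypt=4 column value."""
    return hmac.compare_digest(stored.lower(), pam_mysql_sha1(password))


def same_digest(apache_form: str, pam_form: str) -> bool:
    """True when both encodings wrap the same 20-byte SHA1 digest."""
    if not apache_form.startswith("{SHA}"):
        return False
    raw_apache = base64.b64decode(apache_form[len("{SHA}"):])
    return hmac.compare_digest(raw_apache, bytes.fromhex(pam_form))


def password_row(username: str, password: str) -> dict:
    """What the password-management page would write: one value per consumer
    (assumed column names apache_password and mail_password)."""
    return {
        "username": username,
        "apache_password": apache_sha1(password),
        "mail_password": pam_mysql_sha1(password),
    }


def update_statement(row: dict):
    """Parameterised UPDATE for the two columns, so the page never interpolates
    user input into SQL.  Table and column names are placeholders."""
    sql = ("UPDATE users SET apache_password = %s, mail_password = %s "
           "WHERE username = %s")
    return sql, (row["apache_password"], row["mail_password"], row["username"])


if __name__ == "__main__":
    row = password_row("alice", "correct horse battery staple")
    print(row["apache_password"])   # {SHA}... (28 characters after the prefix)
    print(row["mail_password"])     # 40 hex characters
    print(same_digest(row["apache_password"], row["mail_password"]))  # True
```

Both of these formats are unsalted and cheap to brute-force, so whatever page writes them should also restrict who can read the table. If stronger storage is wanted, recent Apache 2.4 accepts bcrypt hashes (`htpasswd -B`, the `$2y$` prefix) for its column, and pam_mysql's `crypt=1` mode hands the stored value to the system `crypt(3)`, which on glibc verifies `$6$` SHA-512 hashes; that last point is also worth testing against mod_authn_dbd, since apr_password_validate falls back to `crypt()` for unrecognised prefixes and a single shared column may turn out to be possible on a given build.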

This is only part of the battle. I have to change Postfix, which I haven't done yet, so it can deliver to non-system accounts. And I have to build the webpage for users to use to manage things. But this was a big step.