Le but de cette documentation est de mettre en place une authentification SSH, FTP et PHP au travers d'une base de données MySQL. Pour cela nous allons utiliser la technologie PAM.
# mysql -u root -p
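-- Schema and service accounts for NSS/PAM lookups backed by MySQL.
-- Run as a MySQL administrator. The two sample passwords ('ieopurASDF' and
-- 'ruASDFDER') are reused verbatim in the nss-mysql and /etc/pam.d snippets
-- further down this page: replace them everywhere with your own values.
CREATE DATABASE nss_mysql;
USE nss_mysql;

-- `groups` is backquoted because GROUPS became a reserved word in MySQL 8.0.2.
DROP TABLE IF EXISTS `groups`;
CREATE TABLE `groups` (
    group_id       INT         NOT NULL AUTO_INCREMENT PRIMARY KEY,
    group_name     VARCHAR(30) NOT NULL DEFAULT '',
    status         CHAR(1)              DEFAULT 'A',
    group_password VARCHAR(64) NOT NULL DEFAULT 'x',
    gid            INT         NOT NULL,
    -- NSS resolves a group by name and by gid; both must be unambiguous.
    UNIQUE KEY groups_group_name_uq (group_name),
    UNIQUE KEY groups_gid_uq (gid)
);
INSERT INTO `groups` (group_id, group_name, status, group_password, gid)
VALUES (1, 'users', 'A', 'x', 100);

DROP TABLE IF EXISTS user;
CREATE TABLE user (
    user_id    INT          NOT NULL AUTO_INCREMENT PRIMARY KEY,
    user_name  VARCHAR(50)  NOT NULL DEFAULT '',
    realname   VARCHAR(32)  NOT NULL DEFAULT '',
    shell      VARCHAR(20)  NOT NULL DEFAULT '/bin/sh',
    -- Holds the crypt(3) hash written by pam_mysql (crypt=1 below). DES and
    -- MD5 crypt fit in 40 characters, but SHA-256/SHA-512 crypt output is up
    -- to ~106 characters and would be silently truncated outside strict SQL
    -- mode, after which no login can ever match. Widened to be safe.
    password   VARCHAR(128) NOT NULL DEFAULT '',
    -- 'A' = active (the inserts on this page set it explicitly); new rows
    -- default to 'N'.
    status     CHAR(1)      NOT NULL DEFAULT 'N',
    uid        INT          NOT NULL,
    gid        INT          NOT NULL DEFAULT 65534,   -- nogroup until assigned
    -- NOTE(review): '/bin/sh' as a *home directory* default looks like a
    -- copy-paste of the shell default; a real path (or '/nonexistent') is
    -- probably intended.
    homedir    VARCHAR(32)  NOT NULL DEFAULT '/bin/sh',
    -- Password-ageing fields with the same meaning as the /etc/shadow columns.
    -- NOTE(review): max=0 means "password expires after 0 days" in shadow
    -- terms; /etc/shadow uses 99999 for "never". Confirm this is intended.
    lastchange VARCHAR(50)  NOT NULL DEFAULT '',
    min        INT          NOT NULL DEFAULT 0,
    max        INT          NOT NULL DEFAULT 0,
    warn       INT          NOT NULL DEFAULT 7,
    inact      INT          NOT NULL DEFAULT -1,
    expire     INT          NOT NULL DEFAULT -1,
    -- getpwnam()/getpwuid() must each map to exactly one row.
    UNIQUE KEY user_user_name_uq (user_name),
    UNIQUE KEY user_uid_uq (uid)
);

DROP TABLE IF EXISTS user_group;
CREATE TABLE user_group (
    user_id  INT NOT NULL DEFAULT 0,
    group_id INT NOT NULL DEFAULT 0,
    PRIMARY KEY (user_id, group_id)   -- no duplicate memberships
);

-- Service accounts.
--   'nss'        : read-only identity whose password ends up in a config file
--                  that every process can read (NSS lookups run everywhere).
--   'nss-shadow' : root-only identity allowed to read and update hashes.
-- MySQL 8 removed "GRANT ... IDENTIFIED BY", so the users are created first;
-- CREATE USER + GRANT also works on older 5.x servers.
CREATE USER 'nss'@'localhost' IDENTIFIED BY 'ieopurASDF';
CREATE USER 'nss-shadow'@'localhost' IDENTIFIED BY 'ruASDFDER';

-- NOTE(review): kept as shipped, but this lets the world-readable 'nss'
-- identity read the password hash column. If your nss-mysql passwd query
-- returns the literal 'x' rather than user.password, drop `password` here.
GRANT SELECT (user_name, user_id, uid, gid, realname, shell, homedir, status, password)
    ON user TO 'nss'@'localhost';
GRANT SELECT (group_name, group_id, gid, group_password, status)
    ON `groups` TO 'nss'@'localhost';
GRANT SELECT (user_id, group_id)
    ON user_group TO 'nss'@'localhost';

GRANT SELECT (user_name, password, user_id, uid, gid, realname, shell, homedir,
              status, lastchange, min, max, warn, inact, expire)
    ON user TO 'nss-shadow'@'localhost';
-- Least privilege: on this page the only writer is `passwd` via pam_mysql,
-- which rewrites the password column. Widen this list if another tool of
-- yours updates other columns through this account.
GRANT UPDATE (password, lastchange)
    ON user TO 'nss-shadow'@'localhost';
FLUSH PRIVILEGES;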
# apt-get install libpam-mysql libnss-mysql
Dans /etc/nsswitch.conf, modifier les lignes suivantes comme suit (laisser « compat » en premier pour que root et les comptes système restent résolus même si MySQL est injoignable) :
# /etc/nsswitch.conf: local files first ("compat"), then the MySQL backend.
# NSS stops at the first source that answers, so keeping compat first means
# root and system accounts resolve without the database and a DB row cannot
# shadow a local account of the same name.
passwd: compat mysql
group:  compat mysql
shadow: compat mysql
Dans le fichier de configuration nss-mysql lisible par tous (en principe /etc/nss-mysql.conf), renseigner le mot de passe du compte MySQL « nss » défini lors de la création de la base. Ce fichier est lu par tous les processus qui font des résolutions NSS : il est donc lisible par tout utilisateur local, et ce compte ne doit avoir que des droits de lecture :
# World-readable nss-mysql config (presumably /etc/nss-mysql.conf): any local
# user can read this value, so the 'nss' MySQL account must stay read-only.
users.db_password = ieopurASDF;
Dans le fichier réservé à root (/etc/nss-mysql-root.conf, protégé par le chmod ci-dessous), renseigner le mot de passe du compte MySQL « nss-shadow » défini lors de la création de la base :
# Root-only nss-mysql config (/etc/nss-mysql-root.conf, chmod 600 below):
# password of the 'nss-shadow' MySQL account, the one that can read and
# update password hashes.
shadow.db_password = ruASDFDER;
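# The root-only config holds the 'nss-shadow' DB password (read + update on
# hashes). Mode 600 only protects it if root is the owner, so set that too.
chown root:root /etc/nss-mysql-root.conf
chmod 600 /etc/nss-mysql-root.conf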
Les fichiers à modifier sont dans /etc/pam.d (sur Debian, typiquement common-account, common-auth, common-password et common-session ; la ligne d'origine est commentée et les nouvelles ajoutées à la suite). Attention : ces fichiers sont lisibles par tous les utilisateurs locaux, les mots de passe MySQL qu'on y inscrit le sont donc aussi.
# common-account: original line kept commented out.
#account required pam_unix.so
# "sufficient": a user who passes pam_unix's account check returns success at
# once and pam_mysql below is NOT consulted for them. pam_unix reads shadow
# through NSS (libnss-mysql, per the nsswitch stanza above), so any
# status/expiry check you expect pam_mysql to enforce can be bypassed that way.
account sufficient pam_unix.so
# NOTE(review): passwd= puts the DB password in a world-readable file; if your
# pam_mysql build supports config_file=, move the credentials to a 0600 file.
account required pam_mysql.so user=nss passwd=ieopurASDF db=nss_mysql table=user usercolumn=user.user_name
# common-auth: original line kept commented out.
#auth required pam_unix.so nullok_secure
# Local accounts authenticate here; on failure the stack falls through to
# pam_mysql. nullok_secure only applies to pam_unix (empty local passwords
# from the ttys listed in /etc/securetty) — check that is what you want.
auth sufficient pam_unix.so nullok_secure
# crypt=1: the supplied password is run through crypt(3) and compared with the
# stored hash. No nullok here, so a row whose password column is still ''
# (a freshly inserted user) cannot log in until passwd has set a hash.
# NOTE(review): this is the read+update 'nss-shadow' credential, exposed to
# every local user through this world-readable file; prefer pam_mysql's
# config_file= option (0600 file) if your build supports it.
auth required pam_mysql.so user=nss-shadow passwd=ruASDFDER db=nss_mysql table=user usercolumn=user.user_name passwdcolumn=password crypt=1
# common-password: original line kept commented out.
#password required pam_unix.so nullok obscure md5
# NOTE(review): md5 is the legacy crypt scheme; Linux-PAM >= 1.0 accepts
# sha512 (newer releases yescrypt) — prefer those for local accounts.
# min=/max= are old pam_unix length options; verify their effect on your
# version before relying on them (max=12 would cap passphrase length).
password sufficient pam_unix.so nullok obscure min=5 max=12 md5
# Password changes for DB users are written by pam_mysql with crypt(3)
# (crypt=1). Which crypt variant your pam_mysql version emits decides how wide
# the password column must be. nullok lets a user whose stored hash is empty
# (the state right after the INSERT below) go through the change.
# NOTE(review): same world-readable credential concern as in common-auth.
password required pam_mysql.so nullok user=nss-shadow passwd=ruASDFDER db=nss_mysql table=user usercolumn=user.user_name passwdcolumn=password crypt=1
# common-session: original line kept commented out.
#session required pam_unix.so
session sufficient pam_unix.so
# Read-only 'nss' credential is enough here: the session phase only needs to
# look the user up. Same world-readable-file caveat as the other stacks.
session required pam_mysql.so user=nss passwd=ieopurASDF db=nss_mysql table=user usercolumn=user.user_name
# mysql -u root -p
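-- Sample account "spencer" (uid/gid 1000) with its private group, plus
-- membership in the shared 'users' group (group_id 1 from the schema above).
-- The password column is left empty on purpose: `passwd spencer` below sets
-- it through pam_mysql as a crypt(3) hash.
INSERT INTO nss_mysql.`groups` (group_id, group_name, status, group_password, gid)
VALUES (100, 'spencer', 'A', 'x', 1000);

INSERT INTO nss_mysql.user
    (user_id, user_name, realname, shell, password, status, uid, gid, homedir,
     lastchange, min, max, warn, inact, expire)
VALUES
    (100, 'spencer', 'Spencer Stirling', '/bin/bash', '', 'A', 1000, 1000, '/home/spencer',
     -- NOTE(review): '041406' reads like a MMDDYY stamp, whereas /etc/shadow's
     -- lastchange is days since 1970-01-01 — confirm what your nss-mysql
     -- shadow query expects here.
     '041406',
     -- Ageing fields as integer literals: the original passed '' strings, which
     -- STRICT_TRANS_TABLES rejects and non-strict mode coerced to 0.
     0, 0, 0, 0, 0);

INSERT INTO nss_mysql.user_group (user_id, group_id) VALUES (100, 100);  -- private group
INSERT INTO nss_mysql.user_group (user_id, group_id) VALUES (100, 1);    -- 'users'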
Pour définir le mot de passe (stocké haché dans la colonne password via pam_mysql, crypt=1), on utilise la commande classique passwd :
# passwd spencer
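# Create the home from the skeleton and hand it over to the new account.
# cp -a keeps /etc/skel's root ownership, hence the chown; -x stays on one fs.
cp -ax /etc/skel /home/spencer
chown -R spencer:spencer /home/spencer
# /etc/skel is usually world-readable; don't let other users browse the new
# home. Adjust the mode to your site policy.
chmod 750 /home/spencer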
Voilà, le compte est maintenant utilisable pour se connecter en SSH sur le serveur (sshd doit avoir « UsePAM yes » dans /etc/ssh/sshd_config pour que cette pile PAM soit consultée).
Pour utiliser PAM avec Proftpd, il faut modifier le fichier de configuration de Proftpd comme suit :
# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# (here the users come from MySQL through NSS, so it is needed as well)
PersistentPasswd off
# This is required to use both PAM-based authentication and local passwords
# NOTE(review): the trailing '*' marks mod_auth_pam as authoritative in
# ProFTPD's AuthOrder syntax — check against your version's docs that
# mod_auth_unix is still consulted when PAM rejects a user.
AuthOrder mod_auth_pam.c* mod_auth_unix.c
AuthPAM on
# PAM service name: /etc/pam.d/proftpd must exist and chain into the
# common-* stacks configured above.
AuthPAMConfig proftpd
# NOTE(review): plain FTP sends the password in clear text; enable mod_tls
# or restrict the service to a trusted network.
Relancer proftpd ; les utilisateurs présents dans la base peuvent maintenant se connecter en FTP. Rappel : le FTP classique transmet le mot de passe en clair ; activer TLS (mod_tls) ou n'exposer le service que sur un réseau de confiance.
# apt-get install libapache2-mod-auth-pam
# HTTP Basic auth relayed to PAM by mod_auth_pam. The "Require group" test is
# presumably answered through NSS, so libnss-mysql must already resolve
# mygroup — verify with `getent group mygroup`.
# NOTE(review): Basic auth sends the password base64-encoded, not encrypted:
# serve this directory over HTTPS only. mod_auth_pam is unmaintained and
# targets old Apache releases; check it still exists for your version.
<Directory /var/www/myrestrictedarea>
    AuthType Basic
    AuthName "Restricted area for My Server"
    AuthPAM_Enabled On
    Require group mygroup
</Directory>
Puis relancer Apache. L'authentification Basic transmet identifiant et mot de passe en clair (simplement encodés en base64) : ne l'activer que sur un vhost HTTPS.
# apt-get install php5-auth-pam
Copier ensuite le fichier de service PAM d'exemple fourni par le paquet (il définit le service « php » utilisé par pam_auth()) dans /etc/pam.d, après avoir relu son contenu :
# cp /usr/share/doc/php5-auth-pam/examples/php /etc/pam.d/
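<HTML>
<?php
// Minimal login-form handler for php5-auth-pam.
// The credentials arrive in the POST body, so this page must be served over
// HTTPS only. pam_auth() checks them against the "php" PAM service copied
// into /etc/pam.d above; $error receives PAM's failure message.
// NOTE(review): nothing here throttles repeated attempts — rely on the PAM
// stack (e.g. a tally/faillock module) or the web server for that.
$username = isset($_POST['Login']) ? $_POST['Login'] : '';
$password = isset($_POST['Password']) ? $_POST['Password'] : '';
$error = '';

if ($username === '' || $password === '') {
    // Reject empty credentials ourselves rather than letting a PAM stack
    // that tolerates empty passwords (nullok) decide.
    $ok = false;
    $error = 'missing credentials';
} else {
    // Pass $error as a plain variable: the original "&$error" (call-time
    // pass-by-reference) warns on PHP 5.3 and is a fatal error from 5.4 on.
    $ok = pam_auth($username, $password, $error);
}

if ($ok) {
    echo "Yeah baby, we're authenticated!";
} else {
    // Escape on output regardless of where $error originates, so a message
    // that echoes request data cannot inject markup into the page.
    echo "Error : " . htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
?>
</HTML>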