1

Topic: Use punbb user records with pam

Yo!

I'm trying to figure out how to use the user information from punbb to give my users ftp access.

auth required pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=0
account required pam_mysql.so user=vsftpd passwd=ftpdpass host=localhost db=vsftpd table=accounts usercolumn=username passwdcolumn=pass crypt=0

The example pam configuration just fetches the user info from the database and uses plain passwords as configuration. You can also use shaX and md5 from the documentation I read so far.

The problem is that punbb stores salt in the user table, so for pam to be able to compare the passwords it needs to hash the user inputted password with the salt before comparing it to the password stored in the user table.

I wonder, has anyone managed to do this yet? Are there any other practical solutions for this? I could ofc write together an extension that stores an individual ftp password but it would really be sleek with the same password ;)

2

Re: Use punbb user records with pam

I solved my problem.

I changed to pure-ftpd instead, which has support for custom authentication modules. So I wrote a small script in python (easy to make in php as well) that accesses my punbb installation and validates the user.

Go to Pure-ftpd Docs Authentication modules to read how this works and how to start pure-ftpd with the module.

Here is a simple example I managed to put together so far. You can make it more extensible by adding columns for own user directories, throttling, user size quota etc in database and then write a punbb extension to edit the settings with.

(do notice that this script is very simple and doesn't sanitize user input from ftp client!)

#!/usr/bin/python

import MySQLdb
import os
import hashlib

# Create connection to forum database
conn = MySQLdb.connect(
    host = "localhost",
    user = "dbuser",
    passwd = "dbpassword",
    db = "database")

# Create cursor
cursor = conn.cursor()

# Get user information
cursor.execute(
    "SELECT username, password, salt from punbb_users WHERE username = '"
    + os.getenv("AUTHD_ACCOUNT") + "'")

# Fetch one row
row = cursor.fetchone()

# Make sure we got a row
if row != None:
    # Create hasher
    hashed_pwd = hashlib.sha1(os.getenv("AUTHD_PASSWORD")).hexdigest()
    hashed_pwd = hashlib.sha1(row[2] + hashed_pwd).hexdigest()

    if hashed_pwd == row[1]:
        # Log in user
        print 'auth_ok:1'
        print 'uid:33'
        print 'gid:33'
        print 'dir:/var/www/public.hostname.com'
    else:
        # Password didn't match
        print 'auth_ok:0'
else:
    # Username not found
    print 'auth_ok:0'
print 'end'

cursor.close()
conn.close()

3

Re: Use punbb user records with pam

To sanitize, just change the code to the following:

# Get user information (the %s placeholder lets the driver escape the value)
cursor.execute(
    "SELECT username, password, salt from punbb_users WHERE username = %s",
    (os.getenv("AUTHD_ACCOUNT"),))

Enjoy!
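The handler from posts 2 and 3 with the lookup parameterized and the hash compared in constant time, added here as an example and not part of any poster's code. Assumptions: Python 3; an in-memory sqlite3 table stands in for the punbb MySQL database so it runs offline; `punbb_hash`, `authenticate`, `demo_db` and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3


def punbb_hash(password, salt):
    # Scheme used by the script above: sha1(salt + sha1(password)), hex digests
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.sha1((salt + inner).encode("utf-8")).hexdigest()


def authenticate(conn, account, password):
    """Return the reply lines for pure-ftpd's external authentication handler."""
    deny = ["auth_ok:0", "end"]
    if not account or password is None:
        return deny  # AUTHD_ACCOUNT / AUTHD_PASSWORD missing
    # The placeholder keeps the account name out of the SQL text.
    # sqlite3 uses "?"; MySQLdb uses "%s" in the same position.
    row = conn.execute(
        "SELECT password, salt FROM punbb_users WHERE username = ?",
        (account,)).fetchone()
    if row is None:
        return deny
    stored, salt = row
    # Constant-time comparison of the two hex digests
    if not hmac.compare_digest(punbb_hash(password, salt), stored):
        return deny
    return ["auth_ok:1", "uid:33", "gid:33",
            "dir:/var/www/public.hostname.com", "end"]


def demo_db():
    # Constructed sample data: one forum user in an in-memory database
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE punbb_users (username TEXT, password TEXT, salt TEXT)")
    salt = "q9Zx72LmPw1a"
    conn.execute("INSERT INTO punbb_users VALUES (?, ?, ?)",
                 ("alice", punbb_hash("correct horse", salt), salt))
    return conn


if __name__ == "__main__":
    import os
    db = demo_db()
    print("\n".join(authenticate(db, os.getenv("AUTHD_ACCOUNT"),
                                 os.getenv("AUTHD_PASSWORD"))))
```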

Re: Use punbb user records with pam

Thanks for this hack!

5

Re: Use punbb user records with pam

Thanks for the forum software ;)