On 16/04/10 17:48 -0600, Barneck, Jared wrote:
> My goal is to have Subversion and Bugzilla share the same users by
> pointing Subversion to Cyrus-SASL and pointing Cyrus-SASL at the
> bugzilla database. I have spent enough time searching the internet,
> reading the manuals, and reading posts to know that there isn't a simple
> answer to this in a doc.
>
> I have Cyrus-SASL successfully using a database if the password field is
> clear text. Subversion is successfully configured to use Cyrus-SASL and
> authentication works with this Cyrus-SASL config.
>
> However, Bugzilla creates an SHA256 hash as well as appends two strings:
> 1. It salts the password before hashing. (I am still researching this)
> 2. It appends the following string to the stored hash: {SHA256}
>
> Is there a way to make Cyrus-SASL use the MD5, SHA1, or SHA256 hash
> instead of clear text?
> (In this case it is SHA256)
For password based authentication, Cyrus prefers to have access to the
shared secret itself, otherwise it needs to make use of a password
verification service, such as saslauthd. It does not directly access hashes
of passwords (there is a patch that allows for md5 hashes in an auxprop
store).
> # svn.conf.ClearTextDatabasePassword
> log_level: 7
> pwcheck_method: auxprop
> mech_list: plain sha1
> auxprop_plugin: sql
> sql_hostnames: localhost
> sql_engine: mysql
> sql_user: root
> sql_passwd: pw
> sql_database: UserDB
> sql_select: SELECT password FROM users WHERE username='%u'
'sha1' is not a valid mechanism.
> I have been through the documentation and I thought maybe it was sql_mda
> but that didn't work when I added this line:
> sql_mda=sha1
sql_mda does not appear to be a valid sasl option.
> So the password is going to be passed in clear text to Cyrus-SASL. The
> database is going to return a SHA256 hash of the password with this
> string appended to it: {SHA-256}
>
> So the password, I assume, does a string compare. Such a compare is
> currently going to look like this, which obviously doesn't work:
> ClearTextPassword ==
> oToF0zutirqQXF6BbuAPljJkGaupY5KhHjGPPB8qC9QPkWOEcs0{SHA-256}
>
> I am fuzzy on who compares the password strings: Cyrus-SASL or
> Subversion. It seems to me that Cyrus-SASL does.
Right, and when using pw_check_method: auxprop, that's not going to work.
> So I need Cyrus-SASL to
> 1) obtain the salt
> 2) hash the password + salt
> 3) append the string {SHA-256}
>
> 1. Does Cyrus-SASL or Subversion handle the password comparison?
Typically this is done by way of saslauthd:
Set 'pw_check_method: saslauthd'
Start saslauthd with a '-a pam' option, which directs saslauthd to submit
the password to pam for verification.
The pam_unix module usually performs the crypt/md5/sha hashing to compare
with the provided password. See man pam_unix(8) for more information.
However, it doesn't appear to use the same format as bugzilla.
Two approaches come to mind:
1) Configure bugzilla to authenticate to PAM, and maintain your user
credentials externally to bugzilla.
2) Configure an nss mysql backend and use some mysql function or view to
reformat the sha-256 string that bugzilla uses into a format that pam_unix
can use (or maybe use crypt instead).
--
Dan White
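As an added example (not code from this thread, and not Bugzilla's own Perl), here is the three-step check Jared lists, obtain the salt, hash password + salt, append {SHA-256}, written in Python as the verifier a password service would need instead of a plain string compare. It assumes Bugzilla's layout of an 8-character salt prefix, the unpadded base64 SHA-256 of the password followed by the salt, and the literal {SHA-256} tag; the salt length and field layout are assumptions here, not stated in the thread.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Assumed layout (an assumption, not taken from the thread): an 8-character
# alphanumeric salt, then the base64 SHA-256 of password followed by salt with
# the '=' padding dropped (43 characters, which matches the 51-character prefix
# of the value quoted above), then the literal tag '{SHA-256}'.
SALT_LEN = 8
TAG = "{SHA-256}"
SALT_CHARS = string.ascii_letters + string.digits


def bz_crypt(password: str, salt: Optional[str] = None) -> str:
    """Build a stored value in the assumed format; a fresh salt if none given."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d characters" % SALT_LEN)
    digest = hashlib.sha256((password + salt).encode("utf-8")).digest()
    b64 = base64.b64encode(digest).decode("ascii").rstrip("=")
    return salt + b64 + TAG


def split_stored(stored: str) -> Tuple[str, str]:
    """Step 1: recover the salt. Rejects values that are not in the tagged
    format, so a clear-text or differently tagged row is never taken for a hash."""
    if not stored.endswith(TAG) or len(stored) != SALT_LEN + 43 + len(TAG):
        raise ValueError("stored value is not a %s hash" % TAG)
    return stored[:SALT_LEN], stored[SALT_LEN:-len(TAG)]


def verify(password: str, stored: str) -> bool:
    """Steps 2 and 3: hash password + salt, re-append the tag, and compare the
    whole string in constant time. This is the comparison that a plain
    'ClearTextPassword == stored' check in the auxprop/sql flow cannot do."""
    try:
        salt, _ = split_stored(stored)
    except ValueError:
        return False
    return hmac.compare_digest(bz_crypt(password, salt), stored)
```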