MySQL authentication Module. (authlibmysql) Version 0.1
This module allows muddleftpd 1.3.4 and above to authenticate using a MySQL
server. This module will read client information from a supplied
table/database within MySQL. It does not modify any data on the server. It
supports:
* Password encryption: Passwords can be encrypted on the MySQL
server in either plaintext (no encryption), crypt based, or the
portable mysql password format.
* Support for custom SELECT query strings. This allows tremendous
flexibility in choosing the structure of the tables muddleftpd
retrieves data from.
DEPENDENCIES:
MySQL 3.22.32 or better. This module may compile and work on earlier
versions, but it hasn't been tested for any older version.
Unless you specify a custom query for authlibmysql to perform, the table
containing user data must have the following fields, with these names:
username    The username
password    The password for the username
homedir     The home directory for the user.
rootdir     The root directory for the user.
uid         The uid of the user.
gid         The gid of the user.
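As an added example (not part of the module's documentation or of the muddleftpd project), the following MySQL statements create a table with the six required field names, store a password using MySQL's PASSWORD() function to match the default mysql_encryption setting, and create a read-only account for the mysql_user directive. The database name ftpauth, the account name ftpauth, the user alice and all passwords are assumed placeholders.

```sql
-- Added example: default table layout for authlibmysql.
-- Database name, account name, usernames and passwords are assumed
-- placeholders, not values taken from the documentation.
CREATE DATABASE ftpauth;
USE ftpauth;

-- Field names must match exactly unless mysql_query overrides them.
-- The PRIMARY KEY on username guarantees at most one row per login,
-- which matters because more than one result cancels authentication.
CREATE TABLE users (
    username VARCHAR(32)  NOT NULL PRIMARY KEY,
    password VARCHAR(64)  NOT NULL,   -- PASSWORD() output (mysql_encryption 'mysql')
    homedir  VARCHAR(255) NOT NULL,
    rootdir  VARCHAR(255) NOT NULL,
    uid      INT UNSIGNED NOT NULL,
    gid      INT UNSIGNED NOT NULL
);

-- Store the hash MySQL's own PASSWORD() produces, the default encryption type.
INSERT INTO users (username, password, homedir, rootdir, uid, gid)
VALUES ('alice', PASSWORD('replace-me'), '/home/ftp/alice', '/home/ftp/alice', 1001, 1001);

-- The module only reads, so the account named by mysql_user gets SELECT on
-- this one table and nothing else; it cannot alter or dump other databases
-- even if the ftp server's configuration file is read by someone else.
GRANT SELECT ON ftpauth.users TO 'ftpauth'@'localhost' IDENTIFIED BY 'replace-me-too';
```

With this layout the matching group section needs mysql_database ftpauth, mysql_user ftpauth and mysql_password replace-me-too; mysql_table can be omitted because the table is named users, and mysql_encryption can be omitted because 'mysql' is the default.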
BUILDING:
To build, execute the following in the authlibmysql source directory:
./configure [--with-mysql=<mysqldir>]
make
Or simply build it with the rest of muddleftpd by adding --with-authmysql to
the configuration options of that configure script.
When you have run make, the file libauthmysql.so can be copied to the
directory you wish to store muddleftpd modules in. This directory must be
secure, so users cannot overwrite the module with a cracked version.
By default it is put into @prefix@/lib by configure; if you don't set
prefix, this is /usr/local/lib/muddleftpd.
USAGE:
In the groups that you wish authlibmysql to authenticate, you need to use
the following to tell muddleftpd to use the authlibmysql module, replacing the
directory here with the directory the authentication module is stored in:
(If unsure, running locate libauthmysql.so may help.)
authmethod /usr/local/lib/muddleftpd/libauthmysql.so
To configure authlibmysql, the following directives have been added. You must
specify these in the group section that is being configured.
mysql_host <hostname>
This specifies the host the MySQL server is located on. If you do
not specify this value, authlibmysql will assume the host is
'localhost'. (the same computer as the ftp server)
mysql_port <portnumber>
This specifies what TCP port number to connect to the MySQL server
using. If it is not supplied, the default MySQL port is used.
mysql_database <databasename>
This specifies what database to use on the MySQL server. It is
advisable not to use the master database. You must specify this
value for authlibmysql to work.
mysql_user <username>
This specifies the username to access the MySQL server as. This user
should only require read access. You must specify this value,
otherwise authlibmysql will refuse to work.
mysql_password <password>
This specifies the password paired to the username used to access the
MySQL server. You must specify this value.
mysql_table <tablename>
This specifies the table to read user password data from. By
default, this is 'users'. This is not used if you specify a custom
query string.
mysql_encryption <encryptiontype>
This specifies the type of encryption to use on passwords. There are
three options available:
a) 'plaintext'
Passwords are stored with no encryption at all. Anybody with
read access to the database can steal the passwords. You
should set muddleftpd.conf to 600 permissions if you use this
setting.
b) 'crypt'
Use the standard unix crypt() call to test passwords, so they
typically end up in the same format as the system password file.
c) 'mysql'
Use MySQL's builtin function password() to test passwords.
This is portable, and is easy to use within MySQL scripts.
The default option for mysql_encryption is 'mysql'
mysql_query <querystring>
(ADVANCED OPTION) This specifies the query to use to get data from
the database. It should be a SELECT query that returns data in the
following order:
1) password: The password of the user, in the selected encrypted
form.
2) home directory: The home directory of the user.
3) root directory: The root directory of the user.
4) uid: An integer value for the user's uid.
5) gid: An integer value for the user's gid.
This SELECT query should only return 1 result if the user exists,
or no results if the user does not exist. You can use this option if
the field names do not match the ones documented above. An example
(must be entered on a single line in the config file):
mysql_query SELECT pass,home,root,useruid,usergid FROM usertable WHERE user='%U'
You can also use this option if data is spread among multiple
tables. Another example (must still be on a single line in the
config file!):
mysql_query SELECT P.pass,C.home,C.root,C.uid,C.gid FROM passwd P, credtable C WHERE P.user=C.user AND P.user='%U'
This gets data from the password table, and joins it with data from
the credentials table to provide data for authlibmysql.
GROUP EFFECTS:
If authlibmysql finds a single result for a query, and the data checks out
ok, then it will accept the username, and authenticate for it. If it finds
no result for the query, then it will pass the username onto the next group
section. If more than one result is returned, or an error occurred along the
way, authlibmysql will cancel authentication for that user.
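The added example below (not from the documentation or the muddleftpd project) builds the two tables behind the join query shown under mysql_query, then dry-runs that query with a literal username in place of %U so its row count and column order can be checked against the rules in GROUP EFFECTS before the line goes into the config file. Table and column names follow the documented example; the user alice, the directories and the passwords are constructed sample values.

```sql
-- Added example: tables behind the two-table join from the mysql_query
-- section. Row values are constructed sample data, not from the page.
CREATE TABLE passwd (
    user VARCHAR(32) NOT NULL PRIMARY KEY,
    pass VARCHAR(64) NOT NULL            -- PASSWORD() hashes, mysql_encryption 'mysql'
);

CREATE TABLE credtable (
    user VARCHAR(32) NOT NULL PRIMARY KEY,
    home VARCHAR(255) NOT NULL,
    root VARCHAR(255) NOT NULL,
    uid  INT UNSIGNED NOT NULL,
    gid  INT UNSIGNED NOT NULL
);

INSERT INTO passwd    VALUES ('alice', PASSWORD('replace-me'));
INSERT INTO credtable VALUES ('alice', '/home/ftp/alice', '/home/ftp/alice', 1001, 1001);

-- Dry run of the configured query with a literal where the module puts %U.
-- For an existing user it must return exactly one row, with the columns in
-- the documented order: password, home directory, root directory, uid, gid.
-- Because both tables key on user, the join can never return two rows for
-- one login, so the "more than one result" cancellation cannot be triggered
-- by duplicate data.
SELECT P.pass, C.home, C.root, C.uid, C.gid
FROM passwd P, credtable C
WHERE P.user = C.user AND P.user = 'alice';

-- A login present in passwd but missing from credtable returns no rows for
-- the query above, so authlibmysql passes that user to the next group
-- section instead of failing. This lists such accounts so the gap is
-- noticed during setup rather than at login time.
SELECT P.user
FROM passwd P LEFT JOIN credtable C ON P.user = C.user
WHERE C.user IS NULL;
```

Run the dry-run SELECT as the account named by mysql_user, not as root: if SELECT on either table is missing for that account the module sees an error, which also cancels authentication under the rules above.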
FURTHER NOTES:
* You should avoid using plaintext stored passwords, especially
since anyone who can read the configuration file can steal all
the passwords in the MySQL database.
AUTHORS:
Beau Kuiper (support@muddleftpd.cx)