Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pam-pgsql
I just uploaded pam-pgsql/0.7.1-3 to unstable. The new upload fixes #594721 and
#596375. The first bug is security related, the patch is in production use by
the bug submitter and looks sane to me. The second bug is RC because it would
break upgrades from Lenny.
I had a short IRC discussion with faw in #debian-release and he encouraged me
to upload this version to unstable with the goal of inclusion in Squeeze.
The changelog for the version is:
pam-pgsql (0.7.1-3) unstable; urgency=low
* add debian/patches/md5postgres_594721.patch to add support for
PostgreSQLs own md5 passwords (Closes: #594721)
* add debian/postinst to set pw_type = clear on upgrades from version
< 0.7.1 where no pw_type has been specified. The default password
type has been changed from clear to sha1 (Closes: #596375)
-- Jan Dittberner <jandd@debian.org> Fri, 10 Sep 2010 22:35:05 +0200
I attach a debdiff from 0.7.1-2 to 0.7.1-3.
unblock pam-pgsql/0.7.1-3
Regards
Jan Dittberner
--
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
diffstat for pam-pgsql-0.7.1 pam-pgsql-0.7.1
changelog | 10 ++
patches/md5postgres_594721.patch | 191 +++++++++++++++++++++++++++++++++++++++
patches/series | 1
postinst | 57 +++++++++++
4 files changed, 259 insertions(+)
diff -Nru pam-pgsql-0.7.1/debian/changelog pam-pgsql-0.7.1/debian/changelog
--- pam-pgsql-0.7.1/debian/changelog 2010-08-15 18:13:35.000000000 +0200
+++ pam-pgsql-0.7.1/debian/changelog 2010-09-10 22:36:37.000000000 +0200
@@ -1,3 +1,13 @@
+pam-pgsql (0.7.1-3) unstable; urgency=low
+
+ * add debian/patches/md5postgres_594721.patch to add support for
+ PostgreSQLs own md5 passwords (Closes: #594721)
+ * add debian/postinst to set pw_type = clear on upgrades from version
+ < 0.7.1 where no pw_type has been specified. The default password
+ type has been changed from clear to sha1 (Closes: #596375)
+
+ -- Jan Dittberner <jandd@debian.org> Fri, 10 Sep 2010 22:35:05 +0200
+
pam-pgsql (0.7.1-2) unstable; urgency=low
* add debian/patches/md5_64bit_584683.patch to fix MD5 issue on non-
diff -Nru pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch
--- pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch 1970-01-01 01:00:00.000000000 +0100
+++ pam-pgsql-0.7.1/debian/patches/md5postgres_594721.patch 2010-09-10 22:36:37.000000000 +0200
@@ -0,0 +1,191 @@
+Subject: Adds support for default postgres hash algorithm
+Author: Nirgal Vourgère <jvourger@greenpeace.org>
+Bug-Debian: http://bugs.debian.org/594721
+Description: Adds supports for postgres hash algorithm. It make it possible to
+ set up postgresql to use pam and pam to use postgresql own shadow user table.
+ Previously, it was only possible by disabling password encryption in
+ postgresql.conf.
+ This is requiered if you want authentication fallbacks within postgresql.
+ See README file for full example.
+
+TODO (see http://dep.debian.net/deps/dep3/):
+Last-Update: 2010-08-28
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+
+Index: pam-pgsql-0.7.1/src/backend_pgsql.c
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/backend_pgsql.c
++++ pam-pgsql-0.7.1/src/backend_pgsql.c
+@@ -264,7 +264,7 @@
+ rc = PAM_USER_UNKNOWN;
+ } else {
+ char *stored_pw = PQgetvalue(res, 0, 0);
+- if (!strcmp(stored_pw, (tmp = password_encrypt(options, passwd, stored_pw)))) rc = PAM_SUCCESS;
++ if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS;
+ free (tmp);
+ }
+ PQclear(res);
+@@ -275,7 +275,7 @@
+
+ /* private: encrypt password using the preferred encryption scheme */
+ char *
+-password_encrypt(modopt_t *options, const char *pass, const char *salt)
++password_encrypt(modopt_t *options, const char *user, const char *pass, const char *salt)
+ {
+ char *s = NULL;
+
+@@ -310,6 +310,37 @@
+
+ }
+ break;
++ case PW_MD5_POSTGRES: {
++ /* This is the md5 variant used by postgres shadow table.
++ cleartext is password||user
++ returned value is md5||md5hash(password||user)
++ */
++ MD5_CTX ctx;
++ char *buf;
++ unsigned char hash[16]; /* 16 is the md5 block size */
++ int i;
++ size_t unencoded_length;
++ char *unencoded;
++
++ unencoded_length = strlen(pass)+strlen(user);
++ unencoded = malloc(unencoded_length+1);
++ sprintf(unencoded, "%s%s", pass, user);
++
++ bzero(&hash, 16);
++
++ MD5Init(&ctx);
++ MD5Update(&ctx, (unsigned char const *) unencoded, unencoded_length);
++ MD5Final(hash, &ctx);
++
++ buf = (char *) malloc(36); /* 3 bytes for md5 + 32 bytes + 1 byte for \0 */
++ strcpy(buf, "md5");
++ for(i = 0; i < 16; i++)
++ sprintf(&buf[i * 2 + 3], "%.2x", hash[i]);
++
++ free(unencoded);
++ s = buf;
++ }
++ break;
+ case PW_SHA1: {
+
+ SHA1Context ctx;
+Index: pam-pgsql-0.7.1/src/backend_pgsql.h
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/backend_pgsql.h
++++ pam-pgsql-0.7.1/src/backend_pgsql.h
+@@ -8,6 +8,6 @@
+ PGconn * db_connect(modopt_t *options);
+ int pg_execParam(PGconn *conn, PGresult **res, const char *query, const char *service, const char *user, const char *passwd, const char *rhost);
+ int backend_authenticate(const char *service, const char *user, const char *passwd, const char *rhost, modopt_t *options);
+-char * password_encrypt(modopt_t *options, const char *pass, const char *salt);
++char * password_encrypt(modopt_t *options, const char *user, const char *pass, const char *salt);
+
+ #endif
+Index: pam-pgsql-0.7.1/src/pam_pgsql.c
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/pam_pgsql.c
++++ pam-pgsql-0.7.1/src/pam_pgsql.c
+@@ -211,7 +211,7 @@
+ if (rc == PAM_SUCCESS) {
+
+ if ((rc = pam_get_confirm_pass(pamh, &newpass, PASSWORD_PROMPT_NEW, PASSWORD_PROMPT_CONFIRM, options->std_flags)) == PAM_SUCCESS) {
+- if((newpass_crypt = password_encrypt(options, newpass, NULL))) {
++ if((newpass_crypt = password_encrypt(options, user, newpass, NULL))) {
+ if(!(conn = db_connect(options))) {
+ rc = PAM_AUTHINFO_UNAVAIL;
+ }
+Index: pam-pgsql-0.7.1/src/pam_pgsql_options.c
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/pam_pgsql_options.c
++++ pam-pgsql-0.7.1/src/pam_pgsql_options.c
+@@ -112,6 +112,8 @@
+ options->pw_type = PW_CRYPT;
+ } else if(!strcmp(val, "crypt_md5")) {
+ options->pw_type = PW_CRYPT_MD5;
++ } else if(!strcmp(val, "md5_postgres")) {
++ options->pw_type = PW_MD5_POSTGRES;
+ }
+ } else if(!strcmp(buffer, "debug")) {
+ options->debug = 1;
+@@ -256,6 +258,7 @@
+ sprintf(modopt->query_auth, "select %s from %s where %s = %%u", modopt->column_pwd, modopt->table, modopt->column_user);
+
+ }
++ else SYSLOG("Can't build auth query");
+
+ }
+
+Index: pam-pgsql-0.7.1/src/pam_pgsql_options.h
+===================================================================
+--- pam-pgsql-0.7.1.orig/src/pam_pgsql_options.h
++++ pam-pgsql-0.7.1/src/pam_pgsql_options.h
+@@ -24,7 +24,8 @@
+ PW_MD5,
+ PW_CRYPT,
+ PW_CRYPT_MD5,
+- PW_SHA1
++ PW_SHA1,
++ PW_MD5_POSTGRES
+ } pw_scheme;
+
+ typedef struct modopt_s {
+Index: pam-pgsql-0.7.1/README
+===================================================================
+--- pam-pgsql-0.7.1.orig/README
++++ pam-pgsql-0.7.1/README
+@@ -132,16 +132,20 @@
+ debug - this is a standard module option that will enable
+ debug output to syslog (takes no values)
+ pw_type - specifies the password encryption scheme, can be one
+- of 'clear', 'md5', 'sha1', 'crypt', or 'crypt_md5'. the
+- difference between 'md5' and 'crypt_md5' is that
+- 'md5' uses libmhash for hashing while 'crypt_md5'
+- uses crypt() with a special salt to select md5
+- hashing instead of DES. if one of 'crypt' or
+- 'crypt_md5' is specified, passwords always are
++ of 'clear', 'md5', 'sha1', 'crypt', 'crypt_md5', or
++ 'md5_postgres'. The ifference between 'md5' and
++ 'crypt_md5' is that 'md5' uses libmhash for hashing
++ while 'crypt_md5' uses crypt() with a special salt to
++ select md5 hashing instead of DES. if one of 'crypt'
++ or 'crypt_md5' is specified, passwords always are
+ encrypted in the respective format. however,
+ passwords in both formats may be stored in the
+ database, just as with /etc/(passwd|shadow).
+ defaults to 'clear'.
++ 'md5_postgres' uses the postgres default internal
++ algorithm where hash is md5||md5(password+login). This
++ is usefull for authenticating against postgres users
++ created by the createuser postgres command.
+ config_file - alternative location of configuration file - it should be
+ specified as module argument.
+ timeout - if specified pam-pgsql will wait for timeout
+@@ -155,3 +159,12 @@
+ try_first_pass - same as previous, but doesn't fail if previous
+ module failed to provide us with password
+ echo_pass - displays password while being typed
++
++Example to autenticate against postgres users
++=============================================
++database = postgres
++user = postgres
++table = pg_catalog.pg_shadow
++user_column = usename
++pwd_column = passwd
++pw_type=md5_postgres
+Index: pam-pgsql-0.7.1/COPYRIGHT
+===================================================================
+--- pam-pgsql-0.7.1.orig/COPYRIGHT
++++ pam-pgsql-0.7.1/COPYRIGHT
+@@ -6,6 +6,7 @@
+ Copyright (c) 2003. Joerg Wendland <joergland@debian.org>,
+ Copyright (c) 2005. Primoz Bratanic <primoz@slo-tech.com>
+ Copyright (c) 2009. William Grzybowski <william@agencialivre.com.br>
++Copyright (c) 2010. Nirgal Vourgère <jvourger@greenpeace.org>
+
+
+ You are free to distribute this software under the terms of
diff -Nru pam-pgsql-0.7.1/debian/patches/series pam-pgsql-0.7.1/debian/patches/series
--- pam-pgsql-0.7.1/debian/patches/series 2010-08-15 18:13:35.000000000 +0200
+++ pam-pgsql-0.7.1/debian/patches/series 2010-09-10 22:36:37.000000000 +0200
@@ -1,2 +1,3 @@
ftbfs_441679.patch
md5_64bit_584683.patch
+md5postgres_594721.patch
diff -Nru pam-pgsql-0.7.1/debian/postinst pam-pgsql-0.7.1/debian/postinst
--- pam-pgsql-0.7.1/debian/postinst 1970-01-01 01:00:00.000000000 +0100
+++ pam-pgsql-0.7.1/debian/postinst 2010-09-10 22:36:37.000000000 +0200
@@ -0,0 +1,57 @@
+#! /bin/sh
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+log() {
+ echo $* >&2
+}
+
+PAMFILE=/etc/pam_pgsql.conf
+
+case "$1" in
+ configure)
+ if [ -n "$2" ] \
+ && dpkg --compare-versions "$2" lt "0.7.1" \
+ && [ -f $PAMFILE ] \
+ && ! grep -q ^pw_type $PAMFILE
+ then
+ log "Adding 'pw_type = clear' to $PAMFILE. You should upgrade your database to store hashes."
+ echo "pw_type = clear" >>$PAMFILE
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ log "postinst called with unknown argument \`$1'"
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
Attachment:
signature.asc
Description: Digital signature