PAM-modules Manual (split by section):   Section:   Chapter:FastBack: sql   Up: sql   FastForward: ldaphome   Contents: Table of ContentsIndex: Concept Index

6.2 Using SQL modules in authentication stack.

When used in the auth stack, both SQL modules work as follows. First, the module connects to the database using the credentials supplied in the configuration file (see the previous section). Then, it retrieves the value of passwd-query from the configuration file and performs PAM item expansion over it (see item expansion). The resulting query is sent to the SQL server. If this query produces a non-empty result, the first column of the first tuple is used as the encrypted user password and compared with the supplied authentication token. If it matches, the user is authenticated successfully. The comparison consists of the following checks, performed in this order until one of them reports a match or the list is exhausted:

  1. System crypt function.
  2. MySQL password encoding algorithm (for MySQL only).
  3. Compare MD5 sum of the token with the encrypted password.
  4. Compare passwords using LDAP algorithm.
  5. Compare both strings literally (only if allow-plaintext-pass is set in the configuration file).

The following configuration keywords can be used to disable or enable particular stages of the comparison. The value bool should be ‘yes’, ‘true’ or ‘t’ to indicate true. Any other value is taken to mean false.

allow-plaintext-pass bool

The returned password may be plaintext. Without this option, it is supposed to be encrypted using the system crypt function.

allow-ldap-pass bool

The returned password may be an LDAP-style password hash, i.e. the hash value encoded as base-64 and prefixed with a hashing algorithm name in curly braces. This variable is true by default.

allow-md5-pass bool

The returned password may be encrypted using the MySQL md5 function. This keyword is specific to pam_mysql.

allow-mysql-pass bool

The returned password may be encrypted using the MySQL password function. This keyword is specific to pam_mysql.
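
The following Python model of the keyword-gated comparison chain is an added example, not code from pam-modules. It shows which stored values authenticate a given token under a given set of allow-* keywords, covering only the MD5, LDAP and plaintext stages (the crypt and MySQL password stages are omitted). Assumptions: the function names and the `cfg` dictionary are hypothetical, the MD5 sum is stored as lowercase hex, only the {SHA} and {SSHA} schemes are modelled, and keywords other than allow-ldap-pass are treated as off unless set.

```python
import base64, hashlib, hmac

TRUE_WORDS = {"yes", "true", "t"}  # the manual's true values; anything else is false

def flag(cfg, key, default=False):
    # Assumption: keywords other than allow-ldap-pass are off unless set.
    return cfg[key] in TRUE_WORDS if key in cfg else default

def check_md5(stored, token):
    # Assumption: the stored MD5 sum is lowercase hex, as MySQL's md5() returns.
    digest = hashlib.md5(token.encode()).hexdigest()
    return hmac.compare_digest(stored.encode(), digest.encode())

def check_ldap(stored, token):
    # "{ALGO}" prefix followed by base64(hash [+ salt]); only SHA/SSHA modelled.
    if not stored.startswith("{") or "}" not in stored:
        return False
    algo, b64 = stored[1:].split("}", 1)
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    if algo.upper() not in ("SHA", "SSHA") or len(digest) < 20:
        return False
    if algo.upper() == "SHA" and salt:
        return False
    return hmac.compare_digest(hashlib.sha1(token.encode() + salt).digest(), digest)

def check_plain(stored, token):
    return hmac.compare_digest(stored.encode(), token.encode())

def verify(stored, token, cfg):
    """Return the name of the first enabled stage that matches, else None."""
    stages = [
        ("md5", flag(cfg, "allow-md5-pass"), check_md5),
        ("ldap", flag(cfg, "allow-ldap-pass", True), check_ldap),
        ("plaintext", flag(cfg, "allow-plaintext-pass"), check_plain),
    ]
    for name, enabled, check in stages:
        if enabled and check(stored, token):
            return name
    return None

# Constructed sample rows for the token "s3cret" (not real data).
TOKEN = "s3cret"
MD5_ROW = hashlib.md5(TOKEN.encode()).hexdigest()
SSHA_ROW = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"s3cretNaCl").digest() + b"NaCl").decode()
```

Running `verify` over the values a password column actually holds, with the keywords from the deployed configuration, shows which comparison stages are in effect and which can be switched off.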
