It seems that install_dir is hard coded to /lib/security: https://github.com/NigelCunningham/pam-MySQL/blob/master/meson.build#L270

This is a problem on Fedora (and by extension also on RHEL/CentOS etc.) since the correct directory is platform dependent (e.g. /lib/security on 32bit platforms and /lib64/security on 64bit platforms, see: https://docs.fedoraproject.org/en-US/packaging-guidelines/RPMMacros/, technically /usr/lib/security and /usr/lib64/security since https://fedoraproject.org/wiki/Features/UsrMove)

I couldn't find any (reasonably easy) way to set install_dir during build time, but this might be me knowing little to nothing about meson. It'd be nice if this could be configurable so it can be set to %{_libdir}

There's also https://github.com/NigelCunningham/pam-MySQL/blob/master/install.sh which tries to address this. But that of course doesn't work in an rpm build environment:

+ /usr/bin/meson install -C x86_64-redhat-linux-gnu --no-rebuild
Installing libpam_mysql.so to /builddir/build/BUILDROOT/pam_mysql-1.0.0~beta1-1.fc34.x86_64/lib/security
Running custom install script '/builddir/build/BUILD/pam-MySQL-1.0.0-beta1/install.sh'
--- stdout ---

--- stderr ---
mv: cannot stat '/lib/security/libpam_mysql.so': No such file or directory
strip: '/lib/security/pam_mysql.so': No such file

FAILED: install script '/builddir/build/BUILD/pam-MySQL-1.0.0-beta1/install.sh' exit code 1, stopped

The current expansion of the %meson macro on Fedora 34 looks something like this:

/usr/bin/meson --buildtype=plain --prefix=/usr --libdir=/usr/lib64 --libexecdir=/usr/libexec --bindir=/usr/bin --sbindir=/usr/sbin --includedir=/usr/include --datadir=/usr/share --mandir=/usr/share/man --infodir=/usr/share/info --localedir=/usr/share/locale --sysconfdir=/etc --localstatedir=/var --sharedstatedir=/var/lib --wrap-mode=nodownload --auto-features=enabled . x86_64-redhat-linux-gnu

So the right directory to use is probably libdir: https://mesonbuild.com/Builtin-options.html

hi there,

i used the default libpam-mysql and this manual install libpam-mysql, but im always getting this on /var/log/auth.log

i have inserted "testuser" on the database, i also properly entered the details on /etc/libpam-mysql.conf

i tried crypt=0 and crypt=3 (md5) still same, and i think the main problem is its telling that the username is invalid even its on the database..

May 10 18:47:10 debian sshd[3737]: Invalid user testuser from 10.0.2.2 port 22693
May 10 18:47:14 debian sshd[3737]: pam_mysql - option verbose is set to "1"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.enabled is set to "false"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.table is set to "log"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.message_column is set to "message"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.pid_column is set to "pid"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.user_column is set to "user"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.host_column is set to "host"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.rhost_column is set to "rhost"
May 10 18:47:14 debian sshd[3737]: pam_mysql - option log.time_column is set to "time"
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_sm_authenticate() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_format_string() called
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_quick_escape() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - SELECT password FROM users WHERE username = 'testuser'
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() returning 6.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_converse() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_open_db() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_format_string() called
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_quick_escape() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - SELECT password FROM users WHERE username = 'testuser'
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_check_passwd() returning 6.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() called.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_mysql_sql_log() returning 0.
May 10 18:47:14 debian sshd[3737]: pam_mysql - pam_sm_authenticate() returning 7.
May 10 18:47:14 debian sshd[3737]: pam_unix(sshd:auth): check pass; user unknown
May 10 18:47:14 debian sshd[3737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
May 10 18:47:16 debian sshd[3737]: Failed password for invalid user testuser from 10.0.2.2 port 22693 ssh2

on the ssh facing terminal, the prompt is: Permission denied, please try again.

i can only login using root...

I have configured saslauthd + pam + mysql on my machine (debian
testing, also tried on Ubuntu 22) to authenticate against a mysql DB.

Whenever I try authentication with credentials (e.g., with
testsaslauthd calling libpam) the Pam module does not immediately
query the mysql database, but tries the first pass, i.e., if it finds
a previous authentication that matches with the password entered, it
responds successfully (thus skipping querying the db).

But if I change the password on the DB, each login attempt with the
old password is still successful until the first login with the new
password occurs.

This looks like the behaviour described by the parameter try_first_pass,
but I didn't define it in my PAM configuration.

I would like to be able to change passwords on the mysql DB and have
the old password stop working from then on, without necessarily having
to restart saslauthd (which resets the value of the first pass) or try
the new password.

How can I prevent the first pass from being attempted?

NB: I have asked this also here

• https://unix.stackexchange.com/questions/738619/skip-first-pass-in-sasl-pam-mysql-authentication
• linux-pam/linux-pam#545 (comment)
  linux-pam guys redirected me to developers of the mysql PAM module

POST SCRIPTUM:

1. Versions of pam modules:

   	Debian testing	Ubuntu 22
   libpam-mysql:amd64	0.8.2-2	0.8.1-5build1
   libpam0g:amd64	1.5.2-6	1.4.0-11ubuntu2.3

2. PAM configurations:

   **Click here to see configurations**

   I have configured in pam.d/ an smtp configuration module like this:

   $ cat /etc/pam.d/smtp
   auth       required     pam_nologin.so
   auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
   account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
   password   required     pam_deny.so

   It uses /etc/mail-pam-mysql.conf which is:

   verbose = 1;
   users.host = dbhost;
   users.database = dbname;
   users.db_user = dbuser;
   users.db_passwd = MYDBPASSWORD;
   users.password_crypt = 1;
   users.table = accountuser;
   users.user_column = username;
   users.password_column = password;
   log.table = log;
   log.message_column  = msg;
   log.pid_column  = pid;
   log.user_column  = user;
   log.host_column  = host;
   log.time_column  = time;
   

Hi,

Is it possible to support sha2 ? (sha256 / sha512 hashes)

We are using hashes that are usually generated by the openssl library, an example of generating such a digest:

std::string password = "somepassword";

// generate a SHA512 hash using the openssl library
char buf[SHA512_DIGEST_LENGTH];
SHA512_CTX ctx;
if (!SHA512_Init(&ctx)) {
    std::cerr << "failed to initialize." << std::endl;
}
if (!SHA512_Update(&ctx, password.c_str(), password.length())) {
    std::cerr << "failed to update sha context." << std::endl;
}
if (!SHA512_Final((unsigned char *)buf, &ctx)) {
    std::cerr << "failed to get the hash." << std::endl;
}

It's not a complete example, but it gives an head start hopefully.

Regards, Matthijs

Hi, Is it possible setup pam-mysql over ssl/tls connection, connect to mysql/mariadb server?
Thanks.

Hello, tried to compile the module under Debian Jessie. See compiling commands and error bellow.

Probably forgot to install something, still I need your help on it.

apt-get install -y autoconf automake build-essential libmysqlclient-dev libpam-dev libssl-dev
autoreconf -f -i

configure.ac:26: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:45: error: possibly undefined macro: AS_IF
configure.ac:47: error: possibly undefined macro: AC_DEFINE
autoreconf: /usr/bin/autoconf failed with exit status: 1

Hi,

While trying to replace the original mysql pam with this I ended up in a dead end.

If I configure with:
./configure --with-pam-mods-dir=/lib/security --with-openssl=no
I get:
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: SHA1Final

If I configure with:
./configure --with-pam-mods-dir=/lib/security --with-openssl=yes
I get:
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: SHA1Init

I don't even want to use SHA1. But it doesn't seem to help with "crypt=plain" in the pam config

Doing this on Ubuntu 16.04 with the standard packages for mysql and everything.

Please tell me if I can help with providing more information. I just want it to work as soon as possible :)

I don't even know for sure this is the right place to do it, but I've looked through the various docs and I cannot seem to find any useful pointers.

I grow tired of having to reconfigure a certain software vendor's products that seem to think by default usernames should no longer exist, and they are making it increasingly hard to do so. So I am wondering if pam_mysql could be made to cope with user@domain format of usernames. A quick and dirty test shows that a straight swap in the username column doesn't work, and I guess that is because it's stripped off by saslauthd which is also in my auth chain where it matters.

So I'm raising this as an issue to see if we can do it here, and failing that, as a point of reference for other poor unfortunates in future who are trying to answer the same type of question.

Having said that I noticed theres a saslauthd option thusly, which I thought may help:

-r | Combine the realm with the login (with an ’@’ sign in between). e.g. login: "foo" realm: "bar" will get passed as login: "foo@bar". Note that the realm will still be passed, which may lead to unexpected behavior.

But while the logs (for both pam-mysql and mysql itself with query logging enabled) suggest it does pass through user@password format of username it won't authenticate even then. However putting pam_mysql into verbose mode does suggest that it is querying mysql for the user@domain format of username, and in a way that works when run manually at the mysql CLI, so I guess something in the return path isn't working. Or that pam does support realms/domains, and it's just not clear how and where it is configured and written into module code.

However, even if the email address format works, that would break the username-only format of login unless extra code were added to allow for a column with email address as well as the username column that already exists, because you wouldn't want to have just one or the other to avoid users having to reconfigure because you still end up with the same problem. So I guess either way a little bit of extra code will be needed in pam-MySQL.

Hello Nigel,
i had the pam-mysql module successfully build before your commit on Nov 2016. Before the configure script was already there and the make process happened to work without any problems.

Now with 0.8.1 that doesn't work anymore:

# autoreconf -f -i --verbose
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf --force
configure.ac:45: error: possibly undefined macro: AC_DEFINE
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

If i add m4_pattern_allow([AC_DEFINE]) to configure.ac, it works to reconf:

# autoreconf -f -i --verbose
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
libtoolize: Consider adding `-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:6: unknown warning category `no-extra-portability'
autoreconf: Leaving directory `.'

But there are some macros not getting replaces correctly:

# ./configure --prefix=/usr --with-pam-mods-dir=/lib64/security --with-openssl
[...]
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for size_t... yes
checking whether ELOOP is declared... yes
checking whether EOVERFLOW is declared... yes
checking for library containing socket... none required
checking for getaddrinfo... yes
./configure: line 13662: PAM_MYSQL_CHECK_IPV6: command not found
./configure: line 13663: PAM_MYSQL_CHECK_GETHOSTBYNAME_R: command not found
./configure: line 13669: syntax error near unexpected token `"$withval"'
./configure: line 13669: `  PAM_MYSQL_CHECK_LIBMYSQLCLIENT("$withval")'

In the generated configure i see the problem:

PAM_MYSQL_CHECK_IPV6
PAM_MYSQL_CHECK_GETHOSTBYNAME_R


# Check whether --with-mysql was given.
if test "${with_mysql+set}" = set; then
  withval=$with_mysql;
  PAM_MYSQL_CHECK_LIBMYSQLCLIENT("$withval")

else

  PAM_MYSQL_CHECK_LIBMYSQLCLIENT(/usr /usr/local /usr/mysql /opt/mysql)

fi



# Check whether --with-openssl was given.
if test "${with_openssl+set}" = set; then
  withval=$with_openssl;
else
  with_openssl=check
fi

Do you have any clue on how to build on CentOS ?

Thank you!

I tried to connect to mysql 5.6 and 5.7 with pam-mysql, but always failed on mysql 5.7.
After installed mysql 5.6 and 5.7 in same os environment and connected with testsaslauthd separately, and got '0: OK "Success.' on mysql 5.6, but got 'size read failed' on mysql 5.7.

How can I make pam-mysql compatible with mysql 5.7?

Hello
i'm using pam_mysql for authentication and bumped into couple of issues.
i can successfully use crypt 0 with logs in db (not recommended) but have issues with blowfish encrypted ones.
if i use crypt=1 blowfish=1, i end up with invalid token option and if i use crypt=1 alone, password returns 6. Neither of which give a good clue.
i've been using crypt function of php to create hashes with password default option. (please check https://github.com/panique/php-login-minimal/blob/master/classes/Registration.php for similar code).
The documentation online for this module seems to be sparse and digging through the code was not so much fruitful for me.
can anyone give me some leads on how to handle proper authentication (also the contents of file under pam.d for a proper authentication, atleast against nginx auth)

OS: Centos 7
This is the error I get when trying to run ./configure --with-pam=/usr/include/security/ --with-pam-mods-dir=/usr/lib64/security/

configure: error: Cannot find pam headers. Please check if your system is ready for pam module development.

here is a list of my headers for pam
ls -la /usr/include/security/
total 84
drwxr-xr-x. 2 root root 4096 Aug 11 17:02 .
drwxr-xr-x. 45 root root 8192 Aug 14 12:05 ..
-rw-r--r--. 1 root root 3297 Nov 5 2016 pam_appl.h
-rw-r--r--. 1 root root 7239 Nov 5 2016 pam_client.h
-rw-r--r--. 1 root root 2972 Nov 5 2016 _pam_compat.h
-rw-r--r--. 1 root root 3631 Nov 5 2016 pam_ext.h
-rw-r--r--. 1 root root 1089 Nov 5 2016 pam_filter.h
-rw-r--r--. 1 root root 6109 Nov 5 2016 _pam_macros.h
-rw-r--r--. 1 root root 1526 Nov 5 2016 pam_misc.h
-rw-r--r--. 1 root root 6432 Nov 5 2016 pam_modules.h
-rw-r--r--. 1 root root 4745 Nov 5 2016 pam_modutil.h
-rw-r--r--. 1 root root 12904 Nov 5 2016 _pam_types.h

I have run the yum pam-devel package and it is installed along with several other devel packages need to build this.

I am having a hard time getting pam_MySQL to work completely for me. I am using cyrus-sasl2 with MECH pam. If I run the command saslautd -u robert -p secret -s imap (a valid login account on my machine,) pam_MySQL will query the database. If I enter the command saslauthd -u robert -r mydomain.com -p secret -s imap no query is performed and the entry in /var/log/secure is 'pam_mysql - required option "user" is not set.'
Any ideas on what I can check or am doing wrong?

I've the following issue using the drupal7 pam-mysql module (dovecot consumer):
auth worker: PASSV: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: MD5

It could be related to the squeeze -> wheezy upgrade.

Using
libssl0.9.8 (0.9.8o-4squeeze14)
libssl1.0.0:amd64 (1.0.1e-2)
openssl (1.0.1e-2)
libc6 (2.13-38)

./configure; make
# nm .libs/pam_mysql.so |grep MD5 U MD5

Hey,
I've recently compiled the module with the instructions.
It seems to work because the authentication prompt is working and indeed if I insert an undefined user it won't work, but when I do insert a valid user it fails instead of giving me the regular NGINX welcome page.

Any ideas what can cause this behavior?
Thanks,
Lior

Hi,

I've tried your module but it looks like its calculating the the hash wrong. I've generated an SHA1 hash from the string "test" which is: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Now i've added an extra log output on line 2928 in pam_mysql.c:
syslog(LOG_AUTHPRIV | LOG_ERR, buf);

Which generates the following output when trying to login with the password "test":
Dec 30 22:15:47 host sshd[26898]: 14b9961cd982a22949737f143325c0370ab90dd9

Which is wrong...

When using the latest stable, v0.8.0, I get
PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: pam_set_data
when trying to authenticate the openvpn connection.

I noticed a commit, "Link the module with the PAM library", commit 6d5d20b..
I used this commit instead of latest stable and now it is working.

To summarise I cant use the latest commit since I get undefined symbols for SHA1Init or SHA1Final (previous issue I submitted), and I cant use the latest stable since I get undefined symbol: pam_set_data.

Thank you very much for the very good commit message! I would never have found this otherwise! :)

Is there any known bug in Debian 9? My password is 100% correct and works well from all other applications connected to this mysql instance. Roundcube, dovecot, z-push, nextcloud... but not with postfix and smtp auth.

libpam-mysql/stable,now 0.8.0-1 amd64 [installed]
PAM module interfacing with MySQL databases

Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - option debug is set to "1"
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = '[email protected]'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_converse() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = '[email protected]'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() returning 7.
Jul 28 21:53:22 myhost saslauthd[27369]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_release_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_destroy_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]:                 : auth failure: [[email protected]] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

I cannot find documentation what pam_mysql_check_passwd() returning 6 or pam_sm_authenticate() returning 7 means. Debugging is on, but the passwords are not shown. So it is impossible to figure out what the root cause is.

pam_mysql is configured to use crypt=1. In Debian 7 it worked all well, but this was pam_mysql 0.7~RC1.

When setting crypt to 1 in the config and commenting out the md5 option it still uses md5 for hashing even if the default is supposed to be disabled.

Probable fix would be to set ctx->md5 to 0 instead of -1 in pam_mysql_init_ctx.

After configuring the library and trying to make it, from the start it fails with the following:

pam_mysql.c: In function ‘pam_mysql_check_passwd’:
pam_mysql.c:2896:15: warning: implicit declaration of function ‘my_make_scrambled_password’ [-Wimplicit-function-declaration]
               my_make_scrambled_password(buf, passwd, strlen(passwd));
               ^
mv -f .deps/pam_mysql_la-pam_mysql.Tpo .deps/pam_mysql_la-pam_mysql.Plo
/bin/bash ./libtool  --tag=CC   --mode=link gcc  -g -O2 -I/usr/include/mysql -fabi-version=2 -fno-omit-frame-pointer   -module -avoid-version  -o pam_mysql.la -rpath /lib/security pam_mysql_la-pam_mysql.lo -lcrypto -lpam -lcrypt  -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl
libtool: link: gcc -shared  -fPIC -DPIC  .libs/pam_mysql_la-pam_mysql.o   -lcrypto -lpam -lcrypt -L/usr/lib/x86_64-linux-gnu -lmysqlclient -lpthread -lz -lm -lrt -ldl  -g -O2   -Wl,-soname -Wl,pam_mysql.so -o .libs/pam_mysql.so
libtool: link: ( cd ".libs" && rm -f "pam_mysql.la" && ln -s "../pam_mysql.la" "pam_mysql.la" )

Running Ubuntu 16.04 with MySQL 5.7

When using the crypt function I'm getting the following error:

pam_mysql - something went wrong when invoking crypt() - Invalid argument
pam_mysql - pam_mysql_check_passwd() returning 6.

This is the pam.d/sshd config that is being used:

auth    optional        pam_mysql.so    user=xxxx passwd=xxxx db=xxxx table=users usercolumn=users.user passwdcolumn=users.password crypt=1 blowfish=true verbose=1
account required        pam_mysql.so    user=xxxx passwd=xxxx db=xxxx table=users usercolumn=users.user passwdcolumn=users.password crypt=1 blowfish=true verbose=1

pam-mysql version v0.8.1-30-g4f76d51

Hello, sorry to disturb you for something that may be stupid.
But there, I made a vsftpd server, with an old version of pam, I just updated on yours, and it does not work anymore. So I activated the verbose option, to have more log but here is what it gives me (in /var/log/secure, i dont find /var/log/auth*):

Apr  8 23:46:54 datahosting vsftpd[9528]: pam_unix(vsftpd:auth): check pass; user unknown
Apr  8 23:46:54 datahosting vsftpd[9528]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=datahosting_minecraft rhost=my_private_host

Here is my configuration pam:

#%PAM-1.0
auth sufficient /usr/lib64/security/pam_mysql.so user=datahosting passwd=my_secret_password  host=localhost db=datahosting table=ftp_accounts usercolumn=username   passwdcolumn=pass crypt=9 verbose=1
account sufficient /usr/lib64/security/pam_mysql.so user=datahosting passwd=my_secret_password  host=localhost db=datahosting table=ftp_accounts usercolumn=username  passwdcolumn=pass crypt=9 verbose=1
auth        sufficient     pam_unix.so try_first_pass nullok
account     sufficient       pam_unix.so
session    required     pam_loginuid.so

I may not be looking for the right logs.
Is the log file in /var/log ?

I am sincerely sorry to disturb you for this banal thing, which surely comes from me. But it's annoying that my vsftpd server is no longer working, so I would like to resolve this problem.

I am running on Centos 8.

Thank for your reply.

Getting this error while compiling

pam_mysql.c: In function 'pam_mysql_check_passwd':
pam_mysql.c:3766:37: warning: implicit declaration of function 'compat_make_scrambled_password_323'; did you mean 'make_scrambled_password_323'? [-Wimplicit-function-declaration]
 3766 |                                     compat_make_scrambled_password_323(buf, passwd);
      |                                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                     make_scrambled_password_323

and then this error when trying to run it

PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: compat_make_scrambled_password_323

It would be very helpful to have at least one password encryption algorithm within pam-MySQL which is (very) secure and Apache compatible.

If I compare the password encryption algorithms between Apache (mod_authn_dbd)
plain text, MD5 (salted, Apache variant), SHA1 (not salted), CRYPT, bcrypt
and pam-MySQL
crypt (plain text), crypt, MD5 (not salted), SHA1 (not salted), Drupal7 (salted), use_323_passwd, MySQL
there are no high secure algorithms in common. SHA1 without salt seems to be the most secure algorithm for both, but SHA1 not very secure.

Hello ! Here I am again :( I had to install a vSTFPD server with pam-mysq, but this time on debian. I had a bit of trouble, with several errors, but I got there.

Except that here, I checked the connection, as well as the MySQL identifier (maybe not as it should be), and all the information entered in the pam_mysql configuration, allows me to connect with PMA or even in command line.

But there, pam_sm_authenticate returns the number 3. I dont know why, i search, but i dont find.

My config:

#%PAM-1.0
auth		sufficient	pam_mysql.so verbose=1 user=datahosting passwd=secret_password host=localhost db=dh table=ftpusers usercolumn=username passwdcolumn=password crypt=sha256
account		sufficient	pam_mysql.so verbose=1 user=datahosting passwd=secret_password host=localhost db=dh table=ftpusers usercolumn=username passwdcolumn=password crypt=sha256
auth        sufficient     pam_unix.so try_first_pass nullok
account     sufficient       pam_unix.so
session    required     pam_loginuid.so

My log (from auth.log):

Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option verbose is set to "1"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option user is set to "datahosting"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option passwd is set to "secret_password "
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option host is set to "localhost"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option db is set to "dh"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option table is set to "ftpusers"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option usercolumn is set to "username"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - option passwdcolumn is set to "password"
Sep  5 15:46:30 datahosting vsftpd: pam_mysql - pam_sm_authenticate() returning 3.
Sep  5 15:46:30 datahosting vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Sep  5 15:46:30 datahosting vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=datahosting_minecraft rhost=90.30.212.74 
Sep  5 15:46:32 datahosting sshd[526]: Connection closed by 71.6.232.6 port 55904 [preauth]
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_release_ctx() called.
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_destroy_ctx() called.
Sep  5 15:46:32 datahosting vsftpd: pam_mysql - pam_mysql_close_db() called.

My database structure:

I see "check pass; user unknown" in the log, but in my database, user exist. Where does the problem come from? Thank for help me!

Edit:
After enable all mysqllog, i see when I connect from my phpmyadmin, the log file has fill by log of connection, but when a try to connect on ftp (with valid user and password) no log appears, idk if this will help you with my worries
And i try edit pam_mysql.c for add syslog, but that doest work :( Idk how to update this file for more log :/

Edit 2: if i reinstall with make and make isntall, and not remove and reinstall libpam-mysql i get this error:

rted vsftpd FTP server.
Sep 06 11:17:17 datahosting vsftpd[29964]: PAM unable to dlopen(pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: compat_make_scrambled_password_323
Sep 06 11:17:17 datahosting vsftpd[29964]: PAM adding faulty module: pam_mysql.so

the README its the only reference, but for a where clause there's no point of must be around a " or as is:

• where=status=1 ?
• where=[status=1] ?
• where="status=1" ?

autoreconf -f -i on Alpine 3.11 leads to:

/pam-MySQL # autoreconf -f -i
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:26: error: possibly undefined macro: AC_MSG_ERROR
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:43: error: possibly undefined macro: AS_IF
autoreconf: /usr/bin/autoconf failed with exit status: 1

Where a run with autoreconf -i works fine:

/pam-MySQL # autoreconf -i
configure.ac:13: installing 'build-aux/compile'
configure.ac:13: installing 'build-aux/config.guess'
configure.ac:13: installing 'build-aux/config.sub'
configure.ac:6: installing 'build-aux/install-sh'
configure.ac:6: installing 'build-aux/missing'
Makefile.am: installing './INSTALL'
Makefile.am: installing 'build-aux/depcomp'

Should the INSTALL instruction be updated?

Is PAM-MySQL friendly to MariaDB

Hi there,
this is feature request:

When pam_mysql is the first module in a chain it always checks an unset password first, because try_first_pass is enabled by default. Disabling this speeds up things quite a bit.

Isn't there a way to detect if it's the first module or if the password never has been set (NULL instead of an empty string)?
IMHO it would be a nice feature to skip try_first_pass in such situations.

I'm not familiar to PAM internals, so I can't tell if this would be possible at all.

Cheers!

Hi Nigel,

I'm having an error when using pam-MySQL.
When I run the following command: sudo testsaslauthd -u 'the_username' -p 'the_password' -s smtp, I get the follwing error printed to /var/log/auth.log: saslauthd[21550]: pam_mysql - something went wrong when invoking crypt() - No such file or directory. The result of testsaslauthd is 0: OK "Success." though.

Any idea on how to get rid of this error?

Cheers,
Christophe

Any chance you know how to fix the "undefined symbol: make_scrambled_password" error with newer versions of mysql / mariadb that no longer export this?

https://bugs.launchpad.net/ubuntu/+source/pam-mysql/+bug/1574900?comments=all

You can see it no longer work in Ubuntu 16.04 any flavor in Virtualbox. If I knew how to fix it, I would. Please help? This module is too important to die. There is no replacement for it.

Using MariaDB 10.2 with pam-MySQL results in the following error: MySQL error (Plugin pvio_socket could not be loaded: not initialized)

The verbose log looks like this (changed some values to protect the innocent):

Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_authenticate() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() returning 6.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_converse() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_check_passwd() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_authenticate() returning 0.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - MySQL error (Plugin pvio_socket could not be loaded: not initialized)
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_open_db() returning 5.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_sm_acct_mgmt() returning 9.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_release_ctx() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_destroy_ctx() called.
Oct 19 18:55:40 hermes ker[6004]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_authenticate() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() returning 6.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_converse() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_format_string() called
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_quick_escape() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - SELECT password FROM mailbox WHERE username = '[email protected]' AND (active='1')
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_check_passwd() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_sql_log() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_authenticate() returning 0.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option verbose is set to "1"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option host is set to "localhost"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option db is set to "sysdb_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option user is set to "sysusr_postfix"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwd is set to "somepassword"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option table is set to "mailbox"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option usercolumn is set to "username"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option passwdcolumn is set to "password"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option crypt is set to "0"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - option where is set to "active='1'"
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_acct_mgmt() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - MySQL error (Plugin pvio_socket could not be loaded: not initialized)
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_open_db() returning 5.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_sm_acct_mgmt() returning 9.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_release_ctx() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_destroy_ctx() called.
Oct 19 18:55:41 hermes ker[6003]: process: pam_mysql - pam_mysql_close_db() called.

The error is similar to this one here:
Icinga/icinga-core#1598

Hi,

(Moving this out of the closed pull request to gain more visibility.)

Have you got any plans about making a release? It would be nice if you met the Debian stretch freeze: we could then ship a proper release in stretch instead of some Git snapshot.
Probably there are some outstanding issues which would be worth fixing, but having an official 0.8 would make it easier to see what's left to do and at the same time gain some extra exposure and testing.
So if there aren't any serious show-stopper bugs in the current code, I ask you to release it as soon as possible, then refine it in further releases. If you don't feel like making a release, please tell, and also whether you object against me packaging some Git snapshot instead for Debian.

Regards,
Feri.

I have new to meson and ninja build tool, there is errors complaining missing MYSQL type, MySQL8 (mysql-boost-8.0.15.tar.gz) built and MYSQL have been defined in /usr/local/mysql/include/mysql.h

Is that fine to comment libmariadb lines in meson.build?

#foreach dep: ['libmariadb']

deps += dependency(dep)

#endforeach

git clone https://github.com/NigelCunningham/pam-MySQL
export LIBRARY_PATH=/usr/local/mysql/include
meson ../pam-MySQL-build
cd ../pam-MySQL
/usr/local/bin/ninja

[1/92] Compiling C object libpam_mysql.so.p/src_session.c.o
FAILED: libpam_mysql.so.p/src_session.c.o
cc -Ilibpam_mysql.so.p -I. -I../pam-MySQL -I/usr/local/mysql/include -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -std=c11 -g -DHAVE_CONFIG_H -fPIC -MD -MQ libpam_mysql.so.p/src_session.c.o -MF libpam_mysql.so.p/src_session.c.o.d -o libpam_mysql.so.p/src_session.c.o -c ../pam-MySQL/src/session.c
In file included from ../pam-MySQL/src/session.c:6:0:
../pam-MySQL/src/context.h:6:3: error: unknown type name MYSQL
MYSQL *mysql_hdl;

So, there was a regression in the build process. People noticed. But more people probably noticed the issue that was present before the patch that fixed that and inadvertently caused the regression. shrug.

I have some testing stuff that can help, which I can probably cut & paste into something specific to pam-mysql, but it's designed to test whole servers, so it's using vagrant+virtualbox+ansible+serverspec and that might be a bit much?

@wferi indicates he's got something that proved when the relevant function call dropped out of exports, @NigelCunningham probably has some stuff.

I'd be happy to help, but I guess we need to take stock of what we do have, what the relevant standards are, and so on before trying to implement something.

Thoughts anyone?

PS. Obviously doff our hats to @slimlv to noticing and providing a patch for the build process.

After running, configure, and attempting to run rpmbuild per the INSTALL file, the rpmbuild command fails with a

error: line 5: Unknown tag: Copyright: Freely Distributable

removing that line then causes

error: License field must be present in package: (main package)

As a workaround, simply adding a License field at the top of the spec file corrects the issue

root@netmoon:/home/netmoon/pam-MySQL# ./configure --with-openssl
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/x86_64-linux-gnu-ld
checking if the linker (/usr/bin/x86_64-linux-gnu-ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/x86_64-linux-gnu-ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/x86_64-linux-gnu-ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking size of short... 2
checking size of int... 4
checking size of long... 8
checking size of long long... 8
checking size of mode_t... 4
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking stdarg.h usability... yes
checking stdarg.h presence... yes
checking for stdarg.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for size_t... yes
checking whether ELOOP is declared... yes
checking whether EOVERFLOW is declared... yes
checking for library containing socket... none required
checking for getaddrinfo... yes
checking for crypt in -lcrypt... yes
checking PF_INET6 availability... yes
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for gethostbyname_r... yes
checking if gethostbyname_r() is part of glibc... yes
checking if /usr /usr/local /usr/mysql /opt/mysql is a mysql_config script... no
checking mysql_config availability in /usr/bin... yes
checking for mysql_real_query... yes
checking for mysql_real_escape_string... yes
checking for make_scrambled_password_323... no
./configure: line 13867: syntax error near unexpected token openssl,libcrypto,' ./configure: line 13867: PKG_CHECK_MODULES(openssl,libcrypto,'

We're configuring a mail server for which we use pam_mysql to consult the mailbox database managed by postfixadmin to authenticate e-mails. Postfixadmin's encrypted passwords contain a small header that denotes the encryption algorithm within the text of the hash itself. When this header is present, pam_mysql fails to authenticate the password, but when it isn't, authentication succeeds. Postfixadmin checks for this header when logging in, so the easiest way to solve this issue is to specify the SQL query that pam_mysql uses in a way that omits this header. As far as I can tell from the available configuration directives, this is not an option, though the "where" option is similar. Is this a reasonable feature to add?

I think there is some confusion going on, even upstream, regarding these functions that unfortunately have very similar (long) names:
make_scrambled_password()
my_make_scrambled_password()
my_make_scrambled_password_sha1()

This is the current status:
make_scrambled_password(): wrapper for my_make_scrambled_password_sha1(). Produces hex text output.
my_make_scrambled_password(): something entirely different. Produces a non-hexified hash
pam_mysql's my_make_scrambled_password(): seems to mimick upstream's my_make_scrambled_password_sha1()

Bottom line, using upstream's my_make_scrambled_password() with a 42 byte buffer will lead to buffer overflows since it is not the same as my_make_scrambled_password_sha1() or the one reimplemented in pam_mysql.c. Upstream's my_make_scrambled_password() takes a CRYPT_MAX_PASSWORD_SIZE len buffer and does not produce the same type of value that is stored in the table when the PASSWORD() SQL function is used.

I think upstream is nowadays just not exporting the correct function. They should probably export make_scrambled_password() which maps to my_make_scrambled_password_sha1(), but it's messy now. I added a comment to #80974

For pam_mysql, I suggest to use make_scrambled_password() from mysqlclient if it exists, and if not reimplement it as you are doing now, but with the name make_scrambled_password.

Last but not least, even if it weren't for the overflow problem, the authentication will never work because the output of my_make_scrambled_password() will never match the hexified hash stored on the server.

Is there a way to suppress log messages such that all I get in auth.log are fail and success events?

Specifically I would like to get rid of theses:

Oct 9 17:41:03 celaeno saslauthd[53501]: pam_mysql - SELECT returned no result.
Oct 9 17:41:03 celaeno saslauthd[53501]: pam_mysql - SELECT returned no result.
Oct 9 17:41:03 celaeno saslauthd[53501]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module

but keep these:

Oct 9 17:41:03 celaeno saslauthd[53501]: : auth failure: [user=lia.b] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

centos 7
openvpn: OpenVPN 2.4.6

server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 10
status-version 2
log /var/log/openvpn.log
verb 3
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
reneg-sec 0

client:
client
dev tun0
proto tcp
remote 10.0.12.36 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
nobind
auth-user-pass
reneg-sec 0
auth-nocache
comp-lzo
verb 4

pam for openvpn:
auth required pam_mysql.so user=xxx passwd=xxxx host=localhost db=xxx table=openvpn usercolumn=username passwdcolumn=password where=active=1 crypt=sha1 use_first_pass debug
auth required pam_google_authenticator.so secret=/etc/openvpn/google-auth/${USER} user=root echo_verification_code debug forward_pass no_increment_hotp
account required pam_permit.so debug

on client I user password + google code, failure, logs:
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - option debug is set to ""
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_format_string() called
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: start of google_authenticator for "admin"
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: Invalid verification code for admin
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.

if I user command like:
pamtester openvpn admin authenticate
Password & verification code: xxxxxxxxx
pamtester: Authentication failure
failure log:
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - option debug is set to ""
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_format_string() called
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: start of google_authenticator for "admin"
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: no scratch code used from "/etc/openvpn/google-auth/admin"
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: Accepted google_authenticator for admin
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_close_db() called.

if remove auth required pam_mysql.so user......, openvpn is ok for google otp.
how to user username + password & google otp access openvpn ? thx

Hi,
I am using Fedora long time and installed maybe 10mail servers with PAM_MYSQL authentication over SASLauthd

I wanted to make new server on new Fedora 37, same as before. But without success of usage SASL with PAM_mysql

Users are crypted in DB via postfixadmin in MD5CRYPT and password encrypted in MD5RAW as default setting

Dovecot which is not using PAM_mysql is working only PAM_mysql

in SASL with PAM_MYSQL - everytime when user exists, it writes me "size read failed" and SASL deactivate it

There is visible in Journalctl that problem looks be in PAM_MYSQL
error_journal.txt

Hey
Thanks for refactoring pam-MYySQL module.

When I use the new beta1 version, I got this error.

'$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0' v '$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0' (<= 'sldkjfsdf'). Error = 0.
malloc(): invalid size (unsorted)

The issue does not exist in version 0.8.2

My pam configuration is like this:

    auth required pam_mysql.so user={{ .Values.mysql.user }} passwd={{ .Values.mysql.password }} host={{ .Values.mysql.host }} db={{ .Values.mysql.dbname }} table=users usercolumn=userid passwdcolumn=passwd crypt=1
    account sufficient pam_mysql.so user={{ .Values.mysql.user }} passwd={{ .Values.mysql.password }} host={{ .Values.mysql.host }} db={{ .Values.mysql.dbname }} table=users usercolumn=userid passwdcolumn=passwd crypt=1

The password format I'm using is: (generated with openssl passwd -1)
$1$GcEzthuz$H9PYgAACHdtkxtTSHsYwT0

The my_make_scrambled_password() function is exported by the MySQL client libraries "to provide backwards compatibility with applications that for legacy reasons use undocumented symbols". It isn't declared in the client header files.
See https://bugs.mysql.com/bug.php?id=80974 and https://github.com/jedisct1/pure-ftpd/issues/37 for background. A reimplementation is available as well.

Hi,

with recent versions (0.8.0 on Ubuntu and current git master), I came across an issue with crypt. It looks like this:

saslauthd[1328]: pam_mysql - option verbose is set to "1"
saslauthd[1328]: pam_mysql - pam_mysql_close_db() called.
saslauthd[1328]: pam_mysql - pam_sm_authenticate() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() returning 0.
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() called.
saslauthd[1328]: pam_mysql - pam_mysql_format_string() called
saslauthd[1328]: pam_mysql - pam_mysql_quick_escape() called.
saslauthd[1328]: pam_mysql - SELECT password FROM account WHERE login = 'myuser'
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() returning 6.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() called.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() returning 0.
saslauthd[1328]: pam_mysql - pam_mysql_converse() called.
saslauthd[1328]: pam_mysql - pam_mysql_open_db() called.
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() called.
saslauthd[1328]: pam_mysql - pam_mysql_format_string() called
saslauthd[1328]: pam_mysql - pam_mysql_quick_escape() called.
saslauthd[1328]: pam_mysql - SELECT password FROM account WHERE login = 'myuser'
saslauthd[1328]: pam_mysql - something went wrong when invoking crypt() - Invalid argument
saslauthd[1328]: pam_mysql - pam_mysql_check_passwd() returning 6.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() called.
saslauthd[1328]: pam_mysql - pam_mysql_sql_log() returning 0.
saslauthd[1328]: pam_mysql - pam_sm_authenticate() returning 7.
saslauthd[1328]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
saslauthd[1328]: pam_mysql - pam_mysql_release_ctx() called.
saslauthd[1328]: pam_mysql - pam_mysql_destroy_ctx() called.
saslauthd[1328]: pam_mysql - pam_mysql_close_db() called.

/etc/pam.d/smtp:

auth    sufficient /lib/x86_64-linux-gnu/security/pam_mysql.so host=mysqlhost user=postfix passwd=mypass db=mydb table=account usercolumn=login passwdcolumn=password crypt=1 verbose=1
account required   /lib/x86_64-linux-gnu/security/pam_mysql.so host=mysqlhost user=postfix passwd=mypass db=mydb table=account usercolumn=login passwdcolumn=password crypt=1 verbose=1

We are migrating to newly setup SMTP servers (with newer OSes) and are currently testing. My coworkers were able to authenticate, I wasn't.

Then I noticed something: my crypted password in the DB contained a " character. I re-set the same password in our frontend, so that a different crypt string (without ") was being written to the database, and I was able to authenticate again.

So I guess that crypt() doesn't like row[0] being a string containing " here:

On our old SMTP servers, this issue never occured, so something somewhere (pam_mysql, PAM itself, libc or wherever crypt sits in) has changed at some point, introducing this bug. It's probably not even something you can fix, but you have a better insight and maybe other affected people see this issue.

With Centos 7 and Mariadb, this is the full log in /home/centos/pam-MySQL-build/meson-logs/meson-log.txt

=========================================================

Build started at 2024-01-15T21:36:01.111737
Main binary: /usr/bin/python3
Build Options:
Python system: Linux
The Meson build system
Version: 0.55.1
Source dir: /home/centos/pam-MySQL-master
Build dir: /home/centos/pam-MySQL-build
Build type: native build
None of 'PKG_CONFIG_PATH' are defined in the environment, not changing global flags.
None of 'PKG_CONFIG_PATH' are defined in the environment, not changing global flags.
Project name: pam-mySQL
Project version: 0.9-alpha1
None of 'CC' are defined in the environment, not changing global flags.
None of 'CFLAGS' are defined in the environment, not changing global flags.
None of 'LDFLAGS' are defined in the environment, not changing global flags.
None of 'CPPFLAGS' are defined in the environment, not changing global flags.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity testing C compiler: cc
Is cross compiler: False.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity check compiler command line: cc /home/centos/pam-MySQL-build/meson-private/sanitycheckc.c -o /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe -pipe -D_FILE_OFFSET_BITS=64
Sanity check compile stdout:

Sanity check compile stderr:

Running test binary command: /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe
C compiler for the build machine: cc (gcc 4.8.5 "cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)")
C linker for the build machine: cc ld.bfd 2.27-44
None of 'AR' are defined in the environment, not changing global flags.
None of 'CC' are defined in the environment, not changing global flags.
None of 'CFLAGS' are defined in the environment, not changing global flags.
None of 'LDFLAGS' are defined in the environment, not changing global flags.
None of 'CPPFLAGS' are defined in the environment, not changing global flags.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity testing C compiler: cc
Is cross compiler: False.
None of 'CC_LD' are defined in the environment, not changing global flags.
Sanity check compiler command line: cc /home/centos/pam-MySQL-build/meson-private/sanitycheckc.c -o /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe -pipe -D_FILE_OFFSET_BITS=64
Sanity check compile stdout:

Sanity check compile stderr:

Running test binary command: /home/centos/pam-MySQL-build/meson-private/sanitycheckc.exe
C compiler for the host machine: cc (gcc 4.8.5 "cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)")
C linker for the host machine: cc ld.bfd 2.27-44
None of 'AR' are defined in the environment, not changing global flags.
Build machine cpu family: x86_64
Build machine cpu: x86_64
Host machine cpu family: x86_64
Host machine cpu: x86_64
Target machine cpu family: x86_64
Target machine cpu: x86_64
Program mysql_config found: YES
Running command: /bin/mysql_config --include
--- stdout ---
-I/usr/include/mysql -I/usr/include/mysql/mysql

--- stderr ---

meson.build:29:2: ERROR: Unknown method "substring" for a string.

It seems most distros will only send out new versions once an official release is made.

Currently, from my testing of pam_mysql now - 0.8.1 only seems to support md5(?) via crypt. From the commit history, I believe using crypt will now also do up to sha512.

It would be good to release this (if working) as v0.8.2 so this improvement can be put out in the distros.