Open Bug 208540 Opened 21 years ago Updated 10 years ago

Add a PAM extension to use unix accounts for authentication

Categories

(Bugzilla :: Extension Ideas, enhancement)

x86
Windows 2000
enhancement
Not set
normal

People

(Reporter: shengh, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6

Our group is using Bugzilla to track our development issues; this is really a
nice system. Thanks, guys.

Our local policy forces us to change the login password from time to time, hence
it's quite difficult to remember different passwords for different accounts, and
now comes Bugzilla, so we need to remember one more.

It would be nice if we could have a way to use the unix login account password,
which can be achieved by getting it through - ypmatch - etc.

As I understand it, Bugzilla is using MySQL's built-in password() function,
whereas unix has a different algorithm when doing the encryption part, and they are
quite different. We can do the hacking ourselves, but we don't want it this way
as we would like to upgrade the system as newer versions of Bugzilla become
available. Thus we are looking for a standard solution.


I think this would have to add a new parameter to the system, where the admin of the
system can decide whether to go with the MySQL authentication and account
management or the unix account and password.

Secondly, the password would NOT need to go into the database, as the Unix OS will
take care of the management. Or if it's needed, then bypass the MySQL password()
function, and compare the unix encrypted password with the one stored in the
database.

Then this would require a script to automatically update the user profile for
the password field periodically, like the Apache web server (we have a script that
picks up all valid web user members and gets their password/login pair from
yellow pages, and updates the http dot file for the allowed user list).


Many thanks for reading my post, and sorry for my poor English.


kind regards,
sheng




Reproducible: Always



Expected Results:  
option to use unix password and auto update database when user password changed

Now that the auth modules are split out, this wouldn't be that hard to do. I
seem to recall seeing a bug on using PAM, which would be a more general solution.
Can't find it now, though.

You'd have to be root though, so that you could read /etc/shadow.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I don't think we ever actually had a bug for using PAM, it was just discussed
several times on the newsgroup and irc and such.  That would indeed be the best
solution for this.

Just to point out some myths in the original comment here...
1) Bugzilla does not use MySQL's crypt() for passwords, precisely for that
reason, that it's inconsistent from one platform to the next (and actually
doesn't even work on some platforms).  We use Perl's crypt() routine, which
still may or may not match the crypt used for your password files, depending on
your system.
2) Since you mention ypmatch, do you happen to have the user database available
via LDAP?  Bugzilla's LDAP support has much improved recently, and that would be
an existing way you could tie it in if that avenue is available.
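
The crypt() mismatch raised in point 1 above can be checked on a given host before relying on password-file hashes. This is an added example, not part of the original comment and not Bugzilla code; the function names, the probe salt and the sample password are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code). Function names, password and salt are constructed.
use strict;
use warnings;

# Modular crypt format ids; a hash without a "$id$" prefix is traditional DES.
my %SCHEME = ('1' => 'MD5', '5' => 'SHA-256', '6' => 'SHA-512');

sub scheme_of {
    my ($hash) = @_;
    return $SCHEME{$1} // 'unknown' if $hash =~ /^\$([0-9a-z]+)\$/;
    return 'DES';
}

# True if the platform crypt() behind Perl implements the scheme. An
# unsupported scheme gives undef, an error token, or output without the prefix.
sub crypt_supports {
    my ($prefix) = @_;    # e.g. '$6$'
    my $out = crypt('probe', $prefix . 'constructedsalt$');
    return (defined $out && index($out, $prefix) == 0) ? 1 : 0;
}

# Re-hash the candidate using the stored hash as the salt argument (it carries
# scheme id and salt), then compare without an early exit on the first mismatch.
sub verify {
    my ($password, $stored) = @_;
    my $calc = crypt($password, $stored);
    return 0 unless defined $calc && length($stored) && length($calc) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($calc, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

for my $prefix ('$1$', '$5$', '$6$') {
    printf "%-8s %s\n", scheme_of($prefix), crypt_supports($prefix) ? 'supported' : 'NOT supported';
}

# Constructed sample: hash a password with SHA-512 crypt, then verify against it.
my $stored = crypt('constructed-password', '$6$constructedsalt$');
if (defined $stored && index($stored, '$6$') == 0) {
    printf "correct password: %d\n", verify('constructed-password', $stored);
    printf "wrong password:   %d\n", verify('wrong-password', $stored);
}
```

A scheme reported as NOT supported means hashes of that type copied from the system password database cannot be verified through Perl's crypt() on that host.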
*** Bug 208914 has been marked as a duplicate of this bug. ***
We use pam-ldap for unix and the same LDAP tree for bugzilla, with posixAccount
schema.

See also bug #284506 
QA Contact: mattyt-bugzilla → default-qa
Assignee: myk → user-accounts
We don't need to support this in the core; it should be possible to implement this as an extension using Bugzilla's modular auth system.
Assignee: user-accounts → extension.ideas
Component: User Accounts → Extension Ideas
Summary: option/enhancement to use unix password → Add a PAM extension to use unix accounts for authentication