[patch] Builtin Mysql authentication

Damien Miller djm at mindrot.org
Fri Jun 6 01:10:09 EST 2003


André Luís Quintaes Guimarães wrote:
>     Hi,
>           I would like to propose a patch that authenticates users in a
> mysql database without the use of nss-mysql or pam-mysql.

Thanks, but such a patch is unlikely to be accepted. For a start,
MySQL's LGPL license is contrary to our goal of having BSD or similar
licenses on everything in OpenSSH.

I don't think that per-application patches are the best way to integrate
alternate user lookup / authentication systems.

Also, if we were to accept a ssh-mysql patch then we would probably have
to accept a ssh-pgsql and a ssh-sapdb and maybe a ssh-oracle patch. This
leads to an explosion of optional code which reduces security and
undermines our ability to properly test the software. (we already have
too many options in our code IMO)

>         I have a working patch, such that in case of a failure in getpwnam()
> it searches for the user in a mysql database and fills his pw password
> struct. Although my actual patch uses pam-mysql to authenticate, I think it
> would be better if all authentication is builtin openssh, eliminating
> entirely the use of pam or nss (which I don't trust).

... and yet you trust MySQL?

My opinions of PAM and NSS are pretty poor, but at least the developers
of those are highly focused on security. I don't recall many recent
security bugs in either of these, but several issues with MySQL.

-d
More information about the openssh-unix-dev mailing list