If you work with a Debian, an "apt-get install php-yp" should be sufficient to make PHP NIS aware! It should be almost the same with any "rpm" compliant distribution. But your administrator might prefer to compile PHP by himself instead of using packages...

I am not sure either if it will be easier to switch to PAM ! The only way I can see today to achieve such integration is via the simple php pam_auth module you can find here:
http://www.math.ohio-state.edu/~ccunning/pam_auth/

But it might take you time to make it work (and require a new XOOPS module to integrate it smoothly with Xoops). An interesting one to write one of these days

But my main concern is: if you switch to PAM for PHP, you will have to do the same for your IMAP server. That means that all of your users will have to use another login/password, unless you are using the same authentication repository for the pam module and NIS.

What is the EXACT goal you want to achieve ???

Best regards,

Benoit

Hi again Sunita,

You will have to use PAM to authenticate your IMAP users too. Have a look at how your IMAP server can authenticate users. It is really server dependant.

Concerning security: if you are running inside a corporate network with no access to the Internet a NIS server properly configured would be definitively secure enough !!!

But PAM is indeed much powerfull and flexible. The problem is that the PHP pam_auth does not seems to be as flexible (reading the doc - never tried so I might be wrong).

Another remark: if you use PAM and you make your password travel in clear over the network (without HTTPS for XOOPS for instance or with IMAP), you will weaken the security of all your infrastructure. If the authentication repository behind your PAM module is known to be secure, it won't be anymore... Take care of what you are doing and think that the security level is defined by the weakest part of the architecture.

Hope this will help you to make the right choices according to your needs and requirements.

Benoit

Hi Mercibe,

Thanks for that info. I can now understand how critical it is to set a secure system. But right now I don't have enough time to do this.

We have a linux-apache based mail server with over 3000 email users. The username and password is stored in a simple text file. The users are authenticated using IMAP via PAM.

This is my requirement:

1. My XOOPS website mainly has some news of our community and a forum for users to read and post. I need to allow all the 3000+ users who are using the email accounts to login to the forum using the same username/password.

Since implementing the PAM login seems to be complicated and time consuming, I am thinking of simply copying the entire users+password on to the MySql database. I need to know if there is any good software available to do that. I also understand that all the passwords are stored in MD5. So, I might need to convert all my current password encription to MD5. How can I do that?

2. If I am sucessfull in importing the users to the database, is XOOPS stable enough to support such a huge database? What issues I am likely to face?

Although the purpose of modifying the process is mainly to allow access to post in the forum, I am really concerned how I am going to implement this without compromising on security.

Could you pls suggest how I should best approach this. Alternatively, Is there any other free forums available which can easily meet the above requirement?

Thanks for all your help.

Best regards

Hi Sunita,

I understand your requirements better now. But why did you ask for NIS integration if your IMAP server is using PAM to authanticate your users ??? Does the PAM module use NIS as the background authentication mechanism ? If yes, you could simply use the NIS module I provided to you. If not, I don't understand.

Your Requirement 1:
Implementing PAM might be difficult or very simple: I have never tried it before (no time today ). It would be a pity to import your mail users into XOOPS database. What about security, maintenance/synchronisation, password changing, new users, etc. ? Please try to forget about that !

Your requirement 2: Are you kidding ? Today the http://www.xoops.org have more than 20.000 members (https://xoops.org/modules/xoopsmembers/) It is a MySQL behind Xoops, not a Microsoft Access one! But I hope you won't need to test it with your "poor" 3000 users

I think honestly that XOOPS is the right solution for you if we could manage to authenticate users via PAM (we already have XOOPS native, LDAP, Active Directory, NIS and CAS). XOOPS can do much more than just news and forums. You never know what will be your future needs. You could have a look at phpBB (http://www.phpbb.com) but I have some doubt... (search for PAM and Authentication in forums: you will find 2 or 3 questions without answers...)

I will try to implement a PAM module but allow me at least 1 week

Best regards,

Benoit

Hi Benoit,

Glad for all your advice.When I first asked you about NIS, I was not aware how it works and how it is implemented on our server. My administrator advised me to use the PAM module instead to connect to the NIS server. If I am to use the NIS module, would there be any modification to be made to connect thorough PAM? If not, then I will surely give the nis module a try.

But, I am running short of time, so I have managed to copy the text file containing the username and password to the MySQL database. Now I find the password was encryted using encrypt() function not md5 as used in xoops. I then modified all files using md5 to change to crypt()(for php).
I am not sure if I have done right. The get the user login page but it gives me incorrect login error msg. Do you know which files use md5() to check password? Also when I copyied the username and password, I only copied it into xoops_users table in the database. Do I need to change anything else in the database?

Once again thanks for all the advice. After I have set login issue using the import users to database method, I will also try and work on the NIS/PAM module. I know this method of importing the users is not very feasible but due to time constriant I shall use it until a more efficient method. Please help me if you know where I must be making a mistake regarding the database as I mentioned above.

Best regards
Sunita

If I were short in time as you seem to be, I would definitely use the NIS module instead of copying all my users in the XOOPS DB... It seems that the PAM module your administrator adviced you to use is using the NIS server you planned to use. So I do not see any reason to, even temporarly, using directly the NIS server from Xoops.

But I am not you

So to add users manually to xoops, the xoops_users table is the only one needed (don't forget to put a username, a mail address, activate the account, etc. in this table)

You are hacking XOOPS authentication process to add your users. The problem is, I think, that you do not have the clear text password of your users...

Are you sure you are using the good salt with the crypt function? Look at the value of CRYPT_SALT_LENGTH in a PHP script and use the correct salt at every call of the crypt function (see NIS module code if needed )

CRYPT_STD_DES - Standard DES-based encryption with a two character salt

CRYPT_EXT_DES - Extended DES-based encryption with a nine character salt

CRYPT_MD5 - MD5 encryption with a twelve character salt starting with $1$

CRYPT_BLOWFISH - Blowfish encryption with a sixteen character salt starting with $2$

Hope this will help !

Benoit

Hi Benoit,

I decided to drop the idea of copying to XOOPS DB. You are right its much more complex. I cannot use NIS directly, because my administrator believes it should be done at the PAM level only, since it is more secure.

Regarding PAM module, I guess you must have checked this code snippet :
http://www.math.ohio-state.edu/~ccunning/pam_auth/README

Is it possible to create a seperate login page using this code to check the user and then set something to allow the validated user to post to the forum? I hope you get my point. Since I need the login process only to post in the forum, is there any way I could accomplish this without much effort. The above code seems to be fairly simple to implement. Can it also be possible to post in the forum without having to add/update the users to the MySQL database as other authentication methods implemented within XOOPS does.

Also, to make the process of login more secure can the following also be implemented :
- 3 second delay between authentication attempts if failed
- after 3 failed attempts, send user to homepage so that he has to click on the login link again
- write an entry in syslog with username and IP address whenever authentication is failed.

I guess I will have to delay the launch of my site until this issue is resolved. Look forward to your advice and also the PAM module you plan to work on.

Best regards

Hi again,

I managed to authenticate using PAM. I used the NIS script you wrote and modified it using the http://www.math.ohio-state.edu/~ccunning/pam_auth/README as reference. Now I can authenticate correctly.

Could you please clarify few things regarding the authentication module:

1. I understand when to username/password is checked using NIS/LDAP/PAM etc, if correct the username is checked in the XOOPS database. It is then added/updated accordingly. Is it necessary to copy password to the database? I do not want to store the password in the database. If I remove that part of the code, valid users are not being logged in. Is there any solution to this?

2. As mentioned in my previous email, I need to implement a very secure system. What should I edit to do these ?

Quote:

Thanks to you, I have been able to implement a login using PAM. Please help me with the above queries too.

Best regards

Great news and congratulations !

I planned to have a look at this PAM module this weekend...

1. Users, even when authenticated outside of the XOOPS scope, have to be inserted in the XOOPS DB. This is mandatory since a lot of modules/tables reference them by their unique xoops_user table identifier (a good thing). So you are right, almost all authentication modules first authenticate the user via LDAP or AD for instance, insert/update user data in XOOPS and continue the normal XOOPS authentication process. So users are authenticated twice and, you are right, the password (not the password, a hash key only) of the external system is kept in the XOOPS DB. But it is updated at each new user login. This is the only way to allow a mixed authentication: external XOOPS users and XOOPS only users. But this way of doing is NOT mandatory. For the CAS module (strong security), XOOPS do not even receive the password of the user. The page that perform the authentication is a non XOOPS page. So, the CAS realm users are the only ones able to connect to Xoops. But I still have to add them to the XOOPS DB. So I generate a fake password based on the username in the password field. I have even implemented and deployed a mixed CAS and XOOPS authentication module (not published yet on Internet ) that, based on the username (and the fake password algorithm) redirects the user either to the CAS login page or to the XOOPS standard page. The authentication process is splitted in 2 phases: first the user has to enter his login and then his password, either in the CAS page or XOOPS page. This is a complex and powerful module

Conclusion: if you need "mixed authentication" (Xoops+PAM) and do not want to store the "PAM" password in the XOOPS DB, generate a fake one based on the username (using your own function/algoithm). So that the password is kept secret (more or less since XOOPS at one moment in time owns it and YOU could do anything with it...). This is one of the strenghs of mechanisms like CAS. If you do not need mixed authentication (PAM only), you can even modify the code to not authenticate users twice. I suggest you do that in your own separated authentication modules, so that when XOOPS will integrate this hack in a future version you won't have to hack anymore You can always keep the original modules and work/hack on copies with other names.

2. Unless you use a completely externalized authentication process (like CAS) with full SSL (HTTPS) encryption during the login process, you won't have the minimum needed to a more or less secure system. A "very secue system" does not mean a lot of things to me. What about the process of password lost, modification, etc. ? A delay between erroneous failed authentications can only prevent you of brute force password attacks. And this should be implemented by the underlying PAM authentication system, not Xoops.
For syslog use, adapt your code as you like using PHP's syslog functions (http://www.developer.com/lang/php/article.php/3327111)
For redirection to the Homepage, you could use a Session variable to hold the number of failed attempts. At the third one, reset to 0 and redirect to home page.

It would be interesting to have that 2 last possibilities as options for all authentication modules, wouldn't be ?

Best regards,

Benoit

Hello folks,

OK, I'm the 'bad system administrator' whom Sunita was referencing in messages here about plugging in PAM authentication in XOOPS (OK, OK, she never actually wrote that

I've taken over finishing this project because she didn't have the resources to implement the session logging that I asked her to implement (and to reply to another post on the topic, I don't think it can be implemented by tweaking the PAM configuration... yes, it could be clearner to do this by adding the needed code to the pam_auth PHP module, but well, I chose to modify the PHP code at this point).

So I've been hacking into your authentication modules. I've found out that the logoutUser() function might be missing a:

global $xoopsUser;

line so that it can access this object in the code further down:
if (is_object($xoopsUser)) {
...

Seems to me that this test always fails and as a side effect entries are never taken out of the online users table in the DB... or am I misled?

I needed to dig out the current username to build the syslog logout message, so I had to call $xoopsUser->getVar('uname') from within the logoutUser function. It seems that $xoopsUser is always undefined. I'm no object-oriented PHP guru by far, but the 'global' statement made the trick here.

Just for what it's worth.
Greets,
_Alain_