Sunday, October 21, 2007

Solaris 10 package for pam_mysql

There are many choices for authentication in the UNIX operating system, and PAM (Pluggable Authentication Modules) gives a flexible and powerful interface to many of them.

Over at http://pam-mysql.sourceforge.net you can download source for a PAM module that allows authentication against MySQL - very handy. At 360is we have a managed email solution that permits virtual domain information to be stored in a MySQL database, and pam-mysql provides a nice method to authenticate IMAP and SMTP sessions against this database.

Faced with rolling this out to many Solaris systems, we decided to compile pam-mysql and produce a Sun package of it - you can download it from here. We've only built this on Solaris 10 for i386 so far, but if demand for a SPARC version arises, we can probably build it too.

It's compiled with Sun Studio 11, complete with optimisations, and is linked against MySQL5 from Blastwave. You'll need a couple of packages from Blastwave to satisfy the dependencies (noted in the package) - CSWmysql5rt [mysql5rt] and CSWosslrt [openssl_rt].

A typical use would be to have Cyrus SASLauthd authenticating against PAM. Here's a quick example of pam.conf entries for the smtp service:


smtp auth sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp auth required pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp account sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0


...replace each [] placeholder with the correct value for your own database.

Wednesday, October 10, 2007

Security assessments of Solaris systems

One of the banes of our lives whilst doing vulnerability assessments of Solaris has been finding which process owns a given listening TCP port. On Linux this is easy to establish with a 'netstat -p', but Solaris has always called for the additional lsof package to help out. You could always mess about with pfiles to find the answer, but now somebody has kindly written a wrapper around it and created pcp.

Here's a quick example...


root@web ~ # netstat -an | grep LISTEN
88.111.12.111.80 *.* 0 0 49152 0 LISTEN
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
88.111.12.111.22 *.* 0 0 49152 0 LISTEN


During our assessment we spot the open port 587, and we're a little unsure about it. So we run pcp with the '-p' switch and the port number...


root@web ~ # pcp -p 587
PID Process Name and Port
_________________________________________________________
853 /usr/lib/sendmail 587
sockname: AF_INET 127.0.0.1 port: 587
_________________________________________________________



Et voila! It's sendmail with a process ID of 853. So simple.

pcp is a great tool to establish what process owns a listening port, and makes assessing Solaris systems considerably easier!
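For hosts where pcp is not installed, the pfiles approach mentioned above can be scripted directly. The following is an added example, not the pcp source and not code from the original post: the function names, the script name portowner.sh and the sample pfiles output are assumptions constructed for illustration. It needs a POSIX shell such as ksh or bash rather than the legacy Solaris /bin/sh.

```shell
#!/bin/sh
# Added example, not the pcp source: find which process owns a local port
# by filtering pfiles output. Run as root so pfiles can inspect every process.

# Constructed pfiles output for the sendmail process in the post.
SAMPLE_SERVER='853: /usr/lib/sendmail -bd -q15m
   4: S_IFSOCK mode:0666 dev:0,0 ino:1001 uid:0 gid:0 size:0
        sockname: AF_INET 127.0.0.1  port: 25
   5: S_IFSOCK mode:0666 dev:0,0 ino:1002 uid:0 gid:0 size:0
        sockname: AF_INET 127.0.0.1  port: 587'

# Constructed output for a client connected to port 587. Only its peername
# carries 587, so it must not be reported as the owner.
SAMPLE_CLIENT='901: /usr/bin/telnet 127.0.0.1 587
   3: S_IFSOCK mode:0666 dev:0,0 ino:1003 uid:100 gid:10 size:0
        sockname: AF_INET 127.0.0.1  port: 40123
        peername: AF_INET 127.0.0.1  port: 587'

# port_sockets PORT: read one process's pfiles output on stdin. Print its
# "PID: command" header and each socket whose local port is PORT.
# Returns 1 when nothing matches, 2 when PORT is not a plain number.
port_sockets() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    out=$(cat)
    # Anchor at end of line so 58 does not match 587; skip peername lines.
    socks=$(printf '%s\n' "$out" | grep "sockname: .*port: *$1 *\$") || return 1
    printf '%s\n' "$out" | sed -n 1p
    printf '%s\n' "$socks"
}

# scan_all PORT: run every PID under /proc through pfiles (Solaris only).
scan_all() {
    for dir in /proc/[0-9]*; do
        pfiles "${dir#/proc/}" 2>/dev/null | port_sockets "$1"
    done
    return 0
}

if [ $# -eq 1 ]; then
    scan_all "$1"          # e.g. ./portowner.sh 587
else
    printf '%s\n' "$SAMPLE_SERVER" | port_sockets 587   # offline demo
fi
```

Matching on sockname reports any socket with that local port, so an accepted connection on the port is listed alongside the listener; cross-check against the LISTEN lines from netstat -an.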