Projects :: FuzzAuth


FUZZauth came to life when I needed a simple but secure distributed authentication mechanism for a project.

As I decided to use a PostgreSQL backend, I first tried pam_pgsql and friends, but the biggest problem with that configuration is that the username and password have to be known by the userland utilities to perform an authentication. On top of that, installing the PostgreSQL libraries on every client and allowing all the clients to connect directly to the database over a cleartext connection is simply insane. (Of course one can tunnel it through SSL etc., but yaddayadda...)

What it is (or at least aims to be):
  • Secure
  • Networked with IPv4 and IPv6 support
  • Centralized but with failover
  • Easy

What it isn't:
  • PAM replacement (though it could be made one if you really want).
  • Kerberos
The general idea:

Copyright Information

The code for FUZZauth was written by Jeroen Massar <jeroen@massar.ch>
The copyright for this package is owned by Jeroen Massar <jeroen@massar.ch>
(C)2002-2005 Jeroen Massar <jeroen@massar.ch>
You should have found a copy of the GNU Public License in this archive, located in the 'doc' directory; it is called LICENSE.

Where to get it

The latest tarball can be found here: fuzzauth-2002-02-12.tgz.

Compiling and installing

vi /etc/pam.d/<service> and add:
auth sufficient pam_fuzzauth.so
account sufficient pam_fuzzauth.so
password sufficient pam_fuzzauth.so
session sufficient pam_fuzzauth.so
You will probably want to put these after stuff like nologin/env/lastlog/motd/mail etc., but before the 'required' entries of pam_unix. Note also that when the daemon isn't running the module returns directly, so it should still be possible to log in to system accounts at any time. For password you should add:
password sufficient pam_fuzzauth.so
And add 'use_first_pass' for the other modules so they won't ask for a password when the user isn't specified by fuzzauth.
/etc/nsswitch.conf is even easier:
passwd: compat fuzzauth
group: compat fuzzauth
Which would do the trick. FUZZd is fully nscd compatible, and nscd saves some db queries too ;) Of course don't forget to restart nscd when you have edited the config. The next step is to configure FUZZauth to use the correct authenticator plugin. Don't forget to configure the plugin too, so it knows where to find its data.
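As an added illustration (not a file from the FUZZauth tarball), here is a complete /etc/pam.d/<service> stack laid out the way the paragraph above describes, with pam_fuzzauth placed after the nologin/env/lastlog/motd/mail modules and before the required pam_unix entries, which carry use_first_pass so they reuse the password that was already collected; the nsswitch.conf lines follow. The module names other than pam_fuzzauth are the standard Linux-PAM ones and are assumed to be what the author means by nologin/env/lastlog/motd/mail.

```text
# /etc/pam.d/<service>   (example stack, assumed; adapt to your service)
auth      required    pam_nologin.so
auth      required    pam_env.so
auth      sufficient  pam_fuzzauth.so
auth      required    pam_unix.so use_first_pass

account   sufficient  pam_fuzzauth.so
account   required    pam_unix.so

password  sufficient  pam_fuzzauth.so
password  required    pam_unix.so use_first_pass

session   optional    pam_lastlog.so
session   optional    pam_motd.so
session   optional    pam_mail.so
session   sufficient  pam_fuzzauth.so
session   required    pam_unix.so

# /etc/nsswitch.conf   (the two lines from the text)
passwd:   compat fuzzauth
group:    compat fuzzauth
```

A failing 'sufficient' module is ignored by PAM, so if fuzzd is down the stack simply falls through to pam_unix and local system accounts keep working; a fuzzauth success, on the other hand, ends the stack before pam_unix is consulted.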

Compiling and installing php_fuzzauth.so

Change the PHP_SOURCE value in the Makefile and set it to the root of your PHP source tree. On Debian use apt-get source php4 and point it at the directory where the tarball was extracted. Probably any version matching the ZEND_VERSION will do. Compile and install it into the correct directory, then add:
to php.ini (/etc/php4/apache/php.ini and /etc/php4/cgi/php.ini on Debian ;) Now restart your Apache, or call a PHP script through the CGI edition, and check phpinfo(), which should show the FUZZauth version; otherwise check your error logs for hints. Now all your PHP code can use:
bool fuzzauth_Authenticate(sUsername, sPassword)
bool fuzzauth_ChangePassword(sUsername, sPassword)
bool fuzzauth_UserExists(sUsername)
For example:
<?php
/* FUZZauth - http://unfix.org/projects/fuzzauth/
 * fuzzauth.php - Example FUZZauth functionality with PHP by Jeroen Massar <jeroen@massar.ch> */
$name = "fuzzel";
$old  = "currentpass";
$new  = "newpass";

if (fuzzauth_UserExists($name)) {
	echo "User found<br />";
	if (fuzzauth_Authenticate($name, $old)) {
		echo "User authenticated correctly with old password<br />";
		if (fuzzauth_ChangePassword($name, $old, $new)) echo "Password changed successfully.<br />";
		else echo "Changing password failed.<br />";
	} else echo "Authentication failure.<br />";
} else echo "User doesn't exist.<br />";
?>


These are the interfaces used by the system
  • libpam_fuzzauth (Pluggable Authentication Modules)
    Authentication & Password management.
  • libnss_fuzzauth (Name Service Switch)
    User & group listing, uid->name & name->uid, gid->groupname & groupname->gid.
  • telnet
    Telnet to the TCP/IP socket and you will understand it ;)
  • PHP plugin
    allows one to do "<?php fuzzauth_Authenticate($user, $password) ?>" etc... ;)

Packet Encryptors

- compile time or library based...
  • Plain (always; conversations, except unixsocket ones, start in this mode)
  • Packet
  • Packet/SSH
  • Packet/SSL