
Introduction

FUZZauth came to life when I (Jeroen Massar) needed a secure distributed authentication mechanism for the ICS Project. The ICS (Information and Computer Sciences) project was a project that would provide the students and tutors of the Hogeschool Rotterdam with a distributed authentication system, offering, amongst others, shell, web and database services.

As I decided to use a PostgreSQL backend I first tried to use pam_pgsql and friends, but the biggest problem of that configuration was the fact that the username and password have to be known by the userland utilities to perform an authentication. Next to that, installing PostgreSQL libraries and allowing all the clients to connect directly to the database over a cleartext connection is simply insane. (Of course one can tunnel it through SSL etc... but yaddayadda...)

What it is (or at least aims to be):
  • Secure
  • Networked with IPv4 and IPv6 support
  • Centralized but with failover
  • Easy

What it isn't:
  • PAM replacement (though it could be made one if you really want).
The general idea: [diagram "The General idea" not reproduced here]

Copyright Information

The code for FUZZauth was written by Jeroen Massar <jeroen@unfix.org>
The CVS repository is at the SourceForge development networks located in the United States of America.
The copyright for this package is owned by Jeroen Massar <jeroen@unfix.org>
(C)2002-2005 Jeroen Massar <jeroen@unfix.org>
You should have found a copy of the GNU Public License in this archive, located in the 'doc' directory, and it is called LICENSE.

Where to get it

There is a nice mirror setup of websites located at:
http://unfix.org/projects/fuzzauth
and:
http://fuzzauth.sourceforge.net

Information can be found at the SourceForge Project page

Thanks must go out to SourceForge for such excellent development, bugtracking and distribution environment.
The unfix.org pages are mainly there for the integration in my projects section and they are used to create the site at sourceforge.
The latest tarball can be found here.

Compiling and installing

vi /etc/pam.d/ and add:
8<-----------------------------------------
auth sufficient pam_fuzzauth.so
account sufficient pam_fuzzauth.so
password sufficient pam_fuzzauth.so
session sufficient pam_fuzzauth.so
----------------------------------------->8
You will probably want to put these after stuff like nologin/env/lastlog/motd/mail etc... but before the 'required' entries of pam_unix. Note also that when the daemon doesn't run the module returns directly, so it should still be possible to log in to system accounts at any time. For password you should add:
8<---------
password sufficient pam_fuzzauth.so
--------->8
And add 'use_first_pass' for the other modules so they won't ask for a password again when the user isn't handled by fuzzauth.
/etc/nsswitch.conf is even easier:
8<-----------
passwd: compat fuzzauth
group: compat fuzzauth
----------->8
Which would do the trick. FUZZd is fully nscd compatible and it does save some db queries too ;) Of course don't forget to restart nscd when you have edited the config. The next step is to configure FUZZauth to use the correct authenticator plugin. Don't forget to configure the plugin too so it knows where to find its data.
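A complete PAM stack and the matching nsswitch lines, following the ordering described above (FUZZauth after nologin/env/lastlog/motd/mail, before the 'required' pam_unix entries, with use_first_pass so the user is not prompted twice). This is an added example, not a file shipped with FUZZauth; the service name 'login' and the non-FUZZauth module names are assumptions based on a typical Linux login stack.

```text
# /etc/pam.d/login  (assumed service file; assumed module set)
auth       requisite   pam_nologin.so
auth       required    pam_env.so
# FUZZauth first: success is sufficient, a failure (or a daemon that is
# not running) simply falls through to pam_unix below
auth       sufficient  pam_fuzzauth.so
# use_first_pass: reuse the password pam_fuzzauth already collected
auth       required    pam_unix.so use_first_pass

account    sufficient  pam_fuzzauth.so
account    required    pam_unix.so

password   sufficient  pam_fuzzauth.so
password   required    pam_unix.so use_first_pass

session    optional    pam_lastlog.so
session    optional    pam_motd.so
session    optional    pam_mail.so standard
session    sufficient  pam_fuzzauth.so
session    required    pam_unix.so

# /etc/nsswitch.conf  (only the lines FUZZauth needs; 'compat' is
# consulted first so local system accounts keep working)
passwd:    compat fuzzauth
group:     compat fuzzauth
```

Because every pam_fuzzauth line is 'sufficient' rather than 'required', local accounts in /etc/passwd remain usable when FUZZd is unreachable; check this fallback deliberately before relying on it.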

Compiling and installing php_fuzzauth.so

Change the PHP_SOURCE value in the Makefile and set it to the root of your PHP source tree. For Debian use apt-get source php4 and set it to the directory the tarball was unpacked into. Probably any version matching the ZEND_VERSION will do. Compile and install it into the correct directory, then add:
8<------------------------
extension=php_fuzzauth.so
------------------------>8
to php.ini (/etc/php4/apache/php.ini and /etc/php4/cgi/php.ini on Debian ;) Now restart your apache or call a php through the cgi edition and check phpinfo(), which should show the FUZZauth version; otherwise check your error logs for hints. Now all your php code can use:
bool fuzzauth_Authenticate(sUsername, sPassword)
bool fuzzauth_ChangePassword(sUsername, sPassword)
bool fuzzauth_UserExists(sUsername)
For example:
<?php
/* FUZZauth - http://unfix.org/projects/fuzzauth & http://fuzzauth.sourceforge.net
 * fuzzauth.php - Example FUZZauth functionality with PHP by Jeroen Massar <jeroen@unfix.org>
 */

$name = "fuzzel";
$old  = "currentpass";
$new  = "newpass";

if (fuzzauth_UserExists($name))
{
	echo "User found<br />";
	if (fuzzauth_Authenticate($name, $old))
	{
		echo "User authenticated correctly with old password<br />";
		if (fuzzauth_ChangePassword($name, $old, $new))
		{
			echo "Password changed successfully.<br />";
		}
		else echo "Changing password failed.<br />";
	}
	else echo "Authentication failure.<br />";
}
else echo "User doesn't exist.<br />";
?>

Interfaces

These are the interfaces used by the system:
  • libpam_fuzzauth (Pluggable Authentication Modules)
    Authentication & Password management.
  • libnss_fuzzauth (Name Service Switch)
    User & group listing, uid->name & name->uid, gid->groupname & groupname->gid.
  • telnet
    Telnet to the TCP/IP socket and you will understand it ;)
  • PHP plugin
    allows one to do "<?php fuzzauth_Authenticate($user, $password) ?>" etc... ;)

Packet Encryptors

xClient->m_Encryption
- compile time or library based...
Encryptors:
  • Plain (always; conversations, except unixsocket ones, start in this mode)
  • Packet
  • Packet/SSH
  • Packet/SSL

Extras

  • RRD logging of number of good/failed authentications, requests etc... could be quite fun and entertaining ;)
  • Localisation with gettext()? Not really much to localise now, is there...
  • Login time counting with session open/close ;)
  • DDoS protection: don't handle commands for some time and disconnect after X unknown commands; this also takes care of peeped clients.
  • SIGUSR1 dumps status somewhere; could also be implemented as a command of course.
  • Make the protocol an RFC ;)
Last Revision: Sun 22 Jun 2008 21:18:42 GMT ©1998-2008 Unfix