Heiko Wundram
Hi all!
I've tagged PyAuthD beta 3 today. This release marks a milestone, as PyAuthD
has superseded PyPAM and PyNSS (the precursors, which were not implemented on a
client/server model and are private to my univ) on the mail server which
hosts our university's student email accounts.
I'm able to release a demo server along with the actual modules (and
an !untested! Postfix patch to enable PyAuthD to serve Postfix maps) under an
adapted BSD license.
What is PyAuthD?
----------------
A client/server implementation of a Python authentication daemon. The
initiative to implement a Python authentication daemon came from the fact
that MS SQL Server is used as the backend server for our univ's HIS
(Hochschul-Informations-System, university information system), and there are
no proper PAM and NSS modules which can access MS SQL Server (as far as I
found).
Looking at the winbind sources (of the Samba project), taking the step to
implement short and concise C modules which access a Python daemon that does
the actual handling wasn't far-fetched.
Currently, PyAuthD offers:
1) PAM authentication
2) NSS handling by dispatching to the server process on the get(pw/sp/gr)*
functions, which avoids reentrancy issues
3) PPPd authentication, which requires the authentication daemon to hand out
clear-text passwords over the socket
4) Untested Postfix map implementation
This allows unprecedented abilities for authentication purposes by being able
to program authentication logic in a high-level language under a single
unified structure.
What is it not?
---------------
A "round" system. PyAuthD is a system that "works for me and my univ" (TM),
and as such I'm just releasing it (minus the actual authentication part we
use) for all people out there who want to hack on it just as I do.
On the other hand, I don't think that creating a single infrastructure is
sensible at all, and as such I won't spend much time creating any more means to
access and compile it than I currently do.
If you feel you want to create a distribution or add autoconf/automake
handling and are willing to spend the time, feel free to contact me!
What about security?
--------------------
Currently PyAuthD will run under standard Python. "Standard Python" does not
offer security features which enable it to work reliably in a
multiuser environment (as there is a requirement that all users can connect
to it), as Python does not clear memory on releasing it, which makes several
attacks possible in case users have login shells on the server.
Furthermore, Linux offers the possibility to retrieve information about the
process connecting to a Unix domain socket, but this functionality is not
exposed in standard Python.
All this has led to the spin-off of a further project, also hosted along with
PyAuthD, called SEPython, which aims at improving this situation. SEPython is
currently based on standard Python 2.4.1, and has implemented the necessary
recvmsg and sendmsg calls for retrieving process/user information from a Unix
domain socket.
SEPython hasn't implemented clearing of memory yet.
As we don't offer user login shells on the mail server which uses PyAuthD, we
currently don't spend time on SEPython, but this situation will change when
the mail server has been fully migrated to the new infrastructure.
If there's interest, I'll package my patches on SEPython for inclusion in the
standard Python tree, but I don't think that platform-dependent patches like
sendmsg/recvmsg will ever make it into the official tree.
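The peer-credential check described above, as an added example that is not PyAuthD's or SEPython's code: Python 3 on Linux exposes the connecting process's pid/uid/gid through the SO_PEERCRED socket option, so an authentication daemon can gate the operation that hands out clear-text passwords (the PPPd case) on the caller's uid. The operation names and the trusted-uid policy are hypothetical.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid; (three 32-bit fields)
_UCRED_FMT = "iII"

# Hypothetical operation classes for a PyAuthD-style daemon.
PRIVILEGED_OPS = {"getpass"}          # returns clear-text passwords (PPPd)
PUBLIC_OPS = {"verify", "getpwnam"}   # PAM-style check, NSS lookup


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a
    connected AF_UNIX socket, read via SO_PEERCRED (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def authorize(conn, op, trusted_uids=(0,)):
    """Decide whether the peer on `conn` may issue `op`.
    Public operations are open to every local user; privileged ones
    require the kernel-reported peer uid to be in `trusted_uids`."""
    _pid, uid, _gid = peer_credentials(conn)
    if op in PUBLIC_OPS:
        return True
    if op in PRIVILEGED_OPS:
        return uid in trusted_uids
    return False  # unknown operation: deny by default


def demo():
    # A socketpair gives two connected AF_UNIX ends inside this process,
    # so the "peer" is ourselves; a real daemon would accept() a client.
    srv, cli = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, uid, _gid = peer_credentials(srv)
        return {
            "peer_uid_matches": uid == os.getuid(),
            "peer_pid_matches": pid == os.getpid(),
            "verify_allowed": authorize(srv, "verify"),
            "getpass_allowed_if_trusted": authorize(srv, "getpass",
                                                    trusted_uids=(uid,)),
            "getpass_denied_if_untrusted": not authorize(srv, "getpass",
                                                         trusted_uids=()),
            "unknown_denied": not authorize(srv, "frobnicate"),
        }
    finally:
        srv.close()
        cli.close()
```

Because the credentials come from the kernel rather than from anything the client sends, a local user with a login shell cannot claim another uid over the socket.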
ChangeLog
---------
Please look at the commit log since tag beta-2.
Download
--------
Access using Subversion:
svn co http://svn.asta.mh-hannover.de/svn/repos/PyAuthD/tags/beta-3 PyAuthD
or ViewCVS:
http://svn.asta.mh-hannover.de/viewcvs/PyAuthD/tags/beta-3/
License
-------
PyAuthD as in Subversion is released under an adapted BSD license, except the
Postfix module, which is released under the Postfix Secure Mailer license.
Contact
-------
Heiko Wundram <[email protected]>
or
Heiko Wundram <[email protected]>
--
--- Heiko.
listening to: De/Vision - Miss You More
see you at: http://www.stud.mh-hannover.de/~hwundram/wordpress/