ANN: PyAuthD - beta 3

Heiko Wundram modelnine at ceosg.de
Wed Jun 1 03:03:00 CEST 2005


Hi all!

I've tagged PyAuthD beta 3 today. This release marks a milestone, as PyAuthD 
has superseded PyPAM and PyNSS (the precursors, not implemented on a 
client/server model, which are private to my univ) on the mail server which 
hosts our university's student email accounts.

I'm able to release a demo server along with the actual modules (and 
an !untested! Postfix patch to enable PyAuthD to serve Postfix maps) under an 
adapted BSD license.

What is PyAuthD?
----------------

A client/server implementation of a Python authentication daemon. The 
initiative to implement a Python authentication daemon came from the fact 
that MS SQL Server is used as the backend server for our univ's HIS 
(Hochschul-Informations-System, university information system), and there are 
no proper PAM and NSS modules which can access MS SQL Server (as far as I 
could find).

After looking at the winbind sources (of the Samba project), taking the step to 
implement short and concise C modules which talk to a Python daemon that does 
the actual handling wasn't very far-fetched.

Currently, PyAuthD offers:

1) PAM authentication
2) NSS handling by dispatching to the server process on get(pw/sp/gr)* 
functions, which sidesteps reentrancy issues
3) PPPd authentication which requires the authentication daemon to hand out 
clear-text passwords over the socket
4) Untested Postfix map implementation

This allows unprecedented abilities for authentication purposes by being able 
to program authentication logic in a high-level language under a single 
unified structure.

What is it not?
---------------

A "well-rounded" system. PyAuthD is a system that "works for me and my univ" (TM), 
and as such I'm just releasing it (minus the actual authentication part we 
use) for all people out there who want to hack on it just as I do.

On the other hand, I don't think that creating a single infrastructure is 
sensible at all, and as such I won't spend much more time creating means to 
access and compile it than I currently do.

If you feel you want to create a distribution or add autoconf/automake 
handling and are willing to spend the time, feel free to contact me!

What about security?
--------------------

Currently PyAuthD will run under standard Python. "Standard Python" does not 
offer security features which enable it to work reliably in a 
multiuser environment (as there is a requirement that all users can connect 
to it): Python does not clear memory on releasing it, which makes several 
attacks possible in case users have login shells on the server.

Furthermore, Linux offers the possibility to access process information about 
the connecting process of a Unix domain socket, but this functionality is not 
exposed in standard Python.

All this has led to the spin-off of a further project, also hosted along with 
PyAuthD, called SEPython, which aims at improving this situation. SEPython is 
currently based on standard Python 2.4.1, and has implemented the necessary 
recvmsg and sendmsg calls for retrieving process/user information from a Unix 
domain socket.

SEPython hasn't implemented clearing of memory yet.

As we don't offer user login shells on the mail server which uses PyAuthD, we 
currently don't spend time on SEPython, but this situation will change when 
the mail server has been fully migrated to the new infrastructure.

If there's interest I'll package my patches on SEPython for inclusion in the 
standard Python tree, but I don't think that platform-dependent patches like 
sendmsg/recvmsg will ever make it into the official tree.

ChangeLog
---------

Please look at the commit log since tag beta-2.

Download
--------

Access using Subversion:

svn co http://svn.asta.mh-hannover.de/svn/repos/PyAuthD/tags/beta-3 PyAuthD

or ViewCVS:

http://svn.asta.mh-hannover.de/viewcvs/PyAuthD/tags/beta-3/

License
-------

PyAuthD as in Subversion is released under an adapted BSD license, except the 
Postfix module, which is released under the Postfix Secure Mailer license.

Contact
-------

Heiko Wundram <modelnine at ceosg.de>
or
Heiko Wundram <modelnine at stud.asta.mh-hannover.de>

-- 
--- Heiko.
listening to: De/Vision - Miss You More
  see you at: http://www.stud.mh-hannover.de/~hwundram/wordpress/
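The security section above describes the Linux facility that SEPython had to patch into Python 2.4: reading the identity of the process on the other end of a Unix domain socket via recvmsg/sendmsg. The following is an added example, not code from PyAuthD or SEPython, showing what an auth daemon does with that information once the interpreter exposes it. It assumes Python 3 on Linux, where socket.SO_PEERCRED, SO_PASSCRED, SCM_CREDENTIALS, sendmsg and recvmsg are all built in; the request names getpwnam/getpass are a hypothetical wire format for illustration, not PyAuthD's protocol. The point it demonstrates is the one the post raises for the PPPd case: a daemon that hands out clear-text passwords over a socket every local user can connect to must check the kernel-reported peer uid before answering, and must fail closed when it cannot.

```python
"""Added example (not PyAuthD/SEPython code): peer identity on an AF_UNIX socket.

Two kernel-backed paths exist on Linux (assumed platform):
  * SO_PEERCRED     - getsockopt() on a connected socket: pid/uid/gid of the
                      peer as of connect()/socketpair() time.
  * SCM_CREDENTIALS - per-message ancillary data returned by recvmsg() once the
                      receiver sets SO_PASSCRED; the kernel fills it in itself
                      and rejects forged values from unprivileged senders.
The getpwnam/getpass requests are a hypothetical protocol, not PyAuthD's.
"""
import os
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; }  -- three native 32-bit ints
UCRED_FMT = "3i"
UCRED_LEN = struct.calcsize(UCRED_FMT)


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket,
    or None where the platform has no SO_PEERCRED (macOS, the BSDs)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED_LEN)
    return struct.unpack(UCRED_FMT, raw)


def recv_with_credentials(conn, bufsize=4096):
    """recvmsg() one message plus the SCM_CREDENTIALS the kernel attached.
    The caller must have set SO_PASSCRED on `conn`. Returns (payload, creds)."""
    msg, ancdata, _flags, _addr = conn.recvmsg(bufsize, socket.CMSG_SPACE(UCRED_LEN))
    creds = None
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            creds = struct.unpack(UCRED_FMT, data[:UCRED_LEN])
    return msg, creds


def handle_request(conn, request):
    """Serve a request only if the kernel-reported peer identity permits it.
    Public NSS data goes to any local user; a clear-text password (the pppd
    case in the post) only to root, and never when the peer cannot be
    identified (fail closed)."""
    op, _, arg = request.partition(b" ")
    if op == b"getpwnam":
        return b"OK " + arg            # stand-in for a real passwd lookup
    if op == b"getpass":
        creds = peer_credentials(conn)
        if creds is None:
            return b"ERR cannot verify peer identity"
        _pid, uid, _gid = creds
        if uid != 0:
            return b"ERR peer uid %d is not root" % uid
        return b"OK <clear-text password for " + arg + b">"
    return b"ERR unknown request"


def demo():
    """Exercise both paths over a constructed AF_UNIX socketpair (an in-process
    stand-in for a client connecting to the daemon's listening socket)."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        result = {"uid": os.getuid(), "peercred": peer_credentials(server)}
        if hasattr(socket, "SO_PASSCRED"):
            server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
            # The client attaches its own ucred; the kernel verifies it is genuine.
            ucred = struct.pack(UCRED_FMT, os.getpid(), os.getuid(), os.getgid())
            client.sendmsg([b"getpass alice"],
                           [(socket.SOL_SOCKET, socket.SCM_CREDENTIALS, ucred)])
            payload, result["msg_creds"] = recv_with_credentials(server)
        else:
            payload, result["msg_creds"] = b"getpass alice", None
        result["reply"] = handle_request(server, payload)
        result["pub_reply"] = handle_request(server, b"getpwnam alice")
    finally:
        server.close()
        client.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Run as an ordinary user, the getpass request is refused with the caller's real uid in the error; run as root it is answered. SO_PEERCRED is the cheaper check for a connection-oriented daemon, since it is read once per connection; SCM_CREDENTIALS is what the post's recvmsg/sendmsg patch corresponds to and also works per message on datagram sockets.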