Ron Peterson

From time to time, I do some work that requires I write some documentation. This is for my own benefit as well as that of my colleagues, because odds are, given a bit of time, I myself won't recall exactly what I did. Sometimes the work I do may have utility outside of MHC, in which case I've taken a shine to publishing my documentation in Linux Gazette. It's work I have to do anyway, and by doing so, someone else might benefit from the work I did. It's been a while since I did this, but I just published an article on using RSyslog to log to PostgreSQL. If nothing else, this will make it easier for me to find my own documentation when I need it.

I've been whiling away the evening hours writing a set of cryptography functions for PostgreSQL. First in importance, but the last thing I wrote, is a cryptographically strong pseudorandom number generator. I chose to implement the Blum Blum Shub algorithm. My attraction to this algorithm lies in the fact that it is supported by a security proof very similar to that behind the RSA PKCS #1 v2.1 standard, which relates to the difficulty of factoring large integers. This algorithm has been subjected to lengthy and intense scrutiny, and has withstood the test of time. This code is available to use under the terms of the GNU Affero GPL v3.0.
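As an added illustration of the algorithm described above (this is my own example, not Ron Peterson's PostgreSQL functions), here is a small pure-Python Blum Blum Shub generator. The primes p = 11, q = 23 and seed s = 3 are constructed toy values chosen so the state sequence can be followed by hand; a real generator uses primes of hundreds of digits. The `jump_ahead` method shows the property that ties the generator's security to factoring: whoever knows p and q can compute any state x_i directly from x_0, so the modulus's factorization must stay secret.

```python
"""Blum Blum Shub: x_0 = s^2 mod M, x_{i+1} = x_i^2 mod M, M = p*q,
output the least significant bit of each state.
Added example with constructed toy parameters, not the original page's code."""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; fine for the small constructed primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_blum_prime(n: int) -> bool:
    """BBS requires p, q congruent to 3 mod 4, so that squaring permutes
    the quadratic residues modulo M and the sequence has a long period."""
    return is_prime(n) and n % 4 == 3


class BlumBlumShub:
    def __init__(self, p: int, q: int, seed: int):
        if p == q or not (is_blum_prime(p) and is_blum_prime(q)):
            raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
        self.m = p * q
        # Carmichael lambda(M) = lcm(p-1, q-1); only computable from p and q.
        self._lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        if seed < 2 or gcd(seed, self.m) != 1:
            raise ValueError("seed must be > 1 and coprime to M")
        self.x0 = seed * seed % self.m      # x_0 = s^2 mod M
        self.state = self.x0

    def next_bit(self) -> int:
        """Advance one step and return the low bit of the new state."""
        self.state = self.state * self.state % self.m
        return self.state & 1

    def random_bits(self, n: int) -> int:
        """Assemble n successive output bits into an integer, MSB first."""
        v = 0
        for _ in range(n):
            v = (v << 1) | self.next_bit()
        return v

    def jump_ahead(self, i: int) -> int:
        """Compute x_i directly: x_i = x_0^(2^i mod lambda(M)) mod M.
        This shortcut needs lambda(M), i.e. the factorization of M, which is
        exactly what an attacker without p and q is assumed unable to obtain."""
        return pow(self.x0, pow(2, i, self._lam), self.m)


def walkthrough(p: int = 11, q: int = 23, seed: int = 3, n: int = 8):
    """Return (states, bits) for the first n steps of the toy generator."""
    g = BlumBlumShub(p, q, seed)
    states, bits = [], []
    for _ in range(n):
        bits.append(g.next_bit())
        states.append(g.state)
    return states, bits


if __name__ == "__main__":
    states, bits = walkthrough()
    print("states:", states)  # [81, 236, 36, 31, 202, 71, 234, 108]
    print("bits:  ", bits)    # [1, 0, 0, 1, 0, 1, 0, 0]
```

With M = 253 the sequence repeats quickly, which is why this is a walkthrough and not a generator to use: the period and the security both come from the size of p and q. The other practical caveat is speed, since every output bit costs a modular squaring of a large number; that cost, rather than any weakness in the proof, is what usually keeps BBS out of general-purpose use.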

I uploaded a project named PAM Password Escrow to Sourceforge the other night that I've been working on in the evenings over the last few weeks. There are two parts. A Linux-PAM auth module captures login credentials entered earlier in the auth stack. This module then feeds a PostgreSQL database, which uses a pgp/gpg function from the pgcrypto contrib module to save an encrypted version of the password alongside the username. The username/password pair is only saved if it is different from the last pair seen. Recovering the password requires that you have access to the gpg private key, and that you also know the associated passphrase.

The purpose of this application is to enable you to migrate credentials from one system to another. You could add this to the IMAP PAM stack for a while, say, and after you feel you've collected credentials for a large enough percentage of your user base, you could push the credentials into a new system.