PAM authentication plugin


Starting from version 5.2.10, MariaDB includes a PAM authentication plugin. PAM is short for Pluggable Authentication Modules and is an authentication framework used by Linux, FreeBSD, Solaris, and other operating systems. Note that Windows does not use PAM, and because of that the PAM authentication plugin does not work on a Windows server. One can, however, use a Windows client to connect to a MariaDB server on Linux or Solaris, for example, that uses the PAM authentication plugin.

Installation

This plugin is not loaded by default; you need to install it with

MariaDB [test]> INSTALL PLUGIN pam SONAME 'auth_pam.so';

or by adding --plugin-load=auth_pam.so to the server's command line or to the [mysqld] section in your my.cnf file.

As for all other authentication plugins, to create a user in MariaDB that uses PAM authentication, you use

CREATE USER username@hostname IDENTIFIED VIA pam;

or, for example,

GRANT SELECT ON db.* TO serg IDENTIFIED VIA pam;

Optionally, you can specify a PAM service name, for example:

CREATE USER test_pam IDENTIFIED VIA pam USING 'mariadb_mtr';

This line (copied verbatim from our test suite) creates a user that needs to be authenticated via PAM, using the service name mariadb_mtr.

If no service name is specified, the plugin will use the default PAM service name "mysql".

PAM Configuration

The PAM plugin tells MariaDB to delegate authentication to the PAM subsystem. How exactly authentication is performed depends on how PAM is configured. Typically, the PAM configuration is found in /etc/pam.d/ or in /etc/pam.conf. The syntax of these configuration files is described in your OS manual, for example in man pam.d. A minimal example, the one we use in our test suite, is

auth            required        pam_mariadb_mtr.so pam_test
account         required        pam_mariadb_mtr.so

This needs to be put in /etc/pam.d/mariadb_mtr — the file name must match the name of the PAM service. This simple configuration file instructs the PAM subsystem that for authentication to succeed, the pam_mariadb_mtr.so module (our testing PAM module) must return success, and that for the account to be considered valid, the same module must again return success. You can find many other examples in your /etc/pam.d/ directory.
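As an added illustration (not code from MariaDB or from this page), the following Python parses the pam.d rule format shown above, derives the service file path from the USING clause (falling back to the default service name "mysql"), and reports whether both the auth and account stacks the plugin relies on are configured. The service name and file contents are the ones from this page; the function names are assumptions made here.

```python
import re
from dataclasses import dataclass

DEFAULT_SERVICE = "mysql"  # used when CREATE USER ... VIA pam has no USING clause


@dataclass
class PamRule:
    mtype: str      # auth, account, password or session
    control: str    # required, requisite, sufficient, optional, include, or [...]
    module: str     # module file or, for include/substack, another service name
    args: tuple     # module arguments


# type, control ("[...]" bracket form allowed), module, optional arguments
_RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_service(text):
    """Parse the lines of one /etc/pam.d/<service> file into PamRule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        mtype, control, module, rest = m.groups()
        rules.append(PamRule(mtype.lstrip("-").lower(), control, module, tuple(rest.split())))
    return rules


def service_file_for(using_clause=None):
    """Path PAM reads for a user created with IDENTIFIED VIA pam [USING 'name']."""
    return f"/etc/pam.d/{using_clause or DEFAULT_SERVICE}"


def missing_stacks(rules):
    """Return which of the auth (authentication) and account (account validity)
    stacks the file does not configure at all; the plugin checks both."""
    present = {r.mtype for r in rules}
    return sorted({"auth", "account"} - present)


# Constructed sample: the two lines of the test-suite configuration shown above.
MARIADB_MTR_CONF = """\
auth            required        pam_mariadb_mtr.so pam_test
account         required        pam_mariadb_mtr.so
"""
```

A file that configures only an auth stack is reported as missing "account", which is the case to watch for when copying a service file that was written for a different program.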

Dialog plugin

PAM authentication uses the dialog client plugin to communicate with the user. This allows MariaDB to support arbitrarily complex PAM configurations with regular or one-time passwords, challenge-response, multiple questions, or just about anything else. There is no need to install or enable anything — the dialog plugin is loaded by the client library, completely automatically and transparently for the application.

User name mapping

Although PAM modules usually do not do that, PAM may change the user name in the process of authentication. For example, according to the PAM specification, one may start authenticating as John and end up being authenticated as Jim.

The MariaDB PAM authentication plugin fully supports this — the original user name is returned by the SQL function USER(), while the authenticated user name is returned by the SQL function CURRENT_USER(), and it is the latter that determines what privileges the connected user has.
