Configuring PAM Authentication and User Mapping with Unix Authentication
In this article, we will walk through the configuration of PAM authentication using the PAM authentication plugin and user and group mapping with the pam_user_map
PAM module. The primary authentication will be handled by the pam_unix
PAM module, which standard Unix password authentication.
Contents
- Hypothetical Requirements
- Creating Our Unix Users and Groups
- Installing the pam_user_map PAM Module
- Configuring the pam_user_map PAM Module
- Installing the PAM Authentication Plugin
- Configuring the PAM Service
- Configuring the pam_unix PAM Module
- Configuring SELinux
- Creating MariaDB Users
- Testing our Configuration
Hypothetical Requirements
In this walkthrough, we are going to assume the following hypothetical requirements:
- The PAM user
foo
should be mapped to the MariaDB userbar
. (foo: bar
) - Any PAM user in the PAM group
dba
should be mapped to the MariaDB userdba
. (@dba: dba
)
Creating Our Unix Users and Groups
Let's go ahead and create the Unix users and groups that we are using for this hypothetical scenario.
First, let's create the the foo
user and a couple users to go into the dba
group. Note that each of these users needs a password.
sudo useradd foo sudo passwd foo sudo useradd alice sudo passwd alice sudo useradd bob sudo passwd bob
And then let's create our dba
group and add our two users to it:
sudo groupadd dba sudo usermod -a -G dba alice sudo usermod -a -G dba bob
We also need to create PAM users with the same name as the bar
and dba
MariaDB users. See here to read more about why. No one will be logging in as these users, so they do not need passwords.
sudo useradd bar sudo useradd dba -g dba
Installing the pam_user_map PAM Module
Next, let's install the pam_user_map PAM module.
On RHEL/CentOS, we need to install gcc
and pam-devel
:
sudo yum install gcc pam-devel
And then we can build and install the library with the following:
wget https://raw.githubusercontent.com/MariaDB/server/10.4/plugin/auth_pam/mapper/pam_user_map.c gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so sudo install --mode=0755 pam_user_map.so /lib64/security/
Configuring the pam_user_map PAM Module
Next, let's configure the pam_user_map PAM module based on our hypothetical requirements.
The configuration file for the pam_user_map
PAM module is /etc/security/user_map.conf
. Based on our hypothetical requirements, ours would look like:
foo: bar @dba:dba
Installing the PAM Authentication Plugin
Next, let's install the PAM authentication plugin.
Log into the MariaDB Server and execute the following:
INSTALL PLUGIN pam SONAME 'auth_pam';
Configuring the PAM Service
Next, let's configure the PAM service. We will call our service mariadb
, so our PAM service configuration file will be located at /etc/pam.d/mariadb
on most systems.
Since we are only doing Unix authentication with the pam_unix
PAM module and group mapping with the pam_user_map
PAM module, our configuration file would look like this:
auth required pam_unix.so audit auth required pam_user_map.so account required pam_unix.so audit
Configuring the pam_unix PAM Module
The pam_unix
PAM module adds some additional configuration steps on a lot of systems. We basically have to give the user that runs mysqld
access to /etc/shadow
.
If the mysql
user is running mysqld
, then we can do that by executing the following:
sudo groupadd shadow sudo usermod -a -G shadow mysql sudo chown root:shadow /etc/shadow sudo chmod g+r /etc/shadow
The server needs to be restarted for this change to take affect.
Configuring SELinux
If SELinux is enabled on a system, then we also have to disable it. This is usually done by modifying /etc/selinux/config
and then rebooting.
Creating MariaDB Users
Next, let's create the MariaDB users. Remember that our PAM service is called mariadb
.
Next, let's create the MariaDB users for the user mapping: foo: bar
That means that we need to create a bar
user that authenticates with PAM:
CREATE USER 'bar'@'%' IDENTIFIED VIA pam USING 'mariadb';
And then let's create the MariaDB users for the group mapping: @dba: dba
That means that we need to create a dba
user:
CREATE USER 'dba'@'%' ;
And we need to create an anonymous user that is able to PROXY
as the dba
user. Before we can create the proxy user, we might need to clean up some defaults:
DELETE FROM mysql.db WHERE User='' AND Host='%'; FLUSH PRIVILEGES;
And then let's create the anonymous proxy user:
CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mariadb'; GRANT PROXY ON 'dba'@'%' TO ''@'%';
Testing our Configuration
Next, let's test out our configuration.
First, let's test out our foo: bar
user mapping: