MySQL and Percona PAM Authentication with Kerberos

In an ongoing project, I have an environment where users will be authenticating directly with the database.

I did not want to manage the users in the database, as there are too many and password management isn’t something I want to be responsible for.

Fortunately, I have a RHEL (Red Hat Enterprise Linux) 7 environment that relies on kerberos for authentication for user accounts. I thought integrating the Percona PAM plugin with it would be relatively easy… oh, how wrong I was.

There is a package requirement:

yum install pam_krb5.x86_64

Make sure you run an authconfig update after installing the package.

First, we need to make sure Kerberos is working correctly by requesting a ticket:

kinit username

Once you’ve successfully entered your password, you should be able to check the ticket with klist.

If you’ve gotten this far, then the rest is relatively easy.

Create the file /etc/pam.d/mysqld and edit it so this is all it contains:

auth required pam_krb5.so
account required pam_krb5.so

Adjust the perms if necessary:

-rw-r--r--    1 root root   56 Feb  1 14:36 mysqld

Now in mysql, we install our plugin and create our first user (the username must exactly match the one used with kinit above):

INSTALL PLUGIN auth_pam_compat SONAME 'auth_pam_compat.so';
CREATE USER 'fflintstone'@'localhost' IDENTIFIED WITH auth_pam_compat AS 'mysqld';

Now your user should be able to log in (the cleartext plugin must be enabled on the client so the password can reach PAM):

mysql --enable-cleartext-plugin -u fflintstone -p
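The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that writes and verifies the /etc/pam.d/mysqld stack, checks that the pam_krb5 module is installed and that the current user holds a Kerberos ticket (klist -s), and builds the CREATE USER statement for a username that matches the kinit principal. The function names, the module search directories and the "run" argument are my own choices; the PAM file content, the 0644 permissions and the SQL are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# MySQL/Percona PAM + Kerberos setup described above. Defaults are the
# RHEL 7 paths named in the post; every function takes paths as arguments
# so it can be exercised against a scratch directory.

PAM_EXPECTED='auth required pam_krb5.so
account required pam_krb5.so'

# write_pam_service FILE
# Writes the two-line PAM stack for the mysqld service and sets mode 0644
# (the -rw-r--r-- shown in the post).
write_pam_service() {
    printf '%s\n' 'auth required pam_krb5.so' 'account required pam_krb5.so' > "$1" \
        && chmod 0644 "$1"
}

# check_pam_service FILE
# Returns 0 when FILE holds exactly the expected two directives (comments and
# blank lines ignored, whitespace normalised) and is not writable by group or
# other; prints the reason and returns 1 otherwise.
check_pam_service() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    got=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f" \
          | tr -s '[:blank:]' ' ' | sed -e 's/^ //' -e 's/ $//')
    [ "$got" = "$PAM_EXPECTED" ] || { echo "unexpected PAM stack in $f"; return 1; }
    # chars 6 and 9 of the ls mode string are the group and other write bits
    perms=$(ls -l "$f" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) echo "$f is group/world writable ($perms)"; return 1 ;;
    esac
    return 0
}

# check_pam_module [DIR...]
# Returns 0 when pam_krb5.so (from the pam_krb5 package) exists in one of the
# directories given (default: the RHEL 7 PAM module directories).
check_pam_module() {
    [ $# -gt 0 ] || set -- /lib64/security /lib/security
    for d in "$@"; do
        [ -f "$d/pam_krb5.so" ] && return 0
    done
    echo "pam_krb5.so not found (yum install pam_krb5 and run authconfig --update)"
    return 1
}

# check_ticket
# Returns 0 when the current user holds a valid Kerberos ticket, i.e. the
# kinit step above succeeded. klist -s exits non-zero when no ticket is cached.
check_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed"; return 1; }
    klist -s || { echo "no valid Kerberos ticket; run kinit <username>"; return 1; }
}

# create_user_sql USERNAME [HOST]
# Prints the CREATE USER statement from the post for USERNAME, after checking
# that the name is a plain principal name (letters, digits, . _ -) so it can be
# embedded in the SQL string literal safely. USERNAME must match the kinit name.
create_user_sql() {
    name="$1"; host="${2:-localhost}"
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing to build SQL for username: $name" >&2; return 1 ;;
    esac
    printf "CREATE USER '%s'@'%s' IDENTIFIED WITH auth_pam_compat AS 'mysqld';\n" "$name" "$host"
}

# Run the checks against the live system: ./pamcheck.sh run [username]
if [ "${1:-}" = "run" ]; then
    check_pam_module && check_pam_service /etc/pam.d/mysqld && check_ticket \
        && create_user_sql "${2:-$(id -un)}"
fi
```

The permission check is there because PAM reads this file as root: a group- or world-writable service file would let a local user rewrite the stack that decides who may log in to MySQL, so the script refuses anything looser than the 0644 shown above.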

If you have problems, you can debug it by adding the debug directive to the pam section of [appdefaults] in krb5.conf:

[appdefaults]
  pam = {
   forwardable = true
   validate = true
   debug = true
  }

With debugging turned on, you now see mysql connection attempts in /var/log/secure.

I’m having a difficult time finding clients that support this without the cleartext, so I recommend implementing SSL if you haven’t already.

~ by ityndall on February 5, 2016.
