MySQL and Percona PAM Authentication with Kerberos

In an ongoing project, I have an environment where users will be authenticating directly with the database.

I did not want to manage the users in the database, as there are too many and password management isn’t something I want to be responsible for.

Fortunately, I have a RHEL (Red Hat Enterprise Linux) 7 environment that relies on kerberos for authentication for user accounts. I thought integrating the Percona PAM plugin with it would be relatively easy… oh, how wrong I was.

There is a package requirement:

yum install pam_krb5.x86_64

Make sure you do a authconfig update after installing the package.

First, we need to make sure kerberos is working correctly:

kinit username

Once you’ve successfully entered your password, you should be able to check the ticket with klist.

If you’ve gotten this far, then the rest is relatively easy.

Create the file /etc/pam.d/mysqld and edit it so this is all it contains:

auth required
account required

Adjust the perms if necessary:

-rw-r--r--    1 root root   56 Feb  1 14:36 mysqld

Now in mysql, we install our plugin and create our first user (must be the exact same as used in kinit above):

INSTALL PLUGIN auth_pam_compat SONAME '';
CREATE USER 'fflintstone'@'localhost' IDENTIFIED WITH auth_pam_compat AS 'mysqld'

Now your user should be able to login:

mysql --enable-cleartext-plugin -u fflintstone -p

If you have problems, you can debug it by adding the debug directive to krb5.conf:

  pam = {
   forwardable = true
   validate = true
   debug = true

With debugging turned on, you now see mysql connection attempts in /var/log/secure.

I’m having a difficult time finding clients that support this without the cleartext, so I recommend implementing SSL if you haven’t already.

~ by ityndall on February 5, 2016.

Leave a Reply