Use PAM for MySQL auth? (I.e., password-less MySQL access?)
I've been told that each of your MySQL users (esp. root) should have a password. This of course makes sense because anyone can /claim/ to be a particular user ("mysql -u root", for example) and therefore the password is the only way to be sure.
But is it possible to tie MySQL authentication into PAM's system-based authentication capabilities, so that one could only log-in as a certain MySQL user if he had already logged in as a system user of the same name?
I think it is really lame that, after logging in as the root user on my server, I have to provide another password when using mysql/mysqldump commands. Esp. inconvenient for scripting purposes, because I either need to retrieve the password from a config file, or run the scripts manually.
My google research only pulls up articles about using MySQL databases to help with PAM authentication, which is almost the opposite of what I want.
What you think can be achieved is not what PAM does. User accounts in relational databases are just about always separate. Separate on Oracle, separate on mssql etc... This is *NOT* mysql being "lame". When these databases are scaled up it's often the case that the sysadmin is not the dba, and there is no reason whatsoever for the sysadmin to need to get into the data in the database, so you would have separate accounts and abstraction of the services there.
I don't know how it matters for scripting, just read it from a file. If that file is only readable by the user account you wish to perform the action as then you do actually have that model you want anyway, just without the need to do anything interesting. Your sql password might be in a file, but that's fine as in order to read it you'd need to become that user, and that eventuality would mean that in your world the same attacker could then log in without any credentials at all. So it's more secure, albeit potentially via obscurity.
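The "password in a file only that user can read" model described in the reply above, as an added example that is not part of the thread. It relies on the MySQL client's real `--defaults-extra-file` option, which reads a `[client]` option group from a file, so the password never appears on the command line or in `ps` output. The script refuses to use the file unless it is owned by the invoking user and unreadable by group and others, which is the property the reply depends on. The file path, database name and option-file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: credentials for mysqldump kept in an option file that only
# the invoking user can read. File names and contents are constructed.

# cred_file_ok FILE
# Succeeds only if FILE is a regular file owned by the invoking user with
# mode 0600 or 0400 (no group/other bits). Anything looser exposes the
# password to more than the one account it stands in for, so refuse it.
# A symlink is rejected too, because find tests the link's own mode.
cred_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # POSIX find: a bare octal -perm mode is an exact match; -user accepts a
    # name or numeric uid, so this works for accounts without a passwd entry.
    match=$(find "$f" -user "$(id -un)" \( -perm 600 -o -perm 400 \) -print 2>/dev/null)
    [ -n "$match" ]
}

# dump_cmd FILE DB
# Prints the mysqldump command line a backup script would run, after the
# permission check. --defaults-extra-file is read in addition to the usual
# my.cnf files, so the password stays in FILE, not on the command line.
# The option file itself would contain:
#   [client]
#   user=backup
#   password=<secret>
dump_cmd() {
    f=$1
    db=$2
    cred_file_ok "$f" || {
        echo "refusing to use $f: must be owned by $(id -un) with mode 0600" >&2
        return 1
    }
    printf 'mysqldump --defaults-extra-file=%s %s\n' "$f" "$db"
}

# Stand-alone usage: sh thisfile /root/.my-backup.cnf mydb  (path constructed)
if [ $# -eq 2 ]; then
    dump_cmd "$1" "$2"
fi
```

The check matters most in cron jobs: a backup script that inherits a world-readable option file silently leaks the password to every local account, so failing closed on loose permissions is the cheap part of keeping the reply's "you'd need to become that user" argument true.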
Thanks for the link. It is nice to know that mysql 5.5 does incorporate authentication plugins, though unfortunately all my servers are running 5.1. It seems that in Gentoo at least the mysql 5.5 packages are masked out as alpha and experimental. I'll have to do some more research and find out how dangerous the upgrade process is.
I would urge you to appreciate that that is really new functionality. It's not the normal way things are done and whilst I make it a point to question just about everything I come across in IT, things are generally done the way they are done for good reasons, and fighting against it can put you in a much worse position.
In Oracle, there is (or used to be) the OPS$<account> option, that linked your Oracle acct to your system acct, thus achieving what the OP asked for.
Given that Oracle bought the InnoDB engine a while back, and now 'owns' MySQL, I'm not surprised that this sort of functionality is becoming available.