LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-02-2011, 01:19 AM   #1
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467
Blog Entries: 60

Use PAM for MySQL auth? (I.e., password-less MySQL access?)


I've been told that each of your MySQL users (esp. root) should have a password. This of course makes sense because anyone can /claim/ to be a particular user ("mysql -u root", for example) and therefore the password is the only way to be sure.

But is it possible to tie MySQL authentication into PAM's system-based authentication capabilities, so that one could only log-in as a certain MySQL user if he had already logged in as a system user of the same name?

I think it is really lame that, after logging in as the root user on my server, I have to provide another password when using mysql/mysqldump commands. Esp. inconvenient for scripting purposes, because I either need to retrieve the password from a config file, or run the scripts manually.

My google research only pulls up articles about using MySQL databases to help with PAM authentication, which is almost the opposite of what I want.
 
Old 04-02-2011, 02:08 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

What you think can be achieved is not what PAM does. User accounts in relational databases are just about always separate. Separate on Oracle, separate on mssql etc... This is *NOT* mysql being "lame". When these databases are scaled up it's often the case that the sysadmin is not the dba, and there is no reason whatsoever for the sysadmin to need to get into the data in the database, so you would have separate accounts and abstraction of the services there.

I don't see how it matters for scripting, just read it from a file. If that file is only readable by the user account you wish to perform the action as then you do actually have that model you want anyway, just without the need to do anything interesting. Your sql password might be in a file, but that's fine as in order to read it you'd need to become that user, and that eventuality would mean that in your world the same attacker could then log in without any credentials at all. So it's more secure, albeit potentially via obscurity.

All that said, there are mechanisms for external authentication on mysql if you check the documentation. http://blogs.oracle.com/mysql_joro/2...ate_users.html
 
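The file-based model acid_kewpie describes in the post above, as an added example that is not part of the thread: a POSIX shell helper that writes a MySQL client option file readable only by the acting user, plus the permission check a backup script should make before trusting such a file. The path, user name and password are constructed sample values, and the `stat -c` format flags are GNU coreutils (BSD stat uses different options).

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the "secret in a
# file only that user can read" model: the option file is created under
# umask 077, and a script refuses to use it if group/other can read it.

# write_mysql_cnf PATH USER PASSWORD
# Creates a [client] option file with mode 0600 (values are constructed
# sample inputs in the test below).
write_mysql_cnf() {
    rm -f "$1"      # umask only governs newly created files, so start fresh
    ( umask 077 && printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
}

# check_cnf_perms PATH
# Returns 0 only if PATH is a regular file, owned by the calling user, with
# no group or other permission bits set. This is the property that makes
# the model hold: reading the password already requires being that user.
check_cnf_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1    # octal mode, e.g. 600 (GNU stat)
    owner=$(stat -c '%u' "$f") || return 1   # numeric uid of the owner
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# Typical use in a backup script, once the check passes:
#   check_cnf_perms "$HOME/.backup.cnf" || exit 1
#   mysqldump --defaults-extra-file="$HOME/.backup.cnf" somedb > somedb.sql
```

With the option file in place, `mysqldump --defaults-extra-file=...` reads the credentials itself and no password appears on the command line or in the process list; the check is what turns "the password is in a file" into the model the post describes, by refusing a file that anyone other than the owner could read.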
Old 04-02-2011, 09:32 AM   #3
hydraMax
Member
 
Registered: Jul 2010
Location: Skynet
Distribution: Debian + Emacs
Posts: 467

Original Poster
Blog Entries: 60

Thanks for the link. It is nice to know that mysql 5.5 does incorporate authentication plugins, though unfortunately all my servers are running 5.1. It seems that in Gentoo at least the mysql 5.5 packages are masked out as alpha and experimental. I'll have to do some more research and find out how dangerous the upgrade process is.
 
Old 04-02-2011, 03:07 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

I would urge you to appreciate that that is really new functionality. It's not the normal way things are done and whilst I make it a point to question just about everything I come across in IT, things are generally done the way they are done for good reasons, and fighting against it can put you in a much worse position.
 
Old 04-05-2011, 09:26 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

In Oracle, there is (or used to be) the OPS$<account> option, that linked your Oracle acct to your system acct, thus achieving what the OP asked for.
Given that Oracle bought the InnoDB engine a while back, and now 'owns' MySQL, I'm not surprised that this sort of functionality is becoming available.
 
All times are GMT -5.