Outdated Version

You are viewing an older version of this section. View current production version.

Using MemSQL and PAM min read


Info

This topic does not apply to MemSQL Helios.

Background

A Pluggable Authentication Module (PAM) is the AAA (Authentication, Authorization and Accounting) framework used in most Linux/Unix distributions. Ubuntu, RHEL, Mac OS X, FreeBSD, and NetBSD use PAM for authentication. Most distributions that do not come with PAM can be made to work with PAM.

Abstractly, PAM provides this basic API:

Inputs:
    string username
    string password
Output:
    bool success

Anything that prompts the user for a password (sshd, web server back-ends, the Linux login console) can ask PAM for results. PAM only provides top-level access to a system (whether you can log in at all), not fine-grained access control (which files you can access).

PAM and MemSQL (connection with MySQL Client)

Cleartext Passwords

Typical MemSQL/MySQL users (created and managed with GRANT … IDENTIFIED BY) are managed by the database internally, and do not exist anywhere else on the Linux/Unix system.

When connecting, a MySQL client normally sends a hashed password to the server. However, the input to PAM must be the cleartext password. This is because every password backend (Kerberos, /etc/shadow) uses a different hash, which can only be calculated from the cleartext password. Since 5.5.27, the MySQL client binary has supported sending the password in cleartext.

$ mysql -u steve -h 0 --enable-cleartext-plugin -p

Enter password:

Note that since the password gets sent in cleartext, SSL is strongly recommended! Current Java JDBC clients will actually refuse to connect if a cleartext password is requested without SSL.

GRANT Syntax using PAM

Grant MemSQL privileges using PAM using the following syntax:

memsql> GRANT ALL ON *.* to 'memsql_user'@'127.0.0.1' IDENTIFIED WITH authentication_pam AS 'pam_service';

In the above example, pam_service a placeholder for the actual PAM service name you would like to use. In this example, PAM would look for a config file named /etc/pam.d/pam_service. However, you must change pam_service to the actual service name, do not leave it as pam_service.

Most systems have a PAM service at /etc/pam.d/sshd, so it’s a straightforward way to test MemSQL and PAM:

memsql> GRANT ALL ON *.* to 'steve'@'localhost' IDENTIFIED WITH
authentication_pam as 'sshd';

This should use the default authentication scheme on the system – the same password a user would use for SSH.