Hello,
OS: OpenSuSE 11.0
I’m looking at PAM for the first time and it’s clear that I could really screw something up badly if I make a bad change so I am hoping for some guidance here (to save a lot of heartache).
I want to authenticate users in a MySQL database as well as the normal SSH authentication. The DB contains users that will run SFTP.
Unless I got it wrong this will mean adding to the configuration file /etc/pam.d/ssh and below is the file unchanged. Below that are the changes I imagine are needed.
Could someone please let me know if this is on the right track before I change anything? - my understanding is that I could lock myself out of shelling into the system if I do this wrong.
Unchanged:
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
What I would like to do with these changes is allow SSH to do its normal authentication through PAM and if it doesn’t find a match then try authenticating through PAM to the MySQL DB.
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
auth required pam_mysql.so (options added here)
account include common-account
account required pam_mysql.so (options added here)
password include common-password
password required pam_mysql.so (options added here)
session required pam_loginuid.so
session include common-session
session required pam_mysql.so (options added here)
The files included have “required” on their lines. I’m not sure if this is okay or if I need to make adjustments so that I get the logic of:
“If the first type of authentication fails then try the second, and if the second type fails then return fail.”
Or perhaps better that I do the MySQL authentication first as optional and leave the included files alone which I guess would be like this:
#%PAM-1.0
auth sufficient pam_mysql.so (options added here)
auth requisite pam_nologin.so
auth include common-auth
account sufficient pam_mysql.so (options added here)
account include common-account
password sufficient pam_mysql.so (options added here)
password include common-password
session sufficient pam_mysql.so (options added here)
session required pam_loginuid.so
session include common-session
But I was hoping not to hit the MySQL DB first which is why I was favoring the first way… although now thinking about it this second way seems more practical since I probably won’t have to change include files which I imagine are called from multiple places.
Please, any help towards enlightenment would be very much appreciated.
Cheers!
Reggie.
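The behaviour of the two stacks in the post comes down to how Linux-PAM walks the control flags (requisite, required, sufficient, optional, include). The following simulation is an added example, not code from the post or from Linux-PAM; it models those rules for the auth stack and runs the unchanged file, the two proposed layouts, and one reordered variant against a few constructed login attempts. It assumes common-auth reduces to a single `required pam_unix.so` line (the real file has more entries) and that each module either accepts or rejects the user.

```python
"""Simulation of Linux-PAM control-flag semantics for an 'auth' stack.

Added example, constructed for illustration; it is not code from the post and
the include file contents are an assumption (see COMMON_AUTH below).
Rules modelled (the simple control syntax of Linux-PAM's pam.conf):
  requisite  - failure aborts the stack immediately with failure
  required   - failure is recorded (final verdict = fail) but later modules still run
  sufficient - success ends the stack with success unless a required/requisite
               module already failed; failure is ignored
  optional   - success counts, failure is ignored
  include    - splice in another file's lines for this management group
"""
from typing import Dict, List, Optional, Tuple

Line = Tuple[str, str]           # (control flag, module name or included file)
Files = Dict[str, List[Line]]    # config file name -> its 'auth' lines
Outcomes = Dict[str, bool]       # module name -> does it succeed for this attempt?


def expand(name: str, files: Files) -> List[Line]:
    """Resolve 'include' lines recursively into a flat module stack."""
    out: List[Line] = []
    for control, target in files[name]:
        if control == "include":
            out.extend(expand(target, files))
        else:
            out.append((control, target))
    return out


def evaluate(name: str, files: Files, outcomes: Outcomes) -> bool:
    """Return the stack's final verdict. 'impression' mirrors Linux-PAM's
    undefined / positive / negative state while walking the modules."""
    impression: Optional[bool] = None
    for control, module in expand(name, files):
        ok = outcomes.get(module, False)           # unknown module fails closed
        if control in ("required", "optional", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            elif control == "requisite":
                return False                        # die: stop right here
            elif control == "required":
                impression = False                  # remember the failure, keep going
        elif control == "sufficient":
            if ok and impression is not False:
                return True                         # done: short-circuit success
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    return impression is True


# ASSUMPTION: a simplified common-auth; the real file has more entries.
# pam_unix.so stands in for the local /etc/shadow password check.
COMMON_AUTH: List[Line] = [("required", "pam_unix.so")]

# sshd auth stacks: the unchanged file, the two layouts from the post, and a variant.
CONFIGS: Dict[str, Files] = {
    "unchanged": {"common-auth": COMMON_AUTH, "sshd": [
        ("requisite", "pam_nologin.so"), ("include", "common-auth")]},
    "mysql_required_after": {"common-auth": COMMON_AUTH, "sshd": [
        ("requisite", "pam_nologin.so"), ("include", "common-auth"),
        ("required", "pam_mysql.so")]},
    "mysql_sufficient_first": {"common-auth": COMMON_AUTH, "sshd": [
        ("sufficient", "pam_mysql.so"), ("requisite", "pam_nologin.so"),
        ("include", "common-auth")]},
    # ASSUMPTION: a variant that keeps pam_nologin ahead of the short-circuit.
    "nologin_then_mysql_sufficient": {"common-auth": COMMON_AUTH, "sshd": [
        ("requisite", "pam_nologin.so"), ("sufficient", "pam_mysql.so"),
        ("include", "common-auth")]},
}

# Constructed login attempts: which module would accept this user?
# pam_nologin.so False means /etc/nologin exists and the user is not root.
ATTEMPTS: Dict[str, Outcomes] = {
    "local_user":      {"pam_nologin.so": True,  "pam_unix.so": True,  "pam_mysql.so": False},
    "db_only_user":    {"pam_nologin.so": True,  "pam_unix.so": False, "pam_mysql.so": True},
    "db_user_nologin": {"pam_nologin.so": False, "pam_unix.so": False, "pam_mysql.so": True},
    "unknown_user":    {"pam_nologin.so": True,  "pam_unix.so": False, "pam_mysql.so": False},
}


def verdicts() -> Dict[str, Dict[str, bool]]:
    """Evaluate every config against every attempt: config -> attempt -> verdict."""
    return {cfg: {who: evaluate("sshd", files, outcome) for who, outcome in ATTEMPTS.items()}
            for cfg, files in CONFIGS.items()}


if __name__ == "__main__":
    for cfg, results in verdicts().items():
        print(cfg)
        for who, ok in results.items():
            print(f"  {who:<16} {'PASS' if ok else 'FAIL'}")
```

Running it shows the two points that matter before touching the real file: with `required pam_mysql.so` placed after the include, both the local check and the MySQL check have to pass, so a user known to only one of them is rejected (that is the lock-out risk); with `sufficient pam_mysql.so` as the very first line, a DB user is accepted before `pam_nologin.so` ever runs, so the /etc/nologin gate is bypassed for those accounts. The reordered variant keeps pam_nologin first and still falls through to the local check when the DB rejects the user.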