PAM and SingleStoreDB (connection with MySQL Client)

Cleartext Passwords

Typically, SingleStoreDB users (those users created and managed with GRANT … IDENTIFIED BY) are managed by the database internally, and do not exist anywhere else on the Linux/Unix system.

When connecting, the MySQL client normally sends a hashed password to the server. However, the input to PAM must be the cleartext password as every password back-end (Kerberos, /etc/shadow) uses a different hash, which can only be calculated from the cleartext password. The MySQL client binary has supported sending the password in cleartext since version 5.5.27.

mysql -u steve -h 0 --enable-cleartext-plugin -p

Enter password:

Note that since the password is sent in cleartext, SSL is strongly recommended. Current Java JDBC clients will actually refuse to connect if a cleartext password is requested without SSL.