PAM and SingleStoreDB (connection with MySQL Client)

Cleartext Passwords

Typical SingleStoreDB/MySQL users (created and managed with GRANT … IDENTIFIED BY) are managed by the database internally, and do not exist anywhere else on the Linux/Unix system.

When connecting, a MySQL client normally sends a hashed password to the server. However, the input to PAM must be the cleartext password. This is because every password backend (Kerberos, /etc/shadow) uses a different hash, which can only be calculated from the cleartext password. Since 5.5.27, the MySQL client binary has supported sending the password in cleartext.

$ mysql -u steve -h 0 --enable-cleartext-plugin -p

Enter password:

Note that since the password gets sent in cleartext, SSL is strongly recommended! Current Java JDBC clients will actually refuse to connect if a cleartext password is requested without SSL.