PAM Authentication
Background
A Pluggable Authentication Module (PAM) is the AAA (Authentication, Authorization, and Accounting) framework used in most Linux/Unix systems.
Abstractly, PAM provides this basic API:
Inputs:
string username
string password
Output:
bool success
Anything that prompts the user for a password (such as sshd, Web server back-ends, and the Linux login console) can query PAM for a login result.
PAM and SingleStore (connection with MySQL Client)
Cleartext Passwords
Typically, SingleStore users (those users created and managed with GRANT … IDENTIFIED BY) are managed by the database internally, and do not exist anywhere else on the Linux/Unix system.
When connecting, the MySQL client normally sends a hashed password to the server./etc/shadow) uses a different hash, which can only be calculated from the cleartext password.
mysql -u steve -h 0 --enable-cleartext-plugin -p
Enter password:
Note that since the password is sent in cleartext, SSL is strongly recommended.
GRANT Syntax using PAM
The following example creates a new user, where pam_ is a placeholder for the actual PAM service name to use./etc/pam..pam_ to the actual PAM service name, and not leave it as pam_.
GRANT ALL ON *.* to 'singlestore-db_user'@'127.0.0.1' IDENTIFIED WITH authentication_pam AS 'pam_service';
As most Linux/Unix systems have a PAM service at /etc/pam., there's a straightforward way to test SingleStore and PAM.'steve' database user with the default authentication scheme on the host – and the same password 'steve' uses for SSH.
GRANT ALL ON *.* to 'steve'@'localhost' IDENTIFIED WITH authentication_pam as 'sshd';
Granting permissions to an existing database user via the GRANT command should be done using only the username without the IDENTIFIED WITH clause.
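A check for the GRANT statements above, as an added example that is not SingleStore's own code: it extracts each user created with IDENTIFIED WITH authentication_pam and flags a service name that is still the pam_service placeholder or that has no matching PAM service file. The function names, the 'carol' user, and the /etc/pam.d default directory are assumptions; the sample statements and the service directory are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches the GRANT form shown on this page:
#   GRANT ... TO 'user'@'host' IDENTIFIED WITH authentication_pam AS 'service';
PAM_GRANT = re.compile(
    r"""\bTO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'\s+
        IDENTIFIED\s+WITH\s+authentication_pam\s+AS\s+'(?P<service>[^']*)'""",
    re.IGNORECASE | re.VERBOSE,
)
PLACEHOLDER = "pam_service"  # placeholder name used in the page's template GRANT
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # no path separators in a service name


def audit_pam_grants(sql, pam_dir="/etc/pam.d"):  # default directory is an assumption
    """Return (user, host, service, finding) for each PAM-backed GRANT in sql."""
    results = []
    for m in PAM_GRANT.finditer(sql):
        service = m["service"]
        if service == PLACEHOLDER:
            finding = "placeholder service name left unchanged"
        elif not SAFE_NAME.fullmatch(service) or service in (".", ".."):
            finding = "service name is not a plain file name"
        elif not (Path(pam_dir) / service).is_file():
            finding = "no PAM service file with this name"
        else:
            finding = "ok"
        results.append((m["user"], m["host"], service, finding))
    return results


def demo():
    """Run the audit over constructed statements and a constructed PAM directory."""
    sql = """
    GRANT ALL ON *.* to 'singlestore-db_user'@'127.0.0.1' IDENTIFIED WITH authentication_pam AS 'pam_service';
    GRANT ALL ON *.* to 'steve'@'localhost' IDENTIFIED WITH authentication_pam as 'sshd';
    GRANT ALL ON *.* to 'carol'@'localhost' IDENTIFIED WITH authentication_pam AS 'sshdd';
    GRANT SELECT ON db.* to 'steve'@'localhost';
    """
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sshd").write_text("auth required pam_unix.so\n")
        return audit_pam_grants(sql, pam_dir=d)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last statement in the sample has no IDENTIFIED WITH clause, so it is treated as a permission grant to an existing user and produces no row.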
Last modified: July 29, 2024