:program:`auth_pam` is an authentication plugin that authenticates connections
using :abbr:`PAM (Pluggable Authentication Module)`. PAM is effectively your
current Linux based user security. This means you can set up Drizzle so that you
can use your Linux system username and password to connect. System user and
password files are typically stored in ``/etc/passwd`` and
``/etc/shadow``. However, PAM can also be set up to use other sources, such as an
LDAP directory, as a user database. All of these options are transparently
available to Drizzle via this module.

.. note:: Unload the :doc:`/plugins/auth_all/index` plugin before using this plugin.

.. seealso:: :doc:`/administration/authentication`

Sorry, there are no examples for this plugin.

Most Linux distributions should have PAM configured in a way that it will just
work with Drizzle. The default PAM configuration is typically found in
:file:`/etc/pam.d/other`. [1]_ However, if you want to specifically configure
the way PAM will be used by Drizzle, then put something like the following
in :file:`/etc/pam.d/drizzle`::

   auth required pam_unix.so
   account required pam_unix.so

To enable auth_pam, start Drizzle like::

   $ sbin/drizzled --plugin-remove=auth_all --plugin-add=auth_pam

As an alternative to using command line options, you can enable auth_pam
by adding the following to :file:`/etc/drizzle/drizzled.cnf`::

   plugin-remove=auth_all
   plugin-add=auth_pam

Then connect to Drizzle like::

   $ bin/drizzle -P --protocol mysql-plugin-auth
   Enter password: [Enter your system password here]

   Welcome to the Drizzle client.. Commands end with ; or \g.
   Your Drizzle connection id is 3
   Connection protocol: mysql-plugin-auth
   Server version: 2011.09.26.2426 Source distribution (drizzle-docs71)

   Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

You must use ``--protocol mysql-plugin-auth`` for auth_pam to work. This
protocol sends the password in plaintext to Drizzle, which
is required for PAM based authentication.

Note that you don't need to specify the ``-u`` or ``--user`` argument, since
Drizzle will default to using your system username, which is exactly what we
want when using auth_pam.

.. _auth_pam_security:

When using auth_pam, your Drizzle password is sent unencrypted from the client
to the server. See :ref:`auth_pam_limitations` for details.
Note that this will almost always be your Linux system password too!

Arguably, this is not a problem when you are connecting to Drizzle from
localhost and sharing your system username and password for Drizzle can

.. warning:: Using auth_pam when connecting over a public or insecure network is strongly discouraged!

We recommend you disable auth_pam on networked Drizzle servers
and instead use the :ref:`auth_schema_plugin` plugin or alternatively
the :ref:`auth_ldap_plugin` plugin if you are interested in managing
usernames outside of Drizzle.
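The recommendation above can be checked mechanically. As an added example (not part of the Drizzle documentation or code base), the following POSIX shell function audits a :file:`drizzled.cnf` and reports whether auth_pam is enabled while the server still listens on a non-loopback address, or while auth_all has not been removed. It assumes the listener option is spelled ``bind-address`` and that an absent ``bind-address`` means the server listens on all interfaces; both are assumptions, not taken from this page.

```shell
#!/bin/sh
# drizzle_auth_pam_audit CNF
#   Exit 0: auth_pam not enabled, or enabled on a loopback-only listener.
#   Exit 1: auth_pam enabled and the server listens on a network address
#           (the risk this page warns about: plaintext passwords on the wire).
#   Exit 2: auth_pam enabled but auth_all was not removed (note at top of page).
# Assumptions: option name "bind-address"; no bind-address = all interfaces.
drizzle_auth_pam_audit() {
    cnf="$1"
    pam_on=0
    all_off=0
    bind="0.0.0.0"              # assumed default when the option is absent
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # ignore whitespace
        case "$line" in
            plugin-add=*auth_pam*)    pam_on=1 ;;          # list may be comma-separated
            plugin-remove=*auth_all*) all_off=1 ;;
            bind-address=*)           bind=${line#bind-address=} ;;
        esac
    done < "$cnf"
    [ "$pam_on" -eq 1 ] || return 0
    [ "$all_off" -eq 1 ] || return 2
    case "$bind" in
        127.*|::1|localhost) return 0 ;;   # loopback only: acceptable per page
        *)                   return 1 ;;   # reachable from the network: discouraged
    esac
}
```

Run it against each server's configuration file; a non-zero status marks a host where auth_pam should be replaced by :ref:`auth_schema_plugin` or :ref:`auth_ldap_plugin`.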

.. _auth_pam_limitations:

Most Drizzle authentication plugins use a challenge-response protocol
for authentication. In such schemes the client and the server each compute a
hash that they compare with each other. Thanks to this, the password itself is
never sent over the network and therefore cannot be seen by an eavesdropping
attacker. The auth_pam plugin however needs to use the password in plaintext
format. This limitation is due to the typical configuration of PAM. For
instance, when you log in to your system via SSH, the password is likewise sent in
plaintext from the client to the server. Of course, in the case of SSH the
communication channel itself is encrypted, so it cannot be eavesdropped.

This leads us to the next limitation: the :ref:`drizzle_command_line_client`
does not support SSL connections. This means communication between client and server
is sent in unencrypted cleartext over the network, including your password.
Hopefully a future version of the :ref:`drizzle_command_line_client` will support SSL
encrypted connections, making auth_pam authentication more useful.

You must use the following parameters to the :ref:`drizzle_command_line_client`
to make sure your password is sent in plaintext to the server::

   $ drizzle -P --protocol mysql-plugin-auth

The ``-P`` or ``--password`` switch will make :program:`drizzle` ask for your
password interactively. The ``--protocol mysql-plugin-auth`` will use a
protocol that sends the password in plaintext.

.. _auth_pam_authors:

:Documentation: Henrik Ingo, Daniel Nichter

.. _auth_pam_version: