Category: LINUX
2012-07-06 12:15:34
Because OpenSSH makes use of PAM for authentication, it may be desirable to back users with a pre-existing MySQL database. The following steps will show how to do this. This is yet another authentication option for integrations.
The role of PAM and NSS

There is some confusion as to the role of PAM and NSS. In a nutshell, PAM and NSS perform two related functions: authentication and name services.

The important item to note is that authentication is a question of, "Is this who they purport to be?" while name services focus on answering, "What do we know about this entity?" The confusion comes about because most authentication databases capture both sets of information in one place. To get MySQL to work correctly, both PAM and NSS will need to be configured in slightly different ways.
Pre-requisites

This document does not cover MySQL installation or configuration, and will assume that the DB is local to the system configuring PAM/NSS. The exact table layout is variable and is not constrained by the PAM/NSS modules, and any pre-existing database can be used. This example will assume a single table is used, defined a little later, for all queries, but a join of multiple tables could be used.

Also, these examples will show the use of aspshell for the user shell. This assumes P2P or Enterprise Server are installed.
To simplify setup, the following table is used in our example:
create database user_db;

The following steps detail the use of yum tools because these steps were done on Fedora Core 11. Please make adjustments for systems that are not RPM based, or do not make use of the toolset.

To install pam_mysql and libnss-mysql:

# yum install pam_mysql
# yum install libnss-mysql

Configuring NSS

Because improper configuration of PAM can result in denied access to the host system, it is best to start with setting up NSS. The main configuration of NSS is done in two files in /etc. They are /etc/libnss-mysql.cfg and /etc/libnss-mysql-root.cfg. The first file defines mappings from MySQL queries to NSS functions; the second file is pretty self explanatory since all it does is define how to access the database.
Here is an example:

getpwnam SELECT login_name,'x',user_id+'10000',user_id+'10000','Joe User',CONCAT('/home/',login_name),'/bin/aspshell' \

At the lowest level, the NSS get* set of functions return structs of database records. The SQL statements help define how the records are returned to NSS. In this example, the following is done per column:

Note that getpwuid is the reverse mapping, from UID back to user name.
Also note, none of the group related functions were defined. They do not need to be defined, as will be evident when /etc/nsswitch.conf is configured. Since the users are not going into a complex group scheme, at least in these examples, there is no need to defer to the DB for this information.

Altering the libnss-mysql configuration is not sufficient to get NSS to work. NSS needs to know where to look for certain types of information. To do this, NSS looks to /etc/nsswitch.conf for guidance. In particular, the string "mysql" is added to the passwd and shadow sections of the file, but not group:

passwd: files mysql

Since we did not alter group, the group NSS functions will not be used.

The Unix id tool can now be used to test the user account:

# grep admin /etc/passwd
# id admin
uid=10001(some_user) gid=10001 groups=10001

It is now time to configure PAM.
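The article tests the NSS side by hand with grep and id. As an added example (not part of the original article or of the pam_mysql/libnss-mysql projects), the script below turns the two checks a practitioner wants at this point into functions: that /etc/nsswitch.conf routes passwd and shadow to mysql but leaves group alone, and that the files holding the database credentials (/etc/libnss-mysql-root.cfg and, from the next section, /etc/pam_mysql.conf) are root-owned and not readable by other users. The paths in audit_host are the article's; everything else, including the sample file contents, is assumed here.

```shell
#!/bin/sh
# Added example: sanity-check the NSS/PAM-MySQL setup before testing logins.
# Not from the original article; paths below are the ones the article uses.

# check_nsswitch FILE
# Returns 0 when passwd and shadow list "mysql" as a source and group does not,
# matching the article's intended nsswitch.conf layout; prints what is wrong.
check_nsswitch() {
    f="$1"
    grep -Eq '^passwd:.*[[:space:]]mysql([[:space:]]|$)' "$f" \
        || { echo "$f: passwd line does not include mysql"; return 1; }
    grep -Eq '^shadow:.*[[:space:]]mysql([[:space:]]|$)' "$f" \
        || { echo "$f: shadow line does not include mysql"; return 1; }
    if grep -Eq '^group:.*[[:space:]]mysql([[:space:]]|$)' "$f"; then
        echo "$f: group line unexpectedly includes mysql"
        return 1
    fi
    return 0
}

# check_secret_perms FILE [OWNER]
# The credential-bearing config files must be owned by OWNER (default root)
# and readable only by that owner (mode 600 or 400). Uses ls output so it
# works on any POSIX system; the 10-character field is sliced to ignore the
# SELinux "." or ACL "+" suffix Fedora may append.
check_secret_perms() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    perm=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$want_owner" ] \
        || { echo "$f: owned by $owner, expected $want_owner"; return 1; }
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$f: permissions $perm, expected -rw------- (600)"; return 1 ;;
    esac
}

# resolve_user NAME
# Succeeds when NSS (any source, files or mysql) can resolve NAME, which is
# what the article's "id" test checks. Assumed helper, not from the article.
resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# audit_host: run all checks against the live system (the article's paths).
audit_host() {
    rc=0
    check_nsswitch /etc/nsswitch.conf || rc=1
    check_secret_perms /etc/libnss-mysql-root.cfg || rc=1
    check_secret_perms /etc/pam_mysql.conf || rc=1
    return $rc
}

# Only touch the live system when explicitly asked: sh check-nss.sh audit
if [ "${1:-}" = audit ]; then
    audit_host && echo "NSS/PAM-MySQL configuration looks sane"
fi
```

Run it as `sh check-nss.sh audit` on the host being configured, then `resolve_user admin` (or the article's `id admin`) to confirm the MySQL-backed account resolves. The permission check matters because both files contain a MySQL password in clear text; /etc/libnss-mysql.cfg is deliberately not checked, since every process doing name lookups has to be able to read it.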
Setting up PAM

While PAM can be configured from one file, it is easier for upkeep if multiple files are used. Because Fedora uses a separate sshd file to isolate PAM by service, the two files that will be set up are /etc/pam_mysql.conf and /etc/pam.d/sshd.

Here is the content of /etc/pam_mysql.conf:

users.host=/opt/aspera/common/mysql/var/run/mysql.sock

The heart of what this file does is configure how connections are made, and also define the mappings for required information from the database columns. For example, "users.password_column=password" tells pam_mysql.so that the column "password" in the table "user" of database "user_db" (defined earlier) is the password column. This should be self evident.

The "users.password_crypt" setting specifies the type of hash function that was used on the user database password entries. "1" is the old-style crypt().

Once this is in place, PAM needs to be instructed how to authenticate users. The sshd specific configuration for this is /etc/pam.d/sshd. The output is below, and the details of what it does follow:

#%PAM-1.0

To test, do the following two things:
The user should be able to log in without a problem
The user should not exist on the system, but a correct password from the database will allow access via aspshell.