[Maria-discuss] Using SSH keys for authenticating MariaDB users? (pam_ssh module or ed25519)
Hello!
Has anybody successfully set up MariaDB authentication using SSH keys?
I've tried but can't figure out how to get the client part working..
On https://mariadb.com/kb/en/authentication-plugin-pam/ it is stated that using the PAM module one can benefit of the pam_ssh PAM module:
Authentication using SSH keys. See the pam_ssh PAM module.
This got me thinking that it might be possible.
I installed the module in MariaDB, installed the PAM module on the system, configured the MariaDB server part and added a user but then ran into a wall when trying to authenticate. There does not seem to be any way to tell the mariadb client that "send this SSH key to server", it always wants to use a password.
It got me thinking, that since the mariadb client does not seem to support anything else than dialog and password, maybe "Authentication using SSH keys" isn't actually possible yet?
Should the documentation in the wiki be updated a bit to outline what is actually possible now, and what is potentially in the future?
Here are my configs
global_priv user localhost@: {"access":0,"ssl_type":0,"ssl_cipher":"","x509_issuer":"","x509_subject":"","max_questions":0,"max_updates":0,"max_connections":0,"max_user_connections":0,"max_statement_time":0.000000,"plugin":"pam","authentication_string":"mariadb","password_last_changed":1602657078,"password_lifetime":-1,"account_locked":false,"default_role":"","is_role":false}
# mysql -e "show plugins" | grep pam pam ACTIVE AUTHENTICATION auth_pam.so GPL
# cat /etc/mysql/conf.d/pam-ssh.cnf [mariadb] plugin_load_add = auth_pam
# cat /etc/pam.d/mariadb auth required pam_ssh.so audit account required pam_ssh.so audit
On https://mariadb.com/kb/en/authentication-plugin-ed25519/ there is also documentation about the plugin that stores passwords in the ed25519 format. My SSH keys are using ed25519 - can this auth plugin be (mis)used so that I store the public key in the MariaDB user database as a password somehow and then send in as username/password some proof signed by my private key? Thus essentially using SSH keys and the same authentication, but without invoking any SSH?
PS. The die links from the wiki seem a bit outdated. I would recommend linking directly to a source that inherits its contents from fresh Linux distro packages, such as https://manpages.debian.org/unstable/libpam-ssh/pam_ssh.8.en.html or https://manpages.ubuntu.com/manpages/focal/en/man8/pam_ssh.8.html
I have not ever thought about using SSH to authenticate to the DB, but it's a good idea.
Perhaps I will make some time to tinker with it this weekend.
I hope you get it going and write a very short 'how-to' about it!
On Wed, 14 Oct 2020 at 08:43, Otto Kekäläinen otto@kekalainen.net wrote:
PS. The die links from the wiki seem a bit outdated. I would recommend
linking directly to a source that inherits its contents from fresh Linux distro packages, such as https://manpages.debian.org/unstable/libpam-ssh/pam_ssh.8.en.html or https://manpages.ubuntu.com/manpages/focal/en/man8/pam_ssh.8.html
This seems like a good suggestion, anybody object?
I have not ever thought about using SSH to authenticate to the DB, but it's a good idea.
Perhaps I will make some time to tinker with it this weekend.
I hope you get it going and write a very short 'how-to' about it!
No, I am stuck and have not progressed at all, thus I sent the message to the list :)
Seems the KB is misleading here - using SSH keys does not seem to be possible via any method despite what the KB suggests.
I hoped somebody on this list would have known better and showed otherwise.
participants (2)
-
Eric Herman -
Otto Kekäläinen