For my little lab project I have been trying to get user authentication using a MySQL database up and running. Here is how I did it, including my configuration files:
First of all, SSHD requires a successful user lookup. If it cannot find the user on the system, it will not authenticate. Under normal circumstances, SSHD looks in /etc/passwd and/or NIS, so a little tweak is required: using libnss-mysql, it is possible to find users in a MySQL database. My configuration looks like this:
[root@lab-access /etc/pam.d]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/9.1.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files mysql
group_compat: nis
hosts: files dns
networks: files
passwd: files mysql
passwd_compat: nis
shells: files mysql
services: compat
services_compat: nis
protocols: files
rpc: files
[root@lab-access /usr/local/etc]# cat libnss-mysql.cfg
getpwnam    SELECT username,'*',uid,gid,pwchange,class,gecos,homedir,shell, \
            expire \
            FROM users \
            WHERE username='%1$s' \
            LIMIT 1
getpwuid    SELECT username,'*',uid,gid,pwchange,class,gecos,homedir,shell, \
            expire \
            FROM users \
            WHERE uid='%1$u' \
            LIMIT 1
getpwent    SELECT username,'*',uid,gid,pwchange,class,gecos,homedir,shell, \
            expire \
            FROM users
getgrnam    SELECT name,password,gid \
            FROM groups \
            WHERE name='%1$s' \
            LIMIT 1
getgrgid    SELECT name,password,gid \
            FROM groups \
            WHERE gid='%1$u' \
            LIMIT 1
getgrent    SELECT name,password,gid \
            FROM groups
memsbygid   SELECT username \
            FROM grouplist \
            WHERE gid='%1$u'
gidsbymem   SELECT gid \
            FROM grouplist \
            WHERE username='%1$s'
host        172.16.1.1
database    lab
username    nss-ro
password    ****
[root@lab-access /usr/local/etc]# cat libnss-mysql-root.cfg
getpwnam    SELECT username,password,uid,gid,pwchange,class,gecos,homedir, \
            shell,expire \
            FROM users \
            WHERE username='%1$s' \
            LIMIT 1
getpwuid    SELECT username,password,uid,gid,pwchange,class,gecos,homedir, \
            shell,expire \
            FROM users \
            WHERE uid='%1$u' \
            LIMIT 1
getpwent    SELECT username,password,uid,gid,pwchange,class,gecos,homedir, \
            shell,expire \
            FROM users
username    nss-root
password    ****

mysql> show tables;
+---------------+
| Tables_in_lab |
+---------------+
| grouplist     |
| groups        |
| nodes         |
| users         |
+---------------+
4 rows in set (0.00 sec)

mysql> describe users;
+----------+--------------+------+-----+---------+----------------+
| Field    | Type         | Null | Key | Default | Extra          |
+----------+--------------+------+-----+---------+----------------+
| username | varchar(16)  | NO   | UNI |         |                |
| uid      | int(11)      | NO   | PRI | NULL    | auto_increment |
| gid      | int(11)      | NO   |     | 5000    |                |
| pwchange | int(11)      | NO   |     | 0       |                |
| class    | varchar(64)  | NO   |     |         |                |
| gecos    | varchar(128) | NO   |     |         |                |
| homedir  | varchar(255) | NO   |     |         |                |
| shell    | varchar(64)  | NO   |     | /bin/sh |                |
| password | varchar(34)  | NO   |     | x       |                |
| expire   | bigint(20)   | NO   |     | 0       |                |
+----------+--------------+------+-----+---------+----------------+
10 rows in set (0.01 sec)

mysql> describe groups;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| name     | varchar(16) | NO   |     |         |                |
| password | varchar(34) | NO   |     | x       |                |
| gid      | int(11)     | NO   | PRI | NULL    | auto_increment |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

mysql> describe grouplist;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| rowid    | int(11)  | NO   | PRI | NULL    | auto_increment |
| gid      | int(11)  | NO   |     | 0       |                |
| username | char(16) | NO   |     |         |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
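To see what the two libnss-mysql configurations actually hand back to the system, here is an added example (my own code, not part of the original post or of libnss-mysql) that runs the page's passwd and group queries against an in-memory SQLite copy of the lab schema. SQLite stands in for MySQL, the `%1$s`/`%1$u` placeholders that libnss-mysql substitutes are replaced with bound parameters, and the `groups`/`grouplist` rows are constructed because the post only shows the `users` row. The point it demonstrates is the split between the two files: the world-readable config (`nss-ro`) selects the literal `'*'` in the password position, so an unprivileged `getent passwd` never sees a hash, while the root-only config (`nss-root`) returns the real `password` column.

```python
import sqlite3

# Column lists copied from the two libnss-mysql configs above: the read-only
# one substitutes the literal '*' for the hash, the root one returns it.
PASSWD_COLUMNS_RO = "username,'*',uid,gid,pwchange,class,gecos,homedir,shell,expire"
PASSWD_COLUMNS_ROOT = "username,password,uid,gid,pwchange,class,gecos,homedir,shell,expire"
PASSWD_FIELDS = ("username", "password", "uid", "gid", "pwchange",
                 "class", "gecos", "homedir", "shell", "expire")


def build_lab_db():
    """In-memory SQLite version of the 'lab' schema shown in the describe output."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            username TEXT    NOT NULL UNIQUE,
            uid      INTEGER PRIMARY KEY,
            gid      INTEGER NOT NULL DEFAULT 5000,
            pwchange INTEGER NOT NULL DEFAULT 0,
            class    TEXT    NOT NULL DEFAULT '',
            gecos    TEXT    NOT NULL DEFAULT '',
            homedir  TEXT    NOT NULL DEFAULT '',
            shell    TEXT    NOT NULL DEFAULT '/bin/sh',
            password TEXT    NOT NULL DEFAULT 'x',
            expire   INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE groups (
            name     TEXT    NOT NULL,
            password TEXT    NOT NULL DEFAULT 'x',
            gid      INTEGER PRIMARY KEY
        );
        CREATE TABLE grouplist (
            rowid    INTEGER PRIMARY KEY,
            gid      INTEGER NOT NULL DEFAULT 0,
            username TEXT    NOT NULL DEFAULT ''
        );
    """)
    # The labuser row as shown in the post's "select * from users" output.
    conn.execute(
        "INSERT INTO users (username,uid,gid,gecos,homedir,shell,password) VALUES (?,?,?,?,?,?,?)",
        ("labuser", 5000, 5000, "Lab User", "/tmp", "/bin/sh", "6oiG7NpgxouYg"))
    # Constructed group data (the post does not show these rows).
    conn.execute("INSERT INTO groups (name,gid) VALUES (?,?)", ("labusers", 5000))
    conn.execute("INSERT INTO grouplist (gid,username) VALUES (?,?)", (5000, "labuser"))
    conn.commit()
    return conn


def _row_to_entry(row):
    return dict(zip(PASSWD_FIELDS, row)) if row else None


def getpwnam(conn, username, privileged=False):
    """Mirror the getpwnam query; privileged=True selects the nss-root column list."""
    columns = PASSWD_COLUMNS_ROOT if privileged else PASSWD_COLUMNS_RO
    sql = f"SELECT {columns} FROM users WHERE username=? LIMIT 1"
    return _row_to_entry(conn.execute(sql, (username,)).fetchone())


def getpwuid(conn, uid, privileged=False):
    columns = PASSWD_COLUMNS_ROOT if privileged else PASSWD_COLUMNS_RO
    sql = f"SELECT {columns} FROM users WHERE uid=? LIMIT 1"
    return _row_to_entry(conn.execute(sql, (uid,)).fetchone())


def members_by_gid(conn, gid):
    """memsbygid: usernames belonging to a group."""
    return [r[0] for r in conn.execute("SELECT username FROM grouplist WHERE gid=?", (gid,))]


def gids_by_member(conn, username):
    """gidsbymem: supplementary gids for a user."""
    return [r[0] for r in conn.execute("SELECT gid FROM grouplist WHERE username=?", (username,))]


def passwd_line(entry):
    """Render an entry in the 7-field passwd(5) form that 'getent passwd' prints."""
    return "{username}:{password}:{uid}:{gid}:{gecos}:{homedir}:{shell}".format(**entry)


if __name__ == "__main__":
    db = build_lab_db()
    print("unprivileged:", passwd_line(getpwnam(db, "labuser")))
    print("root        :", passwd_line(getpwnam(db, "labuser", privileged=True)))
```

Running it prints `labuser:*:5000:5000:Lab User:/tmp:/bin/sh` for the unprivileged lookup and the same line with the hash in the second field for the root lookup, which is exactly the property the two-file layout buys: the hash only travels over the wire for connections made with the `nss-root` credentials, so those credentials and that config file deserve the same protection as `/etc/master.passwd`.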
So far so good. The next step is to get user authentication on the Unix system working. To get that done, I modified the /etc/pam.d/sshd file to use pam_mysql:
[root@lab-access /etc/pam.d]# cat sshd
#
# $FreeBSD: release/9.1.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
auth      sufficient  pam_mysql.so user=nss-root passwd=**** host=172.16.1.1 db=lab table=users usercolumn=username passwdcolumn=password crypt=1 try_first_pass no_warn
password  required    pam_mysql.so user=nss-root passwd=**** host=172.16.1.1 db=lab table=users usercolumn=username passwdcolumn=password crypt=1 try_first_pass no_warn
auth      required    pam_unix.so try_first_pass no_warn
session   required    pam_permit.so
account   required    pam_unix.so
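The behaviour of this stack hinges on the control flags: `pam_mysql.so` is `sufficient`, so a matching MySQL hash ends the `auth` stack successfully without ever reaching `pam_unix.so`, whereas a MySQL miss (wrong password, or the database being unreachable) falls through to `pam_unix.so`, which is `required` and will fail for any account that exists only in the database. The following added example (my own code, not from the post, pam_mysql or OpenPAM) models the standard PAM control-flag semantics over the `auth` lines exactly as written above and, since `crypt=1` tells pam_mysql to compare with crypt(3), includes a small audit helper that identifies which crypt scheme a stored hash uses. The 13-character hash in the post's `users` row is traditional DES crypt, which only looks at the first 8 characters of the password and has a 12-bit salt.

```python
import re

# /etc/pam.d/sshd as shown in the post (database password masked as in the post).
SSHD_PAM_CONF = """\
auth      sufficient  pam_mysql.so user=nss-root passwd=**** host=172.16.1.1 db=lab table=users usercolumn=username passwdcolumn=password crypt=1 try_first_pass no_warn
password  required    pam_mysql.so user=nss-root passwd=**** host=172.16.1.1 db=lab table=users usercolumn=username passwdcolumn=password crypt=1 try_first_pass no_warn
auth      required    pam_unix.so try_first_pass no_warn
session   required    pam_permit.so
account   required    pam_unix.so
"""


def parse_stack(conf, facility):
    """Return [(control, module, options)] for one facility (auth, account, ...) in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        rules.append((fields[1], fields[2], fields[3:]))
    return rules


def evaluate_stack(rules, results):
    """Apply the classic PAM control-flag rules to a set of module outcomes.

    results maps module name -> True (PAM_SUCCESS) / False. A module absent
    from results is treated as failing, which is also what an unreachable
    backend looks like to the stack."""
    required_failed = False
    required_seen = False
    optional_result = None
    for control, module, _opts in rules:
        ok = results.get(module, False)
        if control == "requisite":
            required_seen = True
            if not ok:
                return False              # stop immediately on failure
        elif control == "required":
            required_seen = True
            if not ok:
                required_failed = True    # remember the failure, keep running the stack
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # short-circuit: later modules never run
        elif control == "optional":
            optional_result = ok          # only decisive if nothing else decides
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if required_failed:
        return False
    if required_seen:
        return True
    # Only sufficient/optional modules and no sufficient one succeeded.
    return bool(optional_result)


def classify_crypt_hash(h):
    """Identify the crypt(3) scheme of a stored hash from its format prefix/shape."""
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$5$"):
        return "sha256crypt"
    if h.startswith("$1$"):
        return "md5crypt"
    if re.match(r"\$2[aby]\$", h):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"                 # 2-char salt + 11-char hash, legacy DES
    if h in ("x", "*", "!", "*LOCKED*"):
        return "placeholder-or-locked"
    return "unknown"


def weak_hash_report(rows):
    """rows: iterable of (username, password_hash). Returns users still on DES crypt."""
    return [user for user, h in rows if classify_crypt_hash(h) == "descrypt"]


if __name__ == "__main__":
    auth = parse_stack(SSHD_PAM_CONF, "auth")
    print("mysql ok            ->", evaluate_stack(auth, {"pam_mysql.so": True}))
    print("mysql fail, unix ok ->", evaluate_stack(auth, {"pam_mysql.so": False, "pam_unix.so": True}))
    print("both fail / db down ->", evaluate_stack(auth, {}))
    print("weak hashes         ->", weak_hash_report([("labuser", "6oiG7NpgxouYg")]))
```

The `weak_hash_report` helper is the check I would run against the `users` table before putting this in front of anything that matters: `pam_mysql` with `crypt=1` accepts whatever crypt(3) scheme the stored string uses, so the `varchar(34)` column is wide enough for `$1$` md5crypt but the rows have to be re-hashed for that to happen, and the evaluator makes it easy to confirm that the `password` line in the middle of the file is in a different facility and has no effect on how `auth` is decided.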
The last step is to tell FreeRADIUS to use the Unix system as the primary authentication method. Here is the relevant part of the sites-enabled/default file:
authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pam
        }
And we’re done!
mysql> select * from users;
+----------+------+------+----------+-------+----------+---------+---------+---------------+--------+
| username | uid  | gid  | pwchange | class | gecos    | homedir | shell   | password      | expire |
+----------+------+------+----------+-------+----------+---------+---------+---------------+--------+
| labuser  | 5000 | 5000 |        0 |       | Lab User | /tmp    | /bin/sh | 6oiG7NpgxouYg |      0 |
+----------+------+------+----------+-------+----------+---------+---------+---------------+--------+
1 row in set (0.00 sec)
[root@lab-access ~]# ssh labuser@localhost
Password:
Last login: Tue Mar  5 22:34:38 2013 from localhost
[labuser@lab-access ~]$ ssh 172.16.1.101
labuser@172.16.1.101's password:
--- JUNOS 9.3R4.6 built 2013-01-10 00:57:42 UTC
labuser@r1>
Yay!