← Back to team overview

maria-discuss team mailing list archive

Using SSH keys for authenticating MariaDB users? (pam_ssh module or ed25519)

 

Hello!

Has anybody successfully set up MariaDB authentication using SSH keys?

I've tried but can't figure out how to get the client part working..

On https://mariadb.com/kb/en/authentication-plugin-pam/ it is stated
that using the PAM module one can benefit of the pam_ssh PAM module:

> Authentication using SSH keys. See the pam_ssh PAM module.

This got me thinking that it might be possible.

I installed the module in MariaDB, installed the PAM module on the
system, configured the MariaDB server part and added a user but then
ran into a wall when trying to authenticate. There does not seem to be
any way to tell the mariadb client that "send this SSH key to server",
it always wants to use a password.

It got me thinking, that since the mariadb client does not seem to
support anything else than dialog and password, maybe "Authentication
using SSH keys" isn't actually possible yet?

Should the documentation in the wiki be updated a bit to outline what
is actually possible now, and what is potentially in the future?


Here are my configs

global_priv user localhost@:
{"access":0,"ssl_type":0,"ssl_cipher":"","x509_issuer":"","x509_subject":"","max_questions":0,"max_updates":0,"max_connections":0,"max_user_connections":0,"max_statement_time":0.000000,"plugin":"pam","authentication_string":"mariadb","password_last_changed":1602657078,"password_lifetime":-1,"account_locked":false,"default_role":"","is_role":false}

# mysql -e "show plugins" | grep pam
pam ACTIVE AUTHENTICATION auth_pam.so GPL

# cat /etc/mysql/conf.d/pam-ssh.cnf
[mariadb]
plugin_load_add = auth_pam

# cat /etc/pam.d/mariadb
auth required pam_ssh.so audit
account required pam_ssh.so audit



On https://mariadb.com/kb/en/authentication-plugin-ed25519/ there is
also documentation about the plugin that stores passwords in the
ed25519 format. My SSH keys are using ed25519 - can this auth plugin
be (mis)used so that I store the public key in the MariaDB user
database as a password somehow and then send in as username/password
some proof signed by my private key? Thus essentially using SSH keys
and the same authentication, but without invoking any SSH?


PS. The die links from the wiki seem a bit outdated. I would recommend
linking directly to a source that inherits its contents from fresh
Linux distro packages, such as
https://manpages.debian.org/unstable/libpam-ssh/pam_ssh.8.en.html or
https://manpages.ubuntu.com/manpages/focal/en/man8/pam_ssh.8.html


Follow ups