PAM pluggable authentication is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, see https://www.mysql.com/products/.
MySQL Enterprise Edition supports an authentication method that enables MySQL Server to use PAM (Pluggable Authentication Modules) to authenticate MySQL users. PAM enables a system to use a standard interface to access various kinds of authentication methods, such as traditional Unix passwords or an LDAP directory.
PAM pluggable authentication provides these capabilities:
External authentication: PAM authentication enables MySQL Server to accept connections from users defined outside the MySQL grant tables who authenticate using methods supported by PAM.
Proxy user support: PAM authentication can return to MySQL a user name different from the external user name passed by the client program, based on the PAM groups the external user is a member of and the authentication string provided. This means that the plugin can return the MySQL user that defines the privileges the external PAM-authenticated user should have. For example, an operating system user named joe can connect and have the privileges of a MySQL user named developer.
PAM pluggable authentication has been tested on Linux and macOS.
The following table shows the plugin and library file names. The file name suffix might differ on your system. The file must be located in the directory named by the plugin_dir system variable. For installation information, see Installing PAM Pluggable Authentication.
Table 6.16 Plugin and Library Names for PAM Authentication
Plugin or File          Plugin or File Name
Server-side plugin      authentication_pam
Client-side plugin      mysql_clear_password
Library file            authentication_pam.so
The client-side mysql_clear_password cleartext plugin that communicates with the server-side PAM plugin is built into the libmysqlclient client library and is included in all distributions, including community distributions. Inclusion of the client-side cleartext plugin in all MySQL distributions enables clients from any distribution to connect to a server that has the server-side PAM plugin loaded.
The following sections provide installation and usage information specific to PAM pluggable authentication:
How PAM Authentication of MySQL Users Works
PAM Unix Password Authentication without Proxy Users
PAM LDAP Authentication without Proxy Users
PAM Unix Password Authentication with Proxy Users and Group Mapping
PAM Authentication Access to Unix Password Store
For general information about pluggable authentication in MySQL, see Section 6.2.17, “Pluggable Authentication”. For information about the mysql_clear_password plugin, see Section 6.4.1.4, “Client-Side Cleartext Pluggable Authentication”. For proxy user information, see Section 6.2.18, “Proxy Users”.
This section provides a general overview of how MySQL and PAM work together to authenticate MySQL users. For examples showing how to set up MySQL accounts to use specific PAM services, see Using PAM Pluggable Authentication.
The client program and the server communicate, with the client sending to the server the client user name (the operating system user name by default) and password:
The client user name is the external user name.
For accounts that use the PAM server-side authentication plugin, the corresponding client-side plugin is mysql_clear_password. This client-side plugin performs no password hashing, with the result that the client sends the password to the server as cleartext.
The server finds a matching MySQL account based on the external user name and the host from which the client connects. The PAM plugin uses the information passed to it by MySQL Server (such as user name, host name, password, and authentication string). When you define a MySQL account that authenticates using PAM, the authentication string contains:
A PAM service name, which is a name that the system administrator can use to refer to an authentication method for a particular application. There can be multiple applications associated with a single database server instance, so the choice of service name is left to the SQL application developer.
Optionally, if proxying is to be used, a mapping from PAM groups to MySQL user names.
The plugin uses the PAM service named in the authentication string to check the user credentials and returns 'Authentication succeeded, Username is user_name' or 'Authentication failed'. The password must be appropriate for the password store used by the PAM service. Examples:
For traditional Unix passwords, the service looks up passwords stored in the /etc/shadow file.
For LDAP, the service looks up passwords stored in an LDAP directory.
If the credentials check fails, the server refuses the connection.
Otherwise, the authentication string indicates whether proxying occurs. If the string contains no PAM group mapping, proxying does not occur. In this case, the MySQL user name is the same as the external user name.
Otherwise, proxying is indicated based on the PAM group mapping, with the MySQL user name determined based on the first matching group in the mapping list. The meaning of “PAM group” depends on the PAM service. Examples:
For traditional Unix passwords, groups are Unix groups defined in the /etc/group file, possibly supplemented with additional PAM information in a file such as /etc/security/group.conf.
For LDAP, groups are LDAP groups defined in an LDAP directory.
If the proxy user (the external user) has the PROXY privilege for the proxied MySQL user name, proxying occurs, with the proxy user assuming the privileges of the proxied user.
This section describes how to install the PAM authentication plugin. For general information about installing plugins, see Section 5.6.1, “Installing and Uninstalling Plugins”.
To be usable by the server, the plugin library file must be located in the MySQL plugin directory (the directory named by the plugin_dir system variable). If necessary, configure the plugin directory location by setting the value of plugin_dir at server startup.
The plugin library file base name is authentication_pam. The file name suffix differs per platform (for example, .so for Unix and Unix-like systems, .dll for Windows).
To load the plugin at server startup, use the --plugin-load-add option to name the library file that contains it. With this plugin-loading method, the option must be given each time the server starts. For example, put these lines in the server my.cnf file, adjusting the .so suffix for your platform as necessary:
[mysqld]
plugin-load-add=authentication_pam.so
After modifying my.cnf, restart the server to cause the new settings to take effect.
Alternatively, to load the plugin at runtime, use this statement, adjusting the .so suffix for your platform as necessary:
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';
INSTALL PLUGIN loads the plugin immediately, and also registers it in the mysql.plugins system table to cause the server to load it for each subsequent normal startup without the need for --plugin-load-add.
To verify plugin installation, examine the INFORMATION_SCHEMA.PLUGINS table or use the SHOW PLUGINS statement (see Section 5.6.2, “Obtaining Server Plugin Information”). For example:
mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
       FROM INFORMATION_SCHEMA.PLUGINS
       WHERE PLUGIN_NAME LIKE '%pam%';
+--------------------+---------------+
| PLUGIN_NAME        | PLUGIN_STATUS |
+--------------------+---------------+
| authentication_pam | ACTIVE        |
+--------------------+---------------+
If the plugin fails to initialize, check the server error log for diagnostic messages.
To associate MySQL accounts with the PAM plugin, see Using PAM Pluggable Authentication.
The method used to uninstall the PAM authentication plugin depends on how you installed it:
If you installed the plugin at server startup using a --plugin-load-add option, restart the server without the option.
If you installed the plugin at runtime using an INSTALL PLUGIN statement, it remains installed across server restarts. To uninstall it, use UNINSTALL PLUGIN:
UNINSTALL PLUGIN authentication_pam;
This section describes in general terms how to use the PAM authentication plugin to connect from MySQL client programs to the server. The following sections provide instructions for using PAM authentication in specific ways. It is assumed that the server is running with the server-side PAM plugin enabled, as described in Installing PAM Pluggable Authentication.
To refer to the PAM authentication plugin in the IDENTIFIED WITH clause of a CREATE USER statement, use the name authentication_pam. For example:
CREATE USER user
  IDENTIFIED WITH authentication_pam
  AS 'auth_string';
The authentication string specifies the following types of information:
The PAM service name (see How PAM Authentication of MySQL Users Works). Examples in the following discussion use a service name of mysql-unix for authentication using traditional Unix passwords, and mysql-ldap for authentication using LDAP.
For proxy support, PAM provides a way for a PAM module to return to the server a MySQL user name other than the external user name passed by the client program when it connects to the server. Use the authentication string to control the mapping from external user names to MySQL user names. If you want to take advantage of proxy user capabilities, the authentication string must include this kind of mapping.
For example, if an account uses the mysql-unix PAM service name and should map operating system users in the root and users PAM groups to the developer and data_entry MySQL users, respectively, use a statement like this:
CREATE USER user
IDENTIFIED WITH authentication_pam
AS 'mysql-unix, root=developer, users=data_entry';
Authentication string syntax for the PAM authentication plugin follows these rules:
The string consists of a PAM service name, optionally followed by a PAM group mapping list consisting of one or more keyword/value pairs each specifying a PAM group name and a MySQL user name:
pam_service_name[,pam_group_name=mysql_user_name]...
The plugin parses the authentication string for each connection attempt that uses the account. To minimize overhead, keep the string as short as possible.
Each pam_group_name=mysql_user_name pair must be preceded by a comma.
Leading and trailing spaces not inside double quotation marks are ignored.
Unquoted pam_service_name, pam_group_name, and mysql_user_name values can contain anything except equal sign, comma, or space.
If a pam_service_name, pam_group_name, or mysql_user_name value is quoted with double quotation marks, everything between the quotation marks is part of the value. This is necessary, for example, if the value contains space characters. All characters are legal except double quotation mark and backslash (\). To include either character, escape it with a backslash.
If the plugin successfully authenticates the external user name (the name passed by the client), it looks for a PAM group mapping list in the authentication string and, if present, uses it to return a different MySQL user name to the MySQL server based on which PAM groups the external user is a member of:
If the authentication string contains no PAM group mapping list, the plugin returns the external name.
If the authentication string does contain a PAM group mapping list, the plugin examines each pam_group_name=mysql_user_name pair in the list from left to right and tries to find a match for the pam_group_name value in a non-MySQL directory of the groups assigned to the authenticated user and returns mysql_user_name for the first match it finds. If the plugin finds no match for any PAM group, it returns the external name. If the plugin is not capable of looking up a group in a directory, it ignores the PAM group mapping list and returns the external name.
The following sections describe how to set up several authentication scenarios that use the PAM authentication plugin:
No proxy users. This uses PAM only to check login names and passwords. Every external user permitted to connect to MySQL Server should have a matching MySQL account that is defined to use PAM authentication. (For a MySQL account of 'user_name'@'host_name' to match the external user, user_name must be the external user name and host_name must match the host from which the client connects.) Authentication can be performed by various PAM-supported methods. Later discussion shows how to authenticate client credentials using traditional Unix passwords, and passwords in LDAP.
PAM authentication, when not done through proxy users or PAM groups, requires the MySQL user name to be the same as the operating system user name. MySQL user names are limited to 32 characters (see Section 6.2.3, “Grant Tables”), which limits PAM nonproxy authentication to Unix accounts with names of at most 32 characters.
Proxy users only, with PAM group mapping. For this scenario, create one or more MySQL accounts that define different sets of privileges. (Ideally, nobody should connect using those accounts directly.) Then define a default user authenticating through PAM that uses some mapping scheme (usually based on the external PAM groups the users are members of) to map all the external user names to the few MySQL accounts holding the privilege sets. Any client who connects and specifies an external user name as the client user name is mapped to one of the MySQL accounts and uses its privileges. The discussion shows how to set this up using traditional Unix passwords, but other PAM methods such as LDAP could be used instead.
Variations on these scenarios are possible:
You can permit some users to log in directly (without proxying) but require others to connect through proxy accounts.
You can use one PAM authentication method for some users, and another method for other users, by using differing PAM service names among your PAM-authenticated accounts. For example, you can use the mysql-unix PAM service for some users, and mysql-ldap for others.
The examples make the following assumptions. You might need to make some adjustments if your system is set up differently.
The login name and password are antonio and antonio_password, respectively. Change these to correspond to the user you want to authenticate.
The PAM configuration directory is /etc/pam.d.
The PAM service name corresponds to the authentication method (mysql-unix or mysql-ldap in this discussion). To use a given PAM service, you must set up a PAM file with the same name in the PAM configuration directory (creating the file if it does not exist). In addition, you must name the PAM service in the authentication string of the CREATE USER statement for any account that authenticates using that PAM service.
The PAM authentication plugin checks at initialization time whether the AUTHENTICATION_PAM_LOG environment value is set in the server's startup environment. If so, the plugin enables logging of diagnostic messages to the standard output. Depending on how your server is started, the message might appear on the console or in the error log. These messages can be helpful for debugging PAM-related issues that occur when the plugin performs authentication. For more information, see PAM Authentication Debugging.
This authentication scenario uses PAM to check external users defined in terms of operating system user names and Unix passwords, without proxying. Every such external user permitted to connect to MySQL Server should have a matching MySQL account that is defined to use PAM authentication through the traditional Unix password store.
Traditional Unix passwords are checked using the /etc/shadow file. For information regarding possible issues related to this file, see PAM Authentication Access to Unix Password Store.
Verify that Unix authentication permits logins to the operating system with the user name antonio and password antonio_password.
Set up PAM to authenticate MySQL connections using traditional Unix passwords by creating a mysql-unix PAM service file named /etc/pam.d/mysql-unix. The file contents are system dependent, so check existing login-related files in the /etc/pam.d directory to see what they look like. On Linux, the mysql-unix file might look like this:
#%PAM-1.0
auth include password-auth
account include password-auth
For macOS, use login rather than password-auth.
The PAM file format might differ on some systems. For example, on Ubuntu and other Debian-based systems, use these file contents instead:
@include common-auth
@include common-account
@include common-session-noninteractive
Create a MySQL account with the same user name as the operating system user name and define it to authenticate using the PAM plugin and the mysql-unix PAM service:
CREATE USER 'antonio'@'localhost'
  IDENTIFIED WITH authentication_pam
  AS 'mysql-unix';
GRANT ALL PRIVILEGES ON mydb.* TO 'antonio'@'localhost';
Here, the authentication string contains only the PAM service name, mysql-unix, which authenticates Unix passwords.
Use the mysql command-line client to connect to the MySQL server as antonio. For example:
shell> mysql --user=antonio --password --enable-cleartext-plugin
Enter password: antonio_password
The server should permit the connection and the following query returns output as shown:
mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
+-------------------+-------------------+--------------+
| USER()            | CURRENT_USER()    | @@proxy_user |
+-------------------+-------------------+--------------+
| antonio@localhost | antonio@localhost | NULL         |
+-------------------+-------------------+--------------+
This demonstrates that the antonio operating system user is authenticated to have the privileges granted to the antonio MySQL user, and that no proxying has occurred.
The client-side mysql_clear_password authentication plugin leaves the password untouched, so client programs send it to the MySQL server as cleartext. This enables the password to be passed as is to PAM. A cleartext password is necessary to use the server-side PAM library, but may be a security problem in some configurations. These measures minimize the risk:
To make inadvertent use of the mysql_clear_password plugin less likely, MySQL clients must explicitly enable it (for example, with the --enable-cleartext-plugin option). See Section 6.4.1.4, “Client-Side Cleartext Pluggable Authentication”.
To avoid password exposure with the mysql_clear_password plugin enabled, MySQL clients should connect to the MySQL server using an encrypted connection. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
This authentication scenario uses PAM to check external users defined in terms of operating system user names and LDAP passwords, without proxying. Every such external user permitted to connect to MySQL Server should have a matching MySQL account that is defined to use PAM authentication through LDAP.
To use PAM LDAP pluggable authentication for MySQL, these prerequisites must be satisfied:
An LDAP server must be available for the PAM LDAP service to communicate with.
LDAP users to be authenticated by MySQL must be present in the directory managed by the LDAP server.
Another way to use LDAP for MySQL user authentication is to use the LDAP-specific authentication plugins. See Section 6.4.1.7, “LDAP Pluggable Authentication”.
Configure MySQL for PAM LDAP authentication as follows:
Verify that Unix authentication permits logins to the operating system with the user name antonio and password antonio_password.
Set up PAM to authenticate MySQL connections using LDAP by creating a mysql-ldap PAM service file named /etc/pam.d/mysql-ldap. The file contents are system dependent, so check existing login-related files in the /etc/pam.d directory to see what they look like. On Linux, the mysql-ldap file might look like this:
#%PAM-1.0
auth required pam_ldap.so
account required pam_ldap.so
If PAM object files have a suffix different from .so on your system, substitute the correct suffix.
The PAM file format might differ on some systems.
Create a MySQL account with the same user name as the operating system user name and define it to authenticate using the PAM plugin and the mysql-ldap PAM service:
CREATE USER 'antonio'@'localhost'
  IDENTIFIED WITH authentication_pam
  AS 'mysql-ldap';
GRANT ALL PRIVILEGES ON mydb.* TO 'antonio'@'localhost';
Here, the authentication string contains only the PAM service name, mysql-ldap, which authenticates using LDAP.
Connecting to the server is the same as described in PAM Unix Password Authentication without Proxy Users.
The authentication scheme described here uses proxying and PAM group mapping to map connecting MySQL users who authenticate using PAM onto other MySQL accounts that define different sets of privileges. 这里描述的身份验证方案使用代理和PAM组映射将使用PAM进行身份验证的MySQL连接用户映射到定义不同权限集的其他MySQL帐户上。Users do not connect directly through the accounts that define the privileges. Instead, they connect through a default proxy account authenticated using PAM, such that all the external users are mapped to the MySQL accounts that hold the privileges. 用户不直接通过定义权限的帐户进行连接。相反,它们通过使用PAM进行身份验证的默认代理帐户进行连接,这样所有外部用户都会映射到拥有特权的MySQL帐户。Any user who connects using the proxy account is mapped to one of those MySQL accounts, the privileges for which determine the database operations permitted to the external user.使用代理帐户连接的任何用户都会映射到其中一个MySQL帐户,其权限决定了允许外部用户进行的数据库操作。
The procedure shown here uses Unix password authentication. To use LDAP instead, see the early steps of PAM LDAP Authentication without Proxy Users.此处显示的过程使用Unix密码身份验证。要改用LDAP,请参阅无代理用户的PAM LDAP身份验证的早期步骤。
Traditional Unix passwords are checked using the 使用/etc/shadow
file. /etc/shadow
文件检查传统的Unix密码。For information regarding possible issues related to this file, see PAM Authentication Access to Unix Password Store.有关此文件可能存在的问题的信息,请参阅PAM身份验证访问Unix密码存储。
Verify that Unix authentication permits logins to the operating system with the user name 验证Unix身份验证是否允许使用用户名antonio
and password antonio_password
.antonio
和密码antonio_password
登录操作系统。
Verify that 验证antonio
is a member of the root
or users
PAM group.antonio
是否是root
或用户PAM组的成员。
Set up PAM to authenticate the 通过创建名为mysql-unix
PAM service through operating system users by creating a file named /etc/pam.d/mysql-unix
. /etc/pamd/mysql-unix
的文件,设置PAM以通过操作系统用户对mysql-unix
PAM服务进行身份验证。The file contents are system dependent, so check existing login-related files in the 文件内容取决于系统,因此请检查/etc/pam.d
directory to see what they look like. /etc/pam.d
目录中现有的与登录相关的文件,看看它们是什么样子的。On Linux, the 在Linux上,mysql-unix
file might look like this:mysql-unix
文件可能看起来像这样:
#%PAM-1.0 auth include password-auth account include password-auth
For macOS, use 对于macOS,请使用login
rather than password-auth
.login
而不是password-auth
。
The PAM file format might differ on some systems. For example, on Ubuntu and other Debian-based systems, use these file contents instead:PAM文件格式在某些系统上可能不同。例如,在Ubuntu和其他基于Debian的系统上,请使用以下文件内容:
@include common-auth @include common-account @include common-session-noninteractive
Create a default proxy user (创建一个默认代理用户(''@''
) that maps external PAM users to the proxied accounts:''@''
),将外部PAM用户映射到代理帐户:
CREATE USER ''@'' IDENTIFIED WITH authentication_pam AS 'mysql-unix, root=developer, users=data_entry';
Here, the authentication string contains the PAM service name, 在这里,身份验证字符串包含PAM服务名称mysql-unix
, which authenticates Unix passwords. mysql-unix
,用于验证unix密码。The authentication string also maps external users in the 身份验证字符串还将root
and users
PAM groups to the developer
and data_entry
MySQL user names, respectively.root
和用户PAM组中的外部用户分别映射到developer
和data_entry
MySQL用户名。
The PAM group mapping list following the PAM service name is required when you set up proxy users. Otherwise, the plugin cannot tell how to perform mapping from external user names to the proper proxied MySQL user names.设置代理用户时,需要PAM服务名称后面的PAM组映射列表。否则,插件无法告诉如何执行从外部用户名到正确代理的MySQL用户名的映射。
If your MySQL installation has anonymous users, they might conflict with the default proxy user. 如果你的MySQL安装有匿名用户,他们可能会与默认代理用户冲突。For more information about this issue, and ways of dealing with it, see Default Proxy User and Anonymous User Conflicts.有关此问题的更多信息以及处理方法,请参阅默认代理用户和匿名用户冲突。
Create the proxied accounts and grant to each one the privileges it should have:创建代理帐户并授予每个帐户应有的权限:
CREATE USER 'developer'@'localhost' IDENTIFIED WITH mysql_no_login; CREATE USER 'data_entry'@'localhost' IDENTIFIED WITH mysql_no_login; GRANT ALL PRIVILEGES ON mydevdb.* TO 'developer'@'localhost'; GRANT ALL PRIVILEGES ON mydb.* TO 'data_entry'@'localhost';
The proxied accounts use the mysql_no_login authentication plugin to prevent clients from using the accounts to log in directly to the MySQL server. Instead, users who authenticate using PAM are expected to use the developer or data_entry account by proxy based on their PAM group. (This assumes that the plugin is installed. For instructions, see Section 6.4.1.8, “No-Login Pluggable Authentication”.) For alternative methods of protecting proxied accounts against direct use, see Preventing Direct Login to Proxied Accounts.
Grant to the proxy account the PROXY privilege for each proxied account:
GRANT PROXY ON 'developer'@'localhost' TO ''@'';
GRANT PROXY ON 'data_entry'@'localhost' TO ''@'';
Use the mysql command-line client to connect to the MySQL server as antonio.
shell> mysql --user=antonio --password --enable-cleartext-plugin
Enter password: antonio_password
The server authenticates the connection using the default ''@'' proxy account. The resulting privileges for antonio depend on which PAM groups antonio is a member of. If antonio is a member of the root PAM group, the PAM plugin maps root to the developer MySQL user name and returns that name to the server. The server verifies that ''@'' has the PROXY privilege for developer and permits the connection. The following query returns output as shown:
mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
+-------------------+---------------------+--------------+
| USER()            | CURRENT_USER()      | @@proxy_user |
+-------------------+---------------------+--------------+
| antonio@localhost | developer@localhost | ''@''        |
+-------------------+---------------------+--------------+
This demonstrates that the antonio operating system user is authenticated to have the privileges granted to the developer MySQL user, and that proxying occurs through the default proxy account.
If antonio is not a member of the root PAM group but is a member of the users PAM group, a similar process occurs, but the plugin maps users PAM group membership to the data_entry MySQL user name and returns that name to the server:
mysql> SELECT USER(), CURRENT_USER(), @@proxy_user;
+-------------------+----------------------+--------------+
| USER()            | CURRENT_USER()       | @@proxy_user |
+-------------------+----------------------+--------------+
| antonio@localhost | data_entry@localhost | ''@''        |
+-------------------+----------------------+--------------+
This demonstrates that the antonio operating system user is authenticated to have the privileges of the data_entry MySQL user, and that proxying occurs through the default proxy account.
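To predict which MySQL account an operating system user will be proxied to under a given authentication string, the following added shell example (not code from the MySQL manual or from the plugin itself) reproduces the group mapping locally. It assumes that the plugin takes the first mapping, in list order, whose PAM group the user belongs to, returns the external user name unchanged when no group matches, and that group and user names contain no spaces.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: predict the proxied MySQL user.
# Assumption: the plugin walks the mapping list in order and returns the
# MySQL user of the first PAM group the external user belongs to; with no
# match, the external user name itself is returned.

# pam_mapped_user AUTH_STRING EXTERNAL_USER GROUP...
# Prints the MySQL user name the plugin would return for EXTERNAL_USER,
# whose PAM groups are the remaining arguments.
pam_mapped_user() {
    auth_string=$1; ext_user=$2; shift 2
    user_groups=" $* "                   # padded for whole-word matching
    case "$auth_string" in
        *,*) mapping_list=${auth_string#*,} ;;   # drop the service name
        *)   mapping_list="" ;;                   # service name only
    esac
    # Each pair is group_name=mysql_user_name; commas and blanks separate them.
    for pair in $(printf '%s' "$mapping_list" | tr ',' ' '); do
        group=${pair%%=*}; mysql_user=${pair#*=}
        case "$user_groups" in
            *" $group "*) printf '%s\n' "$mysql_user"; return 0 ;;
        esac
    done
    printf '%s\n' "$ext_user"
}

# pam_mapped_user_for OS_USER AUTH_STRING
# Same, but reads OS_USER's real group list from id(1).
pam_mapped_user_for() {
    pam_mapped_user "$2" "$1" $(id -Gn "$1")
}

# Usage: sh predict.sh antonio ['service, group=user, ...']
# The default string is the constructed sample from the example above.
if [ $# -gt 0 ]; then
    pam_mapped_user_for "$1" "${2:-mysql-unix, root=developer, users=data_entry}"
fi
```

Because the groups are checked in list order, a user who is in both root and users is mapped to developer, which is the order-dependence to keep in mind when writing the mapping list.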
The client-side mysql_clear_password authentication plugin leaves the password untouched, so client programs send it to the MySQL server as cleartext. This enables the password to be passed as is to PAM. A cleartext password is necessary to use the server-side PAM library, but may be a security problem in some configurations. These measures minimize the risk:
To make inadvertent use of the mysql_clear_password plugin less likely, MySQL clients must explicitly enable it (for example, with the --enable-cleartext-plugin option). See Section 6.4.1.4, “Client-Side Cleartext Pluggable Authentication”.
To avoid password exposure with the mysql_clear_password plugin enabled, MySQL clients should connect to the MySQL server using an encrypted connection. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
On some systems, Unix authentication uses a password store such as /etc/shadow, a file that typically has restricted access permissions. This can cause MySQL PAM-based authentication to fail. Unfortunately, the PAM implementation does not permit distinguishing “password could not be checked” (due, for example, to inability to read /etc/shadow) from “password does not match.” If you are using a Unix password store for PAM authentication, you may be able to enable access to it from MySQL using one of the following methods:
Assuming that the MySQL server is run from the mysql operating system account, put that account in the shadow group that has /etc/shadow access:
Create a shadow group in /etc/group.
Add the mysql operating system user to the shadow group in /etc/group.
Assign /etc/shadow to the shadow group and enable the group read permission:
chgrp shadow /etc/shadow
chmod g+r /etc/shadow
Restart the MySQL server.
If you are using the pam_unix module and the unix_chkpwd utility, enable password store access as follows:
chmod u-s /usr/sbin/unix_chkpwd
setcap cap_dac_read_search+ep /usr/sbin/unix_chkpwd
Adjust the path to unix_chkpwd as necessary for your platform.
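Before restarting the server, the following added shell example (not from the MySQL manual) checks whether either of the two methods above is actually in place, so that a PAM failure is not misread as a wrong password. It assumes the server runs as the mysql OS user, the store is /etc/shadow, the group is shadow and the helper is /usr/sbin/unix_chkpwd (all overridable by argument), and it needs getcap(8) to verify the second method.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: verify the password-store access
# that the two methods above set up. Assumed defaults (override by argument):
# OS user "mysql", store /etc/shadow, group "shadow", /usr/sbin/unix_chkpwd.

# group_readable FILE GROUP: 0 if FILE is owned by GROUP and group-readable.
group_readable() {
    file=$1; group=$2
    [ -e "$file" ] || return 1
    set -- $(ls -ld "$file")            # $1 = mode string, $4 = owning group
    [ "$4" = "$group" ] || return 1
    case "$1" in
        ????r*) return 0 ;;             # 5th character is the group read bit
        *)      return 1 ;;
    esac
}

# user_in_group USER GROUP: 0 if id(1) lists GROUP among USER's groups.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# unix_chkpwd_ok HELPER: 0 if the helper is no longer setuid but carries
# cap_dac_read_search, i.e. the setcap method above was applied.
unix_chkpwd_ok() {
    helper=$1
    [ -x "$helper" ] || return 1
    if [ -u "$helper" ]; then return 1; fi            # setuid bit still set
    getcap "$helper" 2>/dev/null | grep -q cap_dac_read_search
}

# check_shadow_access [USER] [FILE] [GROUP] [HELPER]: 0 if either method works.
check_shadow_access() {
    user=${1:-mysql}; store=${2:-/etc/shadow}
    group=${3:-shadow}; helper=${4:-/usr/sbin/unix_chkpwd}
    if user_in_group "$user" "$group" && group_readable "$store" "$group"; then
        echo "ok: $user reads $store through group $group"; return 0
    fi
    if unix_chkpwd_ok "$helper"; then
        echo "ok: $helper has cap_dac_read_search and is not setuid"; return 0
    fi
    echo "not ok: neither the $group group nor the $helper method is in place" >&2
    return 1
}

# Usage: sh shadow_check.sh [user] [store] [group] [helper]
if [ $# -gt 0 ]; then check_shadow_access "$@"; fi
```

Run it as root or as the mysql user (group membership changes only take effect for processes started after the change, which is why the manual has you restart the server).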
The PAM authentication plugin checks at initialization time whether the AUTHENTICATION_PAM_LOG environment value is set (the value does not matter). If so, the plugin enables logging of diagnostic messages to the standard output. These messages may be helpful for debugging PAM-related issues that occur when the plugin performs authentication.
Some messages include reference to PAM plugin source files and line numbers, which enables plugin actions to be tied more closely to the location in the code where they occur.
Another technique for debugging connection failures and determining what is happening during connection attempts is to configure PAM authentication to permit all connections, then check the system log files. This technique should be used only on a temporary basis, and not on a production server.
Configure a PAM service file named /etc/pam.d/mysql-any-password with these contents (the format may differ on some systems):
#%PAM-1.0
auth required pam_permit.so
account required pam_permit.so
Create an account that uses the PAM plugin and names the mysql-any-password PAM service:
CREATE USER 'testuser'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql-any-password';
The mysql-any-password service file causes any authentication attempt to return true, even for incorrect passwords. If an authentication attempt fails, that tells you the configuration problem is on the MySQL side. Otherwise, the problem is on the operating system/PAM side. To see what might be happening, check system log files such as /var/log/secure, /var/log/audit.log, /var/log/syslog, or /var/log/messages.
After determining what the problem is, remove the mysql-any-password PAM service file to disable any-password access.
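As a follow-up check, the following added shell example (not from the MySQL manual) lists the service files under a PAM directory whose auth stack is handled by pam_permit.so, so that a mysql-any-password file left behind after debugging is noticed. It assumes the usual one-directive-per-line pam.d layout of type, control and module.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: find PAM services that accept any
# password, such as a mysql-any-password file left over from debugging.
# Assumption: one directive per line in the usual "type control module" layout.

# permissive_pam_services [DIR]
# Prints the name of every service file in DIR (default /etc/pam.d) that has
# an "auth" line handled by pam_permit.so, one name per line.
permissive_pam_services() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Match "auth <control> pam_permit.so", where control is a keyword such
        # as "required" or a bracketed [...] action list.
        if grep -Eiq '^[[:space:]]*auth[[:space:]]+([^[:space:]]+|\[[^]]*\])[[:space:]]+pam_permit\.so' "$f"; then
            basename "$f"
        fi
    done
}

# Usage: sh pam_permit_check.sh [/etc/pam.d]
if [ $# -gt 0 ]; then permissive_pam_services "$1"; fi
```

An empty result means no service in that directory lets pam_permit.so satisfy the auth phase; any name printed, including mysql-any-password, deserves a look before the server goes back into service.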