Friday, January 14, 2011

How do I tie OSX SSH User authentication to a custom 'users' mysql database?

We have a client intranet with client user credentials stored in a mysql database.

We are now trying to enable SSH access to one of our servers for each client - where the authentication would come from our existing database.

Any help would be awesome.

  • It sure looks like OS X uses PAM. In that case you should be able to use the PAM-MySQL to perform any type of auth you want. Out of the box OS X uses a pretty straightforward PAM config for sshd:

    $ cat /etc/pam.d/sshd
    # sshd: auth account password session
    auth       required       pam_nologin.so
    auth       optional       pam_afpmount.so
    auth       sufficient     pam_securityserver.so
    auth       sufficient     pam_unix.so
    auth       required       pam_deny.so
    account    required       pam_securityserver.so
    password   required       pam_deny.so
    session    required       pam_launchd.so
    session    optional       pam_afpmount.so
    

    I haven't set up PAM-MySQL before, but assuming it's similar to other external database PAM modules, there will be a config file that you use to select the db credentials, which tables should be used, etc. Then you would insert auth sufficient pam_mysql.so just before the pam_unix.so line in /etc/pam.d/sshd.

    Theoretically that should be all you need.

    Insyte : I've confirmed that the pam_mysql project I linked to above will build just fine as long as you have the MySQL libraries installed. And it looks like instead of a config file the various options are passed as arguments in the "pam.d/sshd" file. I can't test any further without actually building up a dummy database, but it sure looks promising.
    Insyte : Take a look a the README file included in pam-mysql. I was incorrect about the settings being stored in a config file; they're appended to the pam file like so: "auth sufficient pam_mysql.so user=dbuser passwd=dbpasswd table=users usercolumn=myusers passwdcolumn=mypasswds". There are several other options that can be used as well, all well described in the README file.
    From Insyte
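    The edit Insyte describes, worked through as an added example (this is not code from the answer or from the pam_mysql project): it takes the stock sshd PAM config quoted above, inserts a pam_mysql line immediately before the pam_unix.so entry so the MySQL lookup is tried first and local accounts still work, and checks the resulting order. The option names host, db, user, passwd, table, usercolumn, passwdcolumn and crypt are the ones the pam_mysql README documents; the host, the database name "intranet", the MySQL account "sshpam", the column names and crypt=1 (crypt(3)-style hashes in the README's numbering, 0 = plaintext, 2 = MySQL PASSWORD(), 3 = MD5) are assumptions to be replaced with whatever the intranet schema actually uses. The script works on a scratch copy, never on /etc/pam.d/sshd itself.

```shell
#!/bin/sh
# Added example: insert a pam_mysql auth entry into a copy of /etc/pam.d/sshd
# just before "auth ... pam_unix.so", so MySQL is consulted first and local
# accounts remain a fallback. Option names follow the pam_mysql README; the
# host, db, user, passwd, table and column values are placeholders (assumed).
# crypt=1 selects crypt(3) hashes; use the value matching your password store.

PAM_MYSQL_LINE='auth       sufficient     pam_mysql.so host=127.0.0.1 db=intranet user=sshpam passwd=CHANGEME table=users usercolumn=username passwdcolumn=password_hash crypt=1'

# write_sample_sshd_pam FILE: the stock Mac OS X sshd PAM config quoted in the
# answer, written out so the example runs without touching /etc/pam.d.
write_sample_sshd_pam() {
    cat > "$1" <<'EOF'
# sshd: auth account password session
auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_securityserver.so
password   required       pam_deny.so
session    required       pam_launchd.so
session    optional       pam_afpmount.so
EOF
}

# insert_pam_mysql SRC DST: copy SRC to DST with PAM_MYSQL_LINE inserted before
# the first "auth" entry for pam_unix.so. Returns 1 and writes nothing if SRC
# has no such entry, so an unexpected or hand-edited config is not clobbered.
insert_pam_mysql() {
    src="$1"; dst="$2"
    grep -q '^auth[[:space:]].*pam_unix\.so' "$src" || return 1
    awk -v line="$PAM_MYSQL_LINE" '
        !done && $1 == "auth" && $3 == "pam_unix.so" { print line; done = 1 }
        { print }' "$src" > "$dst"
}

# check_order FILE: succeed only if an "auth ... pam_mysql.so" entry precedes
# the "auth ... pam_unix.so" entry, i.e. the stack is ordered as the answer says.
check_order() {
    awk '$1 == "auth" && $3 == "pam_mysql.so" { m = NR }
         $1 == "auth" && $3 == "pam_unix.so"  { u = NR }
         END { exit (m > 0 && u > 0 && m < u) ? 0 : 1 }' "$1"
}

# Demonstration on a scratch copy; review the output before copying it to /etc/pam.d/sshd.
work=$(mktemp -d)
write_sample_sshd_pam "$work/sshd"
insert_pam_mysql "$work/sshd" "$work/sshd.new"
check_order "$work/sshd.new" && cat "$work/sshd.new"
rm -rf "$work"
```

    Two caveats before putting the result in place. The MySQL password ends up in /etc/pam.d/sshd, which is world-readable by default, so the account named there should be one that can only SELECT from the users table and only from the server's address. And pam_mysql answers only the password question: sshd first resolves the login name with getpwnam(), so each client still needs an account the server's Directory Services can see (a UniqueID, shell and home directory), which is where morgant's dscl provisioning idea complements rather than replaces this approach.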
  • There are probably a couple ways you could do this:

    1. Set up an Open Directory master, bind your server to it (or maybe that server would be the OD Master), and write some hooks for your client intranet that add/remove/update users in OD whenever there is a change
    2. Write a Directory Services plug-in that is installed on your server which would talk to your MySQL database

    For the 1st option, see Apple's Mac OS X Server documentation, esp. those relating to Open Directory. There is a dscl command which can be run from scripts to add/remove/update entries in Open Directory.

    For the Directory Services option, see Apple's Directory Services documentation, esp. the Writing Open Directory Plug-ins document.

    There are probably other ways, but these are the two that jumped to mind.

    morgant : Upvoted the PAM answer as that should be exponentially easier to implement than either of my suggestions.
    From morgant
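    A sketch of the hook morgant's first option calls for, added here as an example (it is not code from the answer): the dscl command sequence an intranet-side hook would run to create a user on the SSH server, with a check that the chosen UniqueID is not already taken. The functions emit the commands rather than running them, so the sequence can be reviewed on any machine; apply_user pipes them to sh and is only meaningful as root on the Mac OS X server. The node "." (the local Directory Services node), the PrimaryGroupID of 20 (staff), /bin/bash as the shell and the uid range starting at 501 are assumptions; an Open Directory master would be addressed through its own LDAPv3 node instead.

```shell
#!/bin/sh
# Added example: generate the dscl commands that provision a local Directory
# Services account on the SSH server, as an intranet hook would. DS_NODE "."
# is the local node; PrimaryGroupID 20, /bin/bash and the 501+ uid range are
# assumed defaults, not anything the answer specifies.

DS_NODE="${DS_NODE:-.}"

# next_free_uid MIN EXISTING_UIDS...: smallest uid >= MIN not in the list.
# In production feed it the live list, e.g.:
#   dscl . -list /Users UniqueID | awk '{ print $2 }'
next_free_uid() {
    min="$1"; shift
    uid="$min"
    while :; do
        taken=0
        for u in "$@"; do
            [ "$u" -eq "$uid" ] && { taken=1; break; }
        done
        [ "$taken" -eq 0 ] && { echo "$uid"; return 0; }
        uid=$((uid + 1))
    done
}

# user_cmds NAME UID: emit the dscl commands that create NAME with UID.
# Rejects names outside [a-z0-9_-] so intranet data cannot smuggle shell
# syntax into the generated commands.
user_cmds() {
    name="$1"; uid="$2"
    case "$name" in
        *[!a-z0-9_-]*|"") echo "user_cmds: bad username: $name" >&2; return 1 ;;
    esac
    cat <<EOF
dscl $DS_NODE -create /Users/$name
dscl $DS_NODE -create /Users/$name UserShell /bin/bash
dscl $DS_NODE -create /Users/$name RealName "$name"
dscl $DS_NODE -create /Users/$name UniqueID $uid
dscl $DS_NODE -create /Users/$name PrimaryGroupID 20
dscl $DS_NODE -create /Users/$name NFSHomeDirectory /Users/$name
EOF
}

# apply_user NAME UID: run the sequence, stopping at the first failure.
# Only works as root on the server; never called here.
apply_user() {
    user_cmds "$1" "$2" | sh -e
}

# Demonstration: emit the commands for a sample user, with constructed existing uids.
user_cmds alice "$(next_free_uid 501 501 502 504)"
```

    Setting the password with `dscl . -passwd /Users/NAME PASSWORD` is the remaining step for a pure Open Directory setup, and it puts the password on a command line visible in `ps`, so run it from a local root process rather than over a remote hook; with the PAM route from the other answer the OD password is not needed at all, since the MySQL table remains the authority.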
