MySQL RADIUS Authentication with PAM

TL;DR

Yes. mysqld already runs as an unprivileged system user, and the RADIUS PAM module (pam_radius_auth) does not need root: unlike pam_unix it never reads /etc/shadow; it only has to read its own configuration file (RADIUS server address and shared secret) and send UDP to the RADIUS server. What needs care is the PAM service file, the MySQL PAM plugin (shipped with MySQL Enterprise, Percona Server and MariaDB, not with MySQL Community), and keeping the shared secret readable by the mysqld account and nobody else. One caveat up front: with every MySQL PAM plugin the client sends the password to the server in cleartext, so the connection must use TLS. This guide walks through the setup.

Prerequisites

  • A working MySQL installation whose build ships a PAM authentication plugin: MySQL Enterprise Edition (authentication_pam), Percona Server (auth_pam) or MariaDB (pam). MySQL Community Edition does not include one.
  • A configured RADIUS server (e.g., FreeRADIUS)
  • PAM installed on your system
  • Basic understanding of Linux command line

Steps

  1. Install the PAM module for RADIUS

    The module is pam_radius_auth, maintained by the FreeRADIUS project; only the package name varies by distribution.

    sudo apt-get install libpam-radius-auth   (Debian/Ubuntu)
    sudo yum install pam_radius               (CentOS/RHEL, from EPEL)
  2. Configure the PAM module

    pam_radius_auth does not take the server address or the secret as options on the PAM line; it reads them from its own configuration file. On Debian/Ubuntu this is /etc/pam_radius_auth.conf (the path differs on other distributions and can be overridden with the conf= module option). One line per server: address[:port], shared secret, timeout in seconds.

    sudo nano /etc/pam_radius_auth.conf

    Example (adjust values as needed):

    # server[:port]    shared_secret         timeout
    192.168.1.10       your_shared_secret    3

    The file holds the shared secret, so make it readable by root and the account mysqld runs as (standard packages use the mysql user) and by nobody else:

    sudo chown root:mysql /etc/pam_radius_auth.conf
    sudo chmod 0640 /etc/pam_radius_auth.conf

    Then create the PAM service file the database server will use. The MySQL PAM plugin selects it by name; the examples below use mysqld:

    sudo nano /etc/pam.d/mysqld

    auth     required  pam_radius_auth.so
    account  required  pam_permit.so

    The account line matters: the plugin also calls pam_acct_mgmt, and RADIUS provides no account stack, so without it the "other" stack applies and normally denies. Add debug to the auth line only while troubleshooting; it writes to the auth log via syslog.
  3. Run MySQL as a dedicated unprivileged user

    PAM runs inside the mysqld process, so it runs as whatever account mysqld uses, and that account needs read access to the RADIUS configuration file and nothing else. Standard packages already create a mysql system account and start mysqld as it, which is enough. If you prefer a separate account such as mysqlradius, create it as a system user, point mysqld at it with user=mysqlradius in the [mysqld] section, and use that group instead of mysql in the chown above. Never run mysqld as root to work around PAM permission errors.

    sudo adduser --system --group --no-create-home mysqlradius
  4. Configure MySQL to use PAM

    Load the PAM plugin at server start. Edit the server configuration (typically /etc/mysql/my.cnf or a file under /etc/mysql/conf.d/) and add the plugin under the [mysqld] section. Use plugin-load-add rather than plugin-load; the latter replaces any plugin list that is already configured.

    sudo nano /etc/mysql/my.cnf

    Add one of these under [mysqld], depending on the server flavour:

    plugin-load-add = auth_pam.so            # Percona Server and MariaDB
    plugin-load-add = authentication_pam.so  # MySQL Enterprise Edition

    Alternatively install it once at runtime; this is recorded in the mysql.plugin table and survives restarts (Percona Server shown):

    INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';
  5. Configure MySQL authentication method for the user

    Connect to your MySQL server as root or another privileged user.

    mysql -u root -p

    Create (or alter) the account and hand authentication to the PAM plugin. With the PAM plugins the string after AS or USING is not a password: it is the name of the PAM service file from step 2. The MySQL user name is what is sent to RADIUS as User-Name, so it must match the account the RADIUS server knows. Replace 'your_username' and 'localhost' as appropriate.

    CREATE USER 'your_username'@'localhost' IDENTIFIED WITH auth_pam AS 'mysqld';             -- Percona Server
    CREATE USER 'your_username'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysqld';   -- MySQL Enterprise
    CREATE USER 'your_username'@'localhost' IDENTIFIED VIA pam USING 'mysqld';                -- MariaDB
  6. Grant privileges to the user

    Grant only what the account needs. A RADIUS-backed identity is validated by a system outside the database and is frequently the same credential used for VPN or network access, so do not hand it ALL PRIVILEGES ON *.*. Scope the grant to the schema and operations required, for example:

    GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'your_username'@'localhost';
  7. Test the authentication

    Connect as the new user. The PAM plugins cannot use MySQL's hashed challenge-response; the client has to send the cleartext password so the server can pass it to PAM and on to RADIUS. The MySQL and Percona clients therefore need --enable-cleartext-plugin (otherwise they refuse the server's request for a cleartext password and the login fails), and TLS must be required at the same time so the password does not cross the wire in the clear.

    mysql -u your_username -p --enable-cleartext-plugin --ssl-mode=REQUIRED

    (The MariaDB client uses its dialog plugin instead and needs no extra flag; pass --ssl to require TLS.)

    You will be prompted for a password; it is passed through PAM to RADIUS. Check both ends: the auth log on the MySQL host (/var/log/auth.log or journalctl) for pam_radius_auth messages, and the RADIUS server for the Access-Request and its Access-Accept or Access-Reject (with FreeRADIUS, run it in the foreground with freeradius -X while testing). If the RADIUS server shows nothing at all, the MySQL host is usually not listed as a client in clients.conf, or the shared secret differs; FreeRADIUS drops requests from unknown clients silently.

  8. Permissions and Security Considerations
    • The account mysqld runs as (mysql, or mysqlradius if you created one) needs read access to /etc/pam_radius_auth.conf and nothing more; keep the file root-owned and group-readable only (0640).
    • The shared secret is all that protects RADIUS traffic: User-Password is hidden with an MD5-based stream keyed on it, and the rest of the request is unauthenticated. Use a long random secret, register only the MySQL host's address as a client on the RADIUS server, and keep MySQL-to-RADIUS traffic on a trusted segment or inside IPsec or RadSec (RADIUS over TLS).
    • Require TLS on every MySQL connection that uses a PAM account (REQUIRE SSL on the account, or require_secure_transport=ON server-wide), because the client sends the password in cleartext.
    • Regularly review the RADIUS server logs and the MySQL host's auth log for repeated rejects against database accounts.
    • Because RADIUS simply relays whatever the user types as the password, it is a convenient place to add a second factor (OTP or push approval) without changing anything in MySQL.
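When step 7 fails it helps to take PAM and MySQL out of the picture and speak RADIUS directly. The following is an added example, not code from this article, from pam_radius_auth or from any MySQL PAM plugin: a minimal RFC 2865 Access-Request client that hides User-Password with the shared secret exactly as the module does, together with the server-side decode and the Response Authenticator check, so the whole exchange can be exercised offline and the probe can be pointed at a real server. The address 192.168.1.10:1812, the secret and the user name follow the article; the test password "s3cret" and the NAS-Identifier are assumptions.

```python
"""Minimal RFC 2865 RADIUS client plus the server-side checks it relies on.
Added example, not code from the article, pam_radius_auth or any MySQL PAM
plugin. 192.168.1.10:1812, the secret and user name follow the article; the
password "s3cret" and the NAS-Identifier are assumptions."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (server side). Strips the NUL padding, so a
    password that itself ends in NUL bytes is not representable (RFC limitation)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attribute = Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(secret, username, password, identifier, authenticator=None):
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)  # fresh and unpredictable per request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode())),
        (ATTR_NAS_IDENTIFIER, b"mysql-pam-probe"),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def server_check(secret, packet, expected_user, expected_password):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    pw = reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
    ok = attrs.get(ATTR_USER_NAME) == expected_user.encode() and pw == expected_password.encode()
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()

def verify_reply(secret, request, reply):
    """Client side: a reply whose Response Authenticator does not verify was signed
    with a different secret or forged; return the reply code only when it does."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        raise ValueError("identifier mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code

def probe(server, secret, username, password, timeout=3.0):
    """Send one Access-Request over UDP and return the verified reply code."""
    req = build_access_request(secret, username, password, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, server)
        reply, _ = sock.recvfrom(4096)
    return verify_reply(secret, req, reply)

if __name__ == "__main__":
    try:
        code = probe(("192.168.1.10", 1812), b"your_shared_secret", "your_username", "s3cret")
        print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code))
    except socket.timeout:
        print("no reply: server unreachable, or this host is not a registered RADIUS client")
```

Two things this makes visible that the logs do not: a reply the client cannot verify means the server signed it with a different secret than the one in /etc/pam_radius_auth.conf, and a timeout with a reachable server usually means the MySQL host is not in the server's client list, since RADIUS servers discard requests from unknown clients without answering. Also note that the whole protection of the password on the wire is this MD5 XOR stream keyed on the shared secret, which is why the secret must be long and random and the RADIUS traffic confined to a trusted path.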