What other pluggable authentication plugins would you like in MariaDB?
MariaDB has had pluggable authentication since MariaDB 5.2. The most popular authentication plugin that we ship in MariaDB is the PAM authentication plugin. Naturally, we are curious whether users would like more authentication plugins to be made available, so we’ve posted a poll on Facebook. Please feel free to add your vote to the poll so we have a better idea of where to focus our future pluggable authentication development.
As you already have PAM, please do not waste your time implementing any plugins for authentication methods which already are supported with PAM.
PAM doesn’t work on Windows servers.
Seriously need better support for Windows. The “Windows Native Authentication Plugin” for MySQL would be an excellent upgrade. MySQL only offers it on the Enterprise edition, but still.
And the Connector/NET is only in MySQL. Yes, we understand it works with MariaDB, but shouldn’t MariaDB have one of its own by now? Forcing ODBC for native .NET applications just doesn’t cut it.
PAM pretty much covers it all … validation via a MySQL Stored Function would be the only other thing I can think of right now, as it would avoid the need for loading some native code shared library completely.
But can we get out-of-the-box transport encryption of passwords while we’re on it?
PS: can’t vote on the poll, can’t even see it, and no, I won’t create a FB account just for that …
The main problem with PAM – and it’s fundamental and not fixable – it obtains any information it needs by *asking the user*. So it cannot authenticate the user based on the environment (like, a running shell session) or based on some token that a user might have. For example, the USBSN plugin from my “MySQL 5.1 Plugin Development” book – it cannot work with PAM, unless you are prepared to ask your users a lame question like “please enter the serial number of your USB key”.
I mean, it cannot work over the network. If the user and the mysqld server are on the same physical host, PAM might be enough. The pam_usb module does exist.
Again, just another vote for native OTP.
I’ve written an authentication plugin that uses saslauthd on Unix systems like Slackware and OpenBSD, that don’t have PAM: https://github.com/voegelas/mariadb-plugin-saslauthd
unix auth plugin that will allow a mysql user to connect as a given system user and use a different mysql user name
ex : create user “sysadmin” identified with “unix_socket” AS “root”
would allow the root system user to connect as the sysadmin mysql user
ex : create user “officeuser1” identified with “unix_socket” AS “phpmyadmin”
would allow a web application to use its own credentials to login as a different user. In this case I’m thinking a modified phpmyadmin variant running as a dedicated user being delegated the authentication process but still making each user use their own credentials.
—
combination of unix_socket and a password
—
best regards