When you have many servers to manage, it is useful to have a central server for user authentication and accounting. libpam-mysql and libnss-mysql-bg let you keep account data in a MySQL database and make it available to NSS lookups and PAM-aware services on every host.
On the other hand, it is good to have a web interface for managing all these records. I decided to use the excellent Admin application from the Django framework for this purpose.
Here are the simple steps:
$ django-admin startproject webadmin
$ cd webadmin
$ ./manage.py startapp pam
After this, customize your settings.py (database connection, and add the pam app to INSTALLED_APPS) and add a models.py to the pam/ folder describing the pam_user, pam_group and pam_user_groups tables that the NSS queries below expect.
To keep the MySQL-backed uids/gids from overlapping with local accounts (Debian/Ubuntu allocate system users below 1000 and normal users from 1000 upward), start the MySQL counters for uid and gid at a value above the local range, e.g. 2000 (ALTER TABLE pam_user AUTO_INCREMENT = 2000, and likewise for pam_group, if uid/gid are the auto-increment columns).
# apt-get install libnss-mysql-bg libpam-mysql
After this, make your config files look similar to this:
# /etc/libnss-mysql.cfg
getpwnam SELECT username,'x',uid,gid,gecos,homedir,shell \
FROM pam_user \
WHERE username='%1$s' AND is_active=1 \
LIMIT 1
getpwuid SELECT username,'x',uid,gid,gecos,homedir,shell \
FROM pam_user \
WHERE uid='%1$u' \
LIMIT 1
getspnam SELECT username,password,lstchg,min,max,warn,inact,expire,flag \
FROM pam_user \
WHERE username='%1$s' \
LIMIT 1
getpwent SELECT username,'x',uid,gid,gecos,homedir,shell \
FROM pam_user
getspent SELECT username,password,lstchg,min,max,warn,inact,expire,flag \
FROM pam_user
getgrnam SELECT name,password,gid \
FROM pam_group \
WHERE name='%1$s' \
LIMIT 1
getgrgid SELECT name,password,gid \
FROM pam_group \
WHERE gid='%1$u' \
LIMIT 1
getgrent SELECT name,password,gid \
FROM pam_group
memsbygid SELECT pam_user.username \
FROM pam_user,pam_user_groups \
WHERE pam_user_groups.group_id='%1$u' AND pam_user.uid=pam_user_groups.user_id
gidsbymem SELECT pam_user_groups.group_id \
FROM pam_user,pam_user_groups \
WHERE pam_user.username='%1$s' AND pam_user.uid=pam_user_groups.user_id
host 192.168.1.1
database webadmin
username webadmin
password secret
timeout 3
compress 0
# /etc/libnss-mysql-root.cfg
username nss-root
password s3cr3t
After this, add some data to the database through the Django admin interface and tweak the NSS and PAM configuration. On Debian/Ubuntu this looks like the following:
# /etc/nsswitch.conf
passwd: compat mysql
group:  compat mysql
shadow: compat mysql
[...]

# /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so
auth required pam_mysql.so user=webadmin passwd=secret host=192.168.1.1 db=webadmin table=pam_user usercolumn=pam_user.username passwdcolumn=pam_user.password crypt=1 [where=pam_user.is_active="1"]
auth required pam_permit.so

# /etc/pam.d/common-account
account [success=1 default=ignore] pam_unix.so
account required pam_mysql.so user=webadmin passwd=secret host=192.168.1.1 db=webadmin table=pam_user usercolumn=pam_user.username passwdcolumn=pam_user.password crypt=1 [where=pam_user.is_active="1"]
account required pam_permit.so

# /etc/pam.d/common-password
password sufficient pam_mysql.so user=webadmin passwd=secret host=192.168.1.1 db=webadmin table=pam_user usercolumn=pam_user.username passwdcolumn=pam_user.password crypt=1 [where=pam_user.is_active="1"]
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

# /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
That's all! Now things like id <some_mysql_user> and getent passwd <some_mysql_user> should work. Two things to keep in mind: /etc/libnss-mysql.cfg and the files under /etc/pam.d are world-readable, so the webadmin database password in them is visible to every local user; give that account SELECT-only rights on the pam_* tables and keep /etc/libnss-mysql-root.cfg (the nss-root credentials libnss-mysql uses for lookups made by root, including the shadow queries that return the password column) readable by root only. The connection to 192.168.1.1 is also plain TCP, so the password hashes travel in the clear unless the MySQL server is configured for TLS.
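Before appending mysql to nsswitch.conf on a host, it is worth checking the merged view for the problems the uid floor is meant to prevent. The script below is an added example, not code from the original post: it takes the local /etc/passwd and /etc/group contents plus the rows libnss-mysql would return from pam_user and pam_group (formatted as getent passwd and getent group print them) and reports uid/gid collisions between local and MySQL entries, local names that mask a MySQL entry of the same name (compat is consulted before mysql), MySQL ids below the 2000 floor, and users whose primary gid resolves nowhere. The sample entries are constructed for the example and the floor value is an assumption taken from the post.

```python
from dataclasses import dataclass

UID_FLOOR = 2000  # assumption: the floor the post suggests for MySQL uids/gids


@dataclass(frozen=True)
class Entry:
    name: str
    ident: int   # uid for passwd entries, gid for group entries
    gid: int     # primary gid for passwd entries; equal to ident for groups
    source: str  # "local" (files via compat) or "mysql" (libnss-mysql)


def parse_entries(text, source, kind):
    """Parse passwd- or group-style lines (name:pw:id:...) into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, comments and the '+'/'-' directives nsswitch 'compat' uses
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        ident = int(fields[2])
        gid = int(fields[3]) if kind == "passwd" else ident
        entries.append(Entry(fields[0], ident, gid, source))
    return entries


def audit(local_passwd, local_group, db_passwd, db_group, floor=UID_FLOOR):
    """Return a list of (kind, message) findings for the merged NSS view."""
    users = (parse_entries(local_passwd, "local", "passwd")
             + parse_entries(db_passwd, "mysql", "passwd"))
    groups = (parse_entries(local_group, "local", "group")
              + parse_entries(db_group, "mysql", "group"))
    findings = []

    for label, entries in (("uid", users), ("gid", groups)):
        by_id, by_name = {}, {}
        for e in entries:
            by_id.setdefault(e.ident, []).append(e)
            by_name.setdefault(e.name, []).append(e)
        # the same numeric id coming from both sources: files and DB disagree on who it is
        for ident, same in sorted(by_id.items()):
            if len({e.source for e in same}) > 1:
                who = ", ".join(sorted(f"{e.name}({e.source})" for e in same))
                findings.append((f"{label}_collision", f"{label} {ident} shared by {who}"))
        # compat is listed before mysql, so a local name silently wins over the DB row
        for name, same in sorted(by_name.items()):
            if {e.source for e in same} == {"local", "mysql"}:
                findings.append((f"{label}_name_masked",
                                 f"local {name} hides the MySQL entry of the same name"))
        # DB rows that were created below the agreed floor
        for e in entries:
            if e.source == "mysql" and e.ident < floor:
                findings.append((f"{label}_below_floor",
                                 f"MySQL {label} {e.ident} for {e.name} is below {floor}"))

    # a primary gid must resolve through one of the two sources, or logins get odd groups
    known_gids = {g.ident for g in groups}
    for u in users:
        if u.gid not in known_gids:
            findings.append(("primary_gid_unresolved",
                             f"{u.name} ({u.source}) has primary gid {u.gid} with no group"))
    return findings


# Constructed sample input: a local box whose packaged mysql account took uid/gid 2000,
# and a pam_user table that contains one deliberate example of each problem.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:2000:2000:MySQL Server:/nonexistent:/bin/false
+::::::
"""
LOCAL_GROUP = """\
root:x:0:
www-data:x:33:
mysql:x:2000:
+:::
"""
DB_PASSWD = """\
alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:2000:2001:Bob:/home/bob:/bin/bash
www-data:x:2002:2001:Web team:/home/www-data:/bin/bash
carol:x:1500:2001:Carol:/home/carol:/bin/bash
dave:x:2003:9999:Dave:/home/dave:/bin/bash
"""
DB_GROUP = """\
alice:x:2001:
staff:x:2000:
"""


def run_sample():
    return audit(LOCAL_PASSWD, LOCAL_GROUP, DB_PASSWD, DB_GROUP)


if __name__ == "__main__":
    for kind, message in run_sample():
        print(f"{kind:24} {message}")
```

On a real host, feed it the output of getent passwd and getent group taken before mysql is added to nsswitch.conf, and the result of the getpwent/getgrent queries run against the database, so the collisions are found before the first login rather than after it.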
P.S.
I had to do /etc/init.d/sshd reload to make it work for new mysql users.