Letting SSHd authenticate against MySQL

I’m researching the possibility of creating a domain management software with Yii. In particular as a mass-hosting solution for microsites. One goal is to quickly en- or disable certain services such as FTP-access, e-mail, etc. All very well doable via MySQL tables and virtual users. However, one service is turning into a headache: SSH.

Ages ago I used to rely on pam_mysql. But the project seems to be abandoned by the original author(s) (v0.7RC1 has been released back in 2006, patches are still being applied for RHEL and Fedora). saslauthd is no alternative: As far as I can tell, there is no MySQL backend.

Any advice?

I created software in PHP on top of WHM and CPanel API, so we could automate user creation/suspension/deletion, domain registration, and much more. But as I understand you want to create software that would replace WHM and CPanel, and use pure Linux commands.

I see that you have a problem with ssh. But what if you write a PHP script that would generate a bash script which will be executed by cron (probably as root user)? In that case you would use Linux system users (they would be chrooted to their home directory, for security) instead of virtual ones.

Ah, well. I’d like to avoid using system users. Mostly because I’d like to spare me the headache of keeping my database and /etc/shadow in sync. There would be a PAM extension in PECL. But that won’t let me e.g. list users. Furthermore, I would need to let the webserver (or php-process) read and/or write to /etc/passwd and /etc/shadow for this to work properly. Needless to say, that would be an A-as-in-“Arrrrgh!”-level WTF.

For the actual server tweaking: I thought I’d provide a web interface for the configuration pieces. Once all has been configured in the interface, I’d put a change request into the DB, let cron pick that up via a yii command, apply the changes to the config, test that (e.g. by httpd -t), push the changes into version control (I like having /etc in VC for various reasons) and restart the service.

Haven’t used pam_mysql in a long while, but last I checked it was still working in Ubuntu. The Fedora/RHEL buildinfo also indicates patches being applied, so seems like the maintenance work may have shifted from the original (dead) project to the distros. I don’t imagine this needs a huge amount of upkeep to remain current.

Of course there are other alternative, maintained PAM backends such as LDAP, SQLite, and more recently MongoDB, … :)

Apparently: "as of MySQL 5.5.16, commercial distributions of MySQL include a PAM authentication plugin that enables MySQL Server to use PAM to authenticate MySQL users" (dev.mysql.com/doc/refman/5.5/en/pam-authentication-plugin.html)

Thanks for your reply. I am aware of the PAM-backed authentication plugin for MySQL. However, that’s exactly the opposite direction I’d like to go. I aim to keep my users purely virtual. SSH is the only service that is giving me troubles in that regard :lol:
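For the pam_mysql route discussed above, the part the Yii application has to get right is writing password hashes that the PAM module can verify. The following is an added example (not code from the thread or from any of the posters) of the application side: it assumes a hypothetical `ssh_users` table with `username`, `password` and `enabled` columns, pam_mysql running in its crypt(3) mode (`crypt=1`), and placeholder DSN and credentials.

```php
<?php
// Added example: storing virtual SSH users in MySQL with crypt(3) SHA-512
// hashes, so the webserver never needs to touch /etc/passwd or /etc/shadow.
// Assumed (hypothetical) schema: ssh_users(username, password, enabled).
// The matching /etc/pam.d/sshd line would be along the lines of:
//   auth required pam_mysql.so user=pamro passwd=... host=localhost db=hosting
//        table=ssh_users usercolumn=username passwdcolumn=password crypt=1
// Note: PAM only answers "is this password right?"; sshd additionally has to
// resolve the account (uid/home/shell) through NSS, e.g. an NSS MySQL module.
declare(strict_types=1);

/** Create a SHA-512 crypt(3) hash ($6$...) with a random 16-char salt. */
function makeShadowHash(string $password, int $rounds = 100000): string
{
    // crypt(3) salt alphabet is [a-zA-Z0-9./]; 12 random bytes -> 16 base64 chars.
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
    if (strlen($hash) < 13) {           // crypt() returns '*0'/'*1' on failure
        throw new RuntimeException('SHA-512 crypt is not available on this system');
    }
    return $hash;
}

/** Verify a password against a stored crypt(3) hash in constant time. */
function verifyShadowHash(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

/** Insert or update a virtual user; `enabled` is the switch that turns SSH on/off. */
function upsertSshUser(PDO $db, string $user, string $password, bool $enabled): void
{
    // Prepared statement: the username comes from the web interface, never trust it.
    $stmt = $db->prepare(
        'INSERT INTO ssh_users (username, password, enabled) VALUES (:u, :p, :e)
         ON DUPLICATE KEY UPDATE password = VALUES(password), enabled = VALUES(enabled)'
    );
    $stmt->execute([':u' => $user, ':p' => makeShadowHash($password), ':e' => (int)$enabled]);
}

// Usage with constructed values; the DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=hosting', 'app', 'APP_DB_PASSWORD',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
upsertSshUser($db, 'site42', 'correct horse battery staple', true);
$h = makeShadowHash('correct horse battery staple');
var_dump(verifyShadowHash('correct horse battery staple', $h));
var_dump(verifyShadowHash('wrong password', $h));
```

The PAM line should use a read-only database account that can only SELECT from `ssh_users`, so a compromise of the sshd-side credentials cannot be used to rewrite hashes from the database side.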