環境準備
在開始安裝之前,請先完成下列的步驟:
1. 安裝EPEL Repository,安裝步驟請參考這篇文章:
http://jyc-blog.blogspot.tw/2015/07/centos7-epel-repository.html
2. 關閉SELinux
下載套件
[root@jyc-blog ~]# yum groupinstall "Development Tools" -y
[root@jyc-blog ~]# yum install cyrus-sasl openssl mariadb mariadb-devel mariadb-server pam-devel libnss-mysql -y
編譯pam_mysql
pam_mysql的tarball檔可以到它的官方網站下載:
[root@jyc-blog ~]# cd /usr/local/src
[root@jyc-blog src]# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
[root@jyc-blog src]# tar -zxvf pam_mysql-0.7RC1.tar.gz
[root@jyc-blog src]# cd pam_mysql-0.7RC1/
[root@jyc-blog src]# ./configure --with-pam-mods-dir=/usr/lib64/security #指定pam module要存放到哪一個目錄底下
...
...省略...
...
config.status: creating Makefile
config.status: creating pam_mysql.spec
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands
[root@jyc-blog src]# make install
#確認pam_mysql.so安裝成功
[root@jyc-blog src]# ls /usr/lib64/security/pam_mysql.so
/usr/lib64/security/pam_mysql.so
設定mysql
[root@jyc-blog ~]# systemctl start mariadb
[root@jyc-blog ~]# systemctl enable mariadb
[root@jyc-blog ~]# mysql_secure_installation
/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
<ENTER>
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n]
Y
New password:
PASSWORD
Re-enter new password:
PASSWORD
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
設定libnss-mysql
libnss-mysql提供三個設定檔的範例:
complex:
/usr/share/doc/libnss-mysql-1.5/sample/complex/libnss-mysql-root.cfg
/usr/share/doc/libnss-mysql-1.5/sample/complex/libnss-mysql.cfg
/usr/share/doc/libnss-mysql-1.5/sample/complex/sample_database.sql
linux:
/usr/share/doc/libnss-mysql-1.5/sample/linux/libnss-mysql-root.cfg
/usr/share/doc/libnss-mysql-1.5/sample/linux/libnss-mysql.cfg
/usr/share/doc/libnss-mysql-1.5/sample/linux/sample_database.sql
minimal:
/usr/share/doc/libnss-mysql-1.5/sample/minimal/libnss-mysql-root.cfg
/usr/share/doc/libnss-mysql-1.5/sample/minimal/libnss-mysql.cfg
/usr/share/doc/libnss-mysql-1.5/sample/minimal/sample_database.sql
這三種範例之間的差異只有資料庫欄位的多寡,complex的欄位最多,因此可以設定的使用者資訊也最多。
minimal則只有username、password、group、uid和gid這些欄位。
linux的欄位就跟/etc/passwd的欄位設定一樣,此為套件預設值。
# 先複製一份sample sql,有一些地方需要修改
[root@jyc-blog ~]# cp /usr/share/doc/libnss-mysql-1.5/sample/linux/sample_database.sql /root/linux_sample_database.sql
#將TYPE=MyISAM從sample檔刪除,否則在匯入時會出現Syntax Error
[root@jyc-blog ~]# sed -i "s:TYPE=MyISAM::g" linux_sample_database.sql
[root@jyc-blog ~]# vim /root/linux_sample_database.sql
# line 23 設定資料庫名稱 ,如果有變動連下面有資料庫名稱的部份也要跟著修改
create database auth;
use auth;
# line 62 - 67 這部份是建立新使用者的sql範例
INSERT INTO users (username,gecos,homedir,password)
VALUES ('
jychen', '
Jheng-Yu Chen', '
/home/jychen', ENCRYPT('
jychen'));
INSERT INTO groups (name)
VALUES ('
jychen');
INSERT INTO grouplist (gid,username)
VALUES (
5000,'
jychen');
# line 70 - 93 comment out. 這部份新增的資料庫使用者,只能查詢不能寫入,但我希望能透過passwd指令修改使用者的密碼,因此後面的使用者設定都使用root身份
#GRANT USAGE ON *.* TO `nss-root`@`localhost` IDENTIFIED BY 'rootpass';
#GRANT USAGE ON *.* TO `nss-user`@`localhost` IDENTIFIED BY 'userpass';
#
#GRANT Select (`username`, `uid`, `gid`, `gecos`, `homedir`, `shell`, `password`,
# `lstchg`, `min`, `max`, `warn`, `inact`, `expire`, `flag`)
# ON `auth`.`users`
# TO 'nss-root'@'localhost';
#GRANT Select (`name`, `password`, `gid`)
# ON `auth`.`groups`
# TO 'nss-root'@'localhost';
#
#GRANT Select (`username`, `uid`, `gid`, `gecos`, `homedir`, `shell`)
# ON `auth`.`users`
# TO 'nss-user'@'localhost';
#GRANT Select (`name`, `password`, `gid`)
# ON `auth`.`groups`
# TO 'nss-user'@'localhost';
#
#GRANT Select (`username`, `gid`)
# ON `auth`.`grouplist`
# TO 'nss-user'@'localhost';
#GRANT Select (`username`, `gid`)
# ON `auth`.`grouplist`
# TO 'nss-root'@'localhost';
到目前為止,我們已經把資料庫和要匯入的sql檔案給設定好了,接下就把sql檔匯入資料庫 :
[root@jyc-blog ~]# mysql -u root -p
PASSWORD < linux_sample_database.sql
#查看是否有匯入成功
[root@jyc-blog ~]# mysql -u root -p
PASSWORD -e "use auth; select * from users;"
+----------+------+------+---------------+--------------+-----------+---------------+--------+-----+-------+------+-------+--------+------+
| username | uid | gid | gecos | homedir | shell | passwor | lstchg | min | max | warn | inact | expire | flag |
+----------+------+------+---------------+--------------+-----------+---------------+--------+-----+-------+------+-------+--------+------+
| jychen | 5000 | 5000 | Jheng-Yu Chen | /home/jychen | /bin/bash | 9OrIPVOVR0zk. | 1 | 0 | 99999 | 0 | 0 | -1 | 0 |
+----------+------+------+---------------+--------------+-----------+---------------+--------+-----+-------+------+-------+--------+------+
資料庫匯入完成後,再來就要修改libnss-mysql的設定檔,因為預設已經將設定檔放在/etc目錄底下,我們只需要修改這些設定檔就可以了:
[root@jyc-blog ~]# vim /etc/libnss-mysql.cfg
# line 34 - 39 modify
host
localhost
database
auth
username
root
password
PASSWORD
socket
/var/lib/mysql/mysql.sock
port
3306
[root@jyc-blog ~]# vim /etc/libnss-mysql-root.cfg
# line 1 modify
username
root
password
PASSWORD
再來要修改Name Service Switch的設定檔,讓它能夠讀取MySQL的認證資料:
[root@jyc-blog ~]# vim /etc/nsswitch.conf
# line 33 - 35 modify
passwd: files sss mysql
shadow: files sss mysql
group: files sss mysql
設定pam_mysql
詳細的設定可以參考官方的Document:
[root@jyc-blog ~]# vim /etc/pam_mysql.conf
#add following
users.host=/var/lib/mysql/mysql.sock
users.db_user=root
users.db_passwd=PASSWORD
users.database=auth
users.table=users
users.user_column=username
users.password_column=password
users.password_crypt=1
verbose=0
修改PAM
[root@jyc-blog ~]# vim /etc/pam.d/system-auth
#插入下面五行(綠色字)
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
#因為是透過資料庫新增使用者,所以需要手動建立使用者的家目錄,但自己手動建立還要設定權限等等,因此這邊以PAM的方式,讓使用者在登入的同時自動建立家目錄:
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_mysql.so config_file=/etc/pam_mysql.conf
session required pam_unix.so
測試
[root@jyc-blog ~]# id jychen
uid=5000(jychen) gid=5000(jychen) groups=5000(jychen)
[root@jyc-blog ~]# ssh jychen@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 3e:95:18:bb:65:98:ff:4b:cb:15:34:ee:b1:f7:22:3f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
jychen@127.0.0.1's password: PASSWORD
Creating directory '/home/jychen'.
Last login: Thu Jul 9 23:52:36 2015 from localhost
[jychen@jyc-blog ~]$ exit
#用passwd指令修改密碼
[root@jyc-blog ~]# mysql -u root -pPASSWORD -e "use auth ; select password from users where uid=5000"
+---------------------+
| password |
+---------------------+
| 1uQQ2ugLqZa.A |
+---------------------+
[root@jyc-blog ~]# passwd jychen
Changing password for user jychen.
New password: PASSWORD
Retype new password: PASSWORD
passwd: all authentication tokens updated successfully.
[root@jyc-blog ~]# mysql -u root -pPASSWORD -e "use auth ; select password from users where uid=5000"
+-------------------------------------------------------+
| password |
+-------------------------------------------------------+
| $1$WRJqJIP1$U3nAswi3F6RJtGtGD0OyW. |
+-------------------------------------------------------+
#從第一次和第二次Select出來的password資料,可以看出密碼有被修改成功。
Enjoy!
可能會遇到的錯誤
[root@jyc-blog pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/usr/lib64/security
...
...省略...
...
checking if /usr /usr/local /usr/mysql /opt/mysql is a mysql_config script... no
checking mysql_config availability in /usr/bin... no
checking mysqlclient availability in /usr/lib... no
checking mysqlclient availability in /usr/lib/mysql... no
checking mysql headers availability in /usr/include... no
checking mysql headers availability in /usr/include/mysql... no
checking mysql_config availability in /usr/local/bin... no
checking mysqlclient availability in /usr/local/lib... no
checking mysqlclient availability in /usr/local/lib/mysql... no
checking mysql headers availability in /usr/local/include... no
checking mysql headers availability in /usr/local/include/mysql... no
checking mysql_config availability in /usr/mysql/bin... no
checking mysqlclient availability in /usr/mysql/lib... no
checking mysqlclient availability in /usr/mysql/lib/mysql... no
checking mysql headers availability in /usr/mysql/include... no
checking mysql headers availability in /usr/mysql/include/mysql... no
checking mysql_config availability in /opt/mysql/bin... no
checking mysqlclient availability in /opt/mysql/lib... no
checking mysqlclient availability in /opt/mysql/lib/mysql... no
checking mysql headers availability in /opt/mysql/include... no
checking mysql headers availability in /opt/mysql/include/mysql... no
configure: error: Cannot locate mysql client library. Please check your mysql installation.
#解決方式 : 安裝mariadb-devel
[root@jyc-blog pam_mysql-0.7RC1]# yum install mariadb-devel -y
[root@jyc-blog pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/usr/lib64/security
...
...省略...
...
configure: error: Cannot find pam headers. Please check if your system is ready for pam module development.
#解決方式 : 安裝pam-devel
[root@jyc-blog pam_mysql-0.7RC1]# yum install pam-devel -y
[root@jyc-blog pam_mysql-0.7RC1]# ./configure
...
...省略...
...
configure: error: Cannot find pam headers. Please check if your system is ready for pam module development.
#解決方式 : 指定pam module的存放目錄
[root@jyc-blog pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/usr/lib64/security
