Manage SSH Users with MySQL backend
Yes. Linux authentication is based around the pluggable authentication modules (PAM) which allows for easy switching from one authentication backend to another. Simply install and configure a PAM MySQL module, with a corresponding user database in MySQL.
Pre-compiled packages are available in the EPEL archive for RHEL/CentOS as pam_mysql
and a pam-mysql
package should be available in Debian/Ubuntu.
While PAM-MySQL can manage login credentials, it is an incomplete solution, since it only handles the authentication portion. It does not create a user account on the system. For example:
-
ls -l
will not use PAM-MySQL to resolve UIDs to usernames. - The user's home directory is not stored in MySQL.
In other words, PAM-MySQL is a replacement for /etc/shadow
, not for /etc/passwd
. You will need to either create both an /etc/passwd
entry and a MySQL entry for each user, or supplement PAM-MySQL with NSS MySQL.
LDAP is indeed the better tool for the job, as you will be able to centralize the user account information in one place. I don't believe it is overpowered. Rather it's a kind of database that is specially designed to manage user accounts, so best practice would be to just use LDAP as a standard solution rather than hacking together a non-standard system with MySQL. Either OpenLDAP or 389 Directory Server would be a more appropriate user database than MySQL. (Both of them can be configured to use an SQL back-end, if you insist.)