
How to use a smartphone for two-factor authentication with Percona Server for MySQL

Vadim Tkachenko | February 24, 2013 | Posted In: MySQL, Percona Software

In this post I will describe a non-trivial way to authenticate users in Percona Server for MySQL. Percona Server comes with a PAM authentication plugin, which allows you to do a lot of cool things, such as OS authentication, LDAP authentication, even RSA SecurID authentication (which is useful if you need PCI compliance), and use Google Authenticator, which is the topic of this post.


With two-factor authentication a user is required not only to enter a password, but also to have an additional security token, which in the case of Google Authenticator can be your cell phone (clients are available for Android, iPhone, Windows Mobile or BlackBerry; the full list is here). This way an attacker needs not only to steal or guess the password, but also to gain access to the cell phone, which is not impossible, but makes things more complicated.

The setup is actually quite easy if you follow these steps:

1. Enable PAM plugin (more in our documentation):

2. Configure PAM for the mysqld process by putting the following into the /etc/pam.d/mysqld file:

3. Create a user in the server:

After this we are already able to authenticate using an OS account (assuming there is an OS account for user ‘vadim’).

4. Now, to install pam-google-authenticator, there are several possible ways:

5. From the user account we are setting up authentication for, run google-authenticator for the initial setup.

It outputs a URL which, when opened, produces a QR code like this one:
[QR code image]
You scan it with the Authenticator application on your smartphone to connect the accounts, or just manually enter the secret key.

6. Instruct PAM to use Google Authenticator by adding the following to /etc/pam.d/mysqld:

7. All set. Now when I try to log in as user ‘vadim’, the server asks me for both the password and the Verification Code (generated on my smartphone in the Authenticator application).

Authenticating against an LDAP server is not much more complicated: once you have LDAP running, just replace pam_unix with pam_ldap in /etc/pam.d/mysqld.
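The steps above, collected into one script, as an added example that is not part of the original post or of Percona's own documentation. It renders the /etc/pam.d/mysqld stack for either the pam_unix (OS account) or the pam_ldap variant, the SQL for the auth_pam plugin, and, when invoked with `apply`, performs the enrolment. The Debian package name libpam-google-authenticator, the google-authenticator flags, the mysql client being able to connect as root without a prompt, and the user name ‘vadim’ are assumptions; PAM_DIR can be pointed at a scratch directory to preview the stack without touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): render and apply the PAM +
# Percona Server configuration for password + Google Authenticator login.
# Paths, package name and user name are assumptions; run as root to apply.
set -eu

PAM_DIR="${PAM_DIR:-/etc/pam.d}"   # set to a scratch dir to preview only
DB_USER="${DB_USER:-vadim}"        # OS account / MySQL user being enrolled

# pam_stack MODE: print the /etc/pam.d/mysqld stanza. MODE is "unix"
# (OS accounts, as in step 2) or "ldap" (pam_ldap, as suggested above).
pam_stack() {
    case "${1:-unix}" in
        unix) mod=pam_unix.so ;;
        ldap) mod=pam_ldap.so ;;
        *)    echo "pam_stack: unknown mode '$1'" >&2; return 1 ;;
    esac
    printf 'auth required %s\n' "$mod"
    printf 'account required %s\n' "$mod"
    # Second factor (step 6). Both modules are 'required', so a failure in
    # either one rejects the login and the client cannot tell which factor
    # was wrong.
    printf 'auth required pam_google_authenticator.so\n'
}

# setup_sql: SQL for steps 1 and 3 (Percona Server auth_pam plugin).
setup_sql() {
    printf "INSTALL PLUGIN auth_pam SONAME 'auth_pam.so';\n"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED WITH auth_pam;\n" "$DB_USER"
}

# write_pam_config MODE: write the stanza to $PAM_DIR/mysqld (mode 0644,
# readable by the mysqld process, which is what runs the PAM conversation).
write_pam_config() {
    mkdir -p "$PAM_DIR"
    pam_stack "${1:-unix}" > "$PAM_DIR/mysqld"
    chmod 0644 "$PAM_DIR/mysqld"
}

# apply_setup: the full procedure; needs root and a working mysql client.
apply_setup() {
    # Step 4: Debian/Ubuntu package name (assumption; elsewhere build from source)
    apt-get install -y libpam-google-authenticator
    # Steps 1 and 3: credentials for the mysql client come from ~/.my.cnf (assumption)
    setup_sql | mysql -u root
    # Steps 2 and 6 in one go
    write_pam_config unix
    # Step 5: must run as the OS user being enrolled. -t time-based codes,
    # -d disallow code reuse, -f write ~/.google_authenticator without
    # prompting, -r 3 -R 30 allow at most 3 attempts per 30 seconds.
    su - "$DB_USER" -c 'google-authenticator -t -d -f -r 3 -R 30'
}

if [ "${1:-}" = "apply" ]; then
    apply_setup
fi
```

Preview the stack with `PAM_DIR=/tmp/pam-preview sh setup-2fa.sh && cat /tmp/pam-preview/mysqld` before applying. Because the PAM conversation runs inside mysqld rather than in a login shell, pam_google_authenticator must be able to read the enrolled user's secret file; if the password is accepted but the code is always rejected, check the module's options for locating the secret (`secret=` and `user=` in its documentation) before suspecting clock drift.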

This was just an example, but it shows a Percona Server feature: complex authentication that satisfies enterprise-grade security requirements.

Vadim Tkachenko

Vadim Tkachenko co-founded Percona in 2006 and serves as its Chief Technology Officer. Vadim leads Percona Labs, which focuses on technology research and performance evaluations of Percona’s and third-party products. Percona Labs designs no-gimmick tests of hardware, filesystems, storage engines, and databases that surpass the standard performance and functionality scenario benchmarks. Vadim’s expertise in LAMP performance and multi-threaded programming help optimize MySQL and InnoDB internals to take full advantage of modern hardware. Oracle Corporation and its predecessors have incorporated Vadim’s source code patches into the mainstream MySQL and InnoDB products. He also co-authored the book High Performance MySQL: Optimization, Backups, and Replication 3rd Edition.
