SQL module and credentials configured in the clear

Brendan Kearney bpk678 at gmail.com
Thu Apr 28 23:57:43 UTC 2022

for a myraid of purposes, i have my radius servers connect to MariaDB, 
and have configured mods-available/sql with the requisite user/pass 
credential set.  i am wondering if the case can be made to add/include 
the option to use the keytab created and used for LDAP connectivity.  
having a user/pass combo in clear text on the filesystem is no-no in 
many organizations.

per the mariadb docs, i setup gssapi and created my user and used gssapi 
for authentication

create the user that matches what is configured in the keytab in mariadb:
/create user 'radius\/server2.bpk2.com' identified via gssapi;/

note the hard quoting and escaping of the forward slash.  this was the 
only combination that resulted in the user being successfully created 
for me.

i authenticated with the keytab, and pulled a TGT:
/    [root at server1 raddb]# kinit -kt radius.keytab -p 
//    [root at server1 raddb]# klist//
//    Ticket cache: FILE:/tmp/krb5cc_0//
//    Default principal: radius/server1.bpk2.com at BPK2.COM//
//    Valid starting       Expires              Service principal//
//    04/28/2022 19:47:51  04/29/2022 19:47:51 krbtgt/BPK2.COM at BPK2.COM//
//        renew until 05/05/2022 19:47:51/

then i connected to the database using the identity:
/    [root at server1 raddb]# mysql -h database -u radius/server1.bpk2.com 
//    Reading table information for completion of table and column names//
//    You can turn off this feature to get a quicker startup with -A//
//    Welcome to the MariaDB monitor.  Commands end with ; or \g.//
//    Your MariaDB connection id is 125319//
//    Server version: 10.4.19-MariaDB MariaDB Server//
//    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.//
//    Type 'help;' or '\h' for help. Type '\c' to clear the current 
input statement.//
//    MariaDB [radius]> show tables;//
//    +------------------------+//
//    | Tables_in_radius       |//
//    +------------------------+//
//    .../

/    MariaDB [radius]> status//
//    --------------//
//    mysql  Ver 15.1 Distrib 10.4.19-MariaDB, for Linux (x86_64) using  
EditLine wrapper//
//    Connection id:        125319//
//    Current database:    radius//
//    Current user: radius/server1.bpk2.com at server1.bpk2.com/

it is entirely possible to use the keytab and connect to a properly 
configured mariadb instance with a keytab.  can the functionality to 
authenticate to databases like mariadb with the keytab be added?

thank you,


More information about the Freeradius-Users mailing list