Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
MySQL has a client side plugin to prevent password hashing. This is required when using PAM authentication.
From the documentation -
The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis.
Is there something similar in MariaDB. Using the same option gives an error.
MariaDB has MySQL's "cleartext" plugin, but we don't use it. This plugin is only used by the MySQL closed source PAM plugin. That plugin has incomplete PAM implementation, that only allows pam modules to ask for a password.
Our PAM plugin uses "dialog" plugin, and implements PAM fully, supporting any number of arbitrary prompts and questions. See https://kb.askmonty.org/en/pam-authentication-plugin/ and http://blog.mariadb.org/security-with-two-step-verification/