Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19496

PAM authentication credentials should always be encrypted

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Won't Fix
    • None
    • N/A
    • Plugin - pam
    • None

    Description

      I am filing this as a bug as this seems to be a security hole from a user perspective.

      PAM auth plugin should utilize encryption for credentials just as is expected with default authentication methods (perhaps via the default authentication plugin or other encryption scheme).

      This should happen regardless of TLS or REQUIRE SSL grant etc.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          manjot Manjot Singh (Inactive) created issue -
          serg Sergei Golubchik added a comment -

          authentication plugins are responsible for the authentication, not encryption.

          MariaDB cannot and should not require every single authentication plugin to implement its own on-the-wire encryption. That's what we have SSL for.

          serg Sergei Golubchik added a comment - authentication plugins are responsible for the authentication, not encryption. MariaDB cannot and should not require every single authentication plugin to implement its own on-the-wire encryption. That's what we have SSL for.
          serg Sergei Golubchik made changes -
          Field Original Value New Value
          Fix Version/s N/A [ 14700 ]
          Assignee Sergei Golubchik [ serg ]
          Resolution Won't Fix [ 2 ]
          Status Open [ 1 ] Closed [ 6 ]
          manjot Manjot Singh (Inactive) added a comment -

          @sergei - SSL has the overhead of encrypting ALL client traffic (data and queries) there are use cases where a user does not want or need that but also does not want passwords to go in plain text, especially when it has the risk of exposing an organization's total LDAP/Kerberos/etc infrastructure.

          manjot Manjot Singh (Inactive) added a comment - @sergei - SSL has the overhead of encrypting ALL client traffic (data and queries) there are use cases where a user does not want or need that but also does not want passwords to go in plain text, especially when it has the risk of exposing an organization's total LDAP/Kerberos/etc infrastructure.
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 96781 ] MariaDB v4 [ 156207 ]

          People

            serg Sergei Golubchik
            manjot Manjot Singh (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.