[MDEV-19877] pam v2: auth_pam_tool input format is not user friendly for debugging - Jira

XML

Word

Printable

Details

Type: Task
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Fix Version/s: None
Component/s: Plugin - pam
Labels:
None

Description

In MariaDB 10.4, version 2 of the pam plugin is provided. This plugin forks a new process and executes the auth_pam_tool utility that is now bundled with the server.

There are probably going to be cases where people need to execute this tool manually as a test. Unfortunately, the input format of this tool is not very user friendly.

One method that can be used to construct the tool's input and run the tool for testing purposes is described below.

Configuring PAM

First we can configure PAM.

Create a Unix user account and set a password for the user:

sudo useradd alice

sudo passwd alice

Create the PAM service configuration:

sudo tee /etc/pam.d/mariadb <<EOF

auth required pam_unix.so audit

account required pam_unix.so audit

EOF

And then you might need to execute some commands to work around ~~MDEV-19876~~:

sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/

sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

Configuring MariaDB

We can configure MariaDB to use PAM authentication for this user account.

Let's install the pam plugin:

INSTALL SONAME 'auth_pam';

And let's create the relevant user:

CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb'

Constructing the Input

Next we can construct the input for the auth_pam_tool tool.

As far as I can tell, the input format of the data that needs to be passed to stdin is:

<control flag field><length of user name field as 2-byte integer><user name field><length of auth string field as 2-byte integer><auth string field><length of password field as 2-byte integer><password field>

So let's say that we have the following values:

control flag:

   string=0

user name:

   string=alice

   length=5

   length as 2 bytes in hex = 0x05

auth string:

   string=mariadb

   length=7

   length as 2 bytes in hex = 0x07

password:

   string=uGBXHxID3dJRALw2

   length=16

   length as 2 bytes in hex = 0x10

So that would make the stdin data:

0\x05alice\x07mariadb\x10uGBXHxID3dJRALw2

Let's create input with a null-terminated password:

echo -n -e '0\0\x05alice\0\x07mariadb\0\x11uGBXHxID3dJRALw2\0' > good_input.txt

And let's also create input with a password that is not null-terminated:

echo -n -e '0\0\x05alice\0\x07mariadb\0\x10uGBXHxID3dJRALw2' > bad_input.txt

And then confirm the contents of each file:

$ hexdump -c good_input.txt

0000000   0  \0 005   a   l   i   c   e  \0  \a   m   a   r   i   a   d

0000010   b  \0 021   u   G   B   X   H   x   I   D   3   d   J   R   A

0000020   L   w   2  \0

$ hexdump -c bad_input.txt

0000000   0  \0 005   a   l   i   c   e  \0  \a   m   a   r   i   a   d

0000010   b  \0 020   u   G   B   X   H   x   I   D   3   d   J   R   A

0000020   L   w   2

Running the Tool

Next, we can run the auth_pam_tool tool and redirect the tool's stdin to the input files that we constructed.

We can also attach strace to the process, so we can passwords the tool is reading and writing.

First, run the tool with the good input:

cat good_input.txt | sudo strace -o strace_good_input.out -f -ff /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

The null-terminated password is properly read and passed to PAM:

write(1, "C", 1)                        = 1

write(1, "\0\v", 2)                     = 2

write(1, "\4Password: ", 11)            = 11

read(0, "\0\21", 2)                     = 2

read(0, "uGBXHxID3dJRALw2\0", 17)       = 17

...

write(4, "uGBXHxID3dJRALw2", 16)        = 16

write(4, "\0", 1)                       = 1

Next, run the tool with the bad input:

cat bad_input.txt | sudo strace -o strace_bad_input.out -f -ff /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool

The non-null-terminated password is properly read, but its last character is truncated when it is passed to PAM due to ~~MDEV-19882~~:

write(1, "C", 1)                        = 1

write(1, "\0\v", 2)                     = 2

write(1, "\4Password: ", 11)            = 11

read(0, "\0\20", 2)                     = 2

read(0, "uGBXHxID3dJRALw2", 16)         = 16

...

write(4, "uGBXHxID3dJRALw", 15)         = 15

write(4, "\0", 1)                       = 1

Checking Syslog

The syslog (i.e. /var/log/secure on RHEL or /var/log/auth.log on Debian/Ubuntu) also shows an authentication failure, since the auth_pam_tool
tool provided a truncated password to PAM:

Oct 16 02:24:14 ip-172-30-0-123 unix_chkpwd[11398]: password check failed for user (alice)

Oct 16 02:24:14 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice

Attachments

Issue Links

is caused by

MDEV-7032 new pam plugin with a suid wrapper

Closed

MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server

Closed

relates to

MDEV-19878 pam v2: pam password authentication doesn't work at all

Closed

MDEV-19879 server can send empty error message to client with pam_use_cleartext_plugin

Closed

MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4

Closed

MDEV-19881 pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4

Open

MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs

Closed

MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated

Closed

MDEV-19898 PAM plugin testing

Stalled

(4 relates to)

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-06-27 01:00

Updated:: 2021-08-16 11:08

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.