Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19877

pam v2: auth_pam_tool input format is not user friendly for debugging

    XMLWordPrintable

    Details

      Description

      In MariaDB 10.4, version 2 of the pam plugin is provided. This plugin forks a new process and executes the auth_pam_tool utility that is now bundled with the server.

      There are probably going to be cases where people need to execute this tool manually as a test. Unfortunately, the input format of this tool is not very user friendly.

      One method that can be used to construct the tool's input and run the tool for testing purposes is described below.

      Configuring PAM

      First we can configure PAM.

      Create a Unix user account and set a password for the user:

      sudo useradd alice
      sudo passwd alice
      

      Create the PAM service configuration:

      sudo tee /etc/pam.d/mariadb <<EOF
      auth required pam_unix.so audit
      account required pam_unix.so audit
      EOF
      

      And then you might need to execute some commands to work around MDEV-19876:

      sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      Configuring MariaDB

      We can configure MariaDB to use PAM authentication for this user account.

      Let's install the pam plugin:

      INSTALL SONAME 'auth_pam';
      

      And let's create the relevant user:

      CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb'
      

      Constructing the Input

      Next we can construct the input for the auth_pam_tool tool.

      As far as I can tell, the input format of the data that needs to be passed to stdin is:

      <control flag field><length of user name field as 2-byte integer><user name field><length of auth string field as 2-byte integer><auth string field><length of password field as 2-byte integer><password field>
      

      So let's say that we have the following values:

      control flag:
         string=0
       
      user name:
         string=alice
         length=5
         length as 2 bytes in hex = 0x05
         
      auth string:
         string=mariadb
         length=7
         length as 2 bytes in hex = 0x07
       
      password:
         string=uGBXHxID3dJRALw2
         length=16
         length as 2 bytes in hex = 0x10
      

      So that would make the stdin data:

      0\x05alice\x07mariadb\x10uGBXHxID3dJRALw2
      

      Let's create input with a null-terminated password:

      echo -n -e '0\0\x05alice\0\x07mariadb\0\x11uGBXHxID3dJRALw2\0' > good_input.txt
      

      And let's also create input with a password that is not null-terminated:

      echo -n -e '0\0\x05alice\0\x07mariadb\0\x10uGBXHxID3dJRALw2' > bad_input.txt
      

      And then confirm the contents of each file:

      $ hexdump -c good_input.txt
      0000000   0  \0 005   a   l   i   c   e  \0  \a   m   a   r   i   a   d
      0000010   b  \0 021   u   G   B   X   H   x   I   D   3   d   J   R   A
      0000020   L   w   2  \0
      0000024
      $ hexdump -c bad_input.txt
      0000000   0  \0 005   a   l   i   c   e  \0  \a   m   a   r   i   a   d
      0000010   b  \0 020   u   G   B   X   H   x   I   D   3   d   J   R   A
      0000020   L   w   2
      0000023
      

      Running the Tool

      Next, we can run the auth_pam_tool tool and redirect the tool's stdin to the input files that we constructed.

      We can also attach strace to the process, so we can passwords the tool is reading and writing.

      First, run the tool with the good input:

      cat good_input.txt | sudo strace -o strace_good_input.out -f -ff /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      The null-terminated password is properly read and passed to PAM:

      write(1, "C", 1)                        = 1
      write(1, "\0\v", 2)                     = 2
      write(1, "\4Password: ", 11)            = 11
      read(0, "\0\21", 2)                     = 2
      read(0, "uGBXHxID3dJRALw2\0", 17)       = 17
      ...
      write(4, "uGBXHxID3dJRALw2", 16)        = 16
      write(4, "\0", 1)                       = 1
      

      Next, run the tool with the bad input:

      cat bad_input.txt | sudo strace -o strace_bad_input.out -f -ff /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      The non-null-terminated password is properly read, but its last character is truncated when it is passed to PAM due to MDEV-19882:

      write(1, "C", 1)                        = 1
      write(1, "\0\v", 2)                     = 2
      write(1, "\4Password: ", 11)            = 11
      read(0, "\0\20", 2)                     = 2
      read(0, "uGBXHxID3dJRALw2", 16)         = 16
      ...
      write(4, "uGBXHxID3dJRALw", 15)         = 15
      write(4, "\0", 1)                       = 1
      

      Checking Syslog

      The syslog (i.e. /var/log/secure on RHEL or /var/log/auth.log on Debian/Ubuntu) also shows an authentication failure, since the auth_pam_tool
      tool provided a truncated password to PAM:

      Oct 16 02:24:14 ip-172-30-0-123 unix_chkpwd[11398]: password check failed for user (alice)
      Oct 16 02:24:14 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              serg Sergei Golubchik
              Reporter:
              GeoffMontee Geoff Montee
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated: