Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- 10.4.6
- None
Description
In MariaDB 10.4, version 2 of the pam plugin is provided. Unfortunately, password authentication seems to be completely broken.
To reproduce, simply do the following:
Create a Unix user account and set a password for the user:
    sudo useradd alice
    sudo passwd alice
Create the PAM service configuration:
    sudo tee /etc/pam.d/mariadb <<EOF
    auth required pam_unix.so audit
    account required pam_unix.so audit
    EOF
Then in MariaDB, install the plugin:
    INSTALL SONAME 'auth_pam';
And then create the user account:
    CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
And then you might need to execute some commands to work around MDEV-19876:
    sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/
    sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
And then, try to authenticate as the Unix account (while using the workaround for MDEV-19807):
    $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
    ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
I thought that this might be caused by MDEV-19882, but the client does not even seem to be prompting for a password, so this bug seems different.
The syslog shows the following:
    Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): unexpected response from failed conversation function
    Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): conversation failed
    Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): unable to obtain a password
    Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): auth could not identify password for [alice]
And the strace output for the process running the auth_pam_tool utility shows the following:
    read(0, "\0", 1) = 1
    read(0, "\0\5", 2) = 2
    read(0, "alice", 5) = 5
    read(0, "\0\7", 2) = 2
    read(0, "mariadb", 7) = 7
    ...
    write(1, "C", 1) = 1
    write(1, "\0\v", 2) = 2
    write(1, "\4Password: ", 11) = 11
    read(0, "\0\0", 2) = 2
    read(0, "", 0) = 0
    ...
    sendto(3, "<84>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): unexpected response from failed conversation function", 112, MSG_NOSIGNAL, NULL, 0) = 112
    sendto(3, "<83>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): conversation failed", 78, MSG_NOSIGNAL, NULL, 0) = 78
    sendto(3, "<87>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): unable to obtain a password", 86, MSG_NOSIGNAL, NULL, 0) = 86
    sendto(3, "<82>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): auth could not identify password for [alice]", 103, MSG_NOSIGNAL, NULL, 0) = 103
And the strace output for the process running the client connection shows the following:
    recvfrom(44, "\244\0\0\1", 4, MSG_DONTWAIT, NULL, NULL) = 4
    recvfrom(44, "\204\246\337 \0\0\0\1!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0alice\0\0mysql_native_password\0f\3_os\5Linux\f_client_name\nlibmariadb\4_pid\0044750\17_client_version\0053.1.2\t_platform\6x86_64\fprogram_name\5mysql", 164, MSG_DONTWAIT, NULL, NULL) = 164
    pipe([45, 46]) = 0
    pipe([47, 48]) = 0
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f74e81329d0) = 4752
    close(45) = 0
    close(48) = 0
    sendto(44, "\10\0\0\2\376dialog\0", 12, MSG_DONTWAIT, NULL, 0) = 12
    recvfrom(44, "\1\0\0\3", 4, MSG_DONTWAIT, NULL, NULL) = 4
    recvfrom(44, "\0", 1, MSG_DONTWAIT, NULL, NULL) = 1
    write(46, "\0", 1) = 1
    write(46, "\0\5", 2) = 2
    write(46, "alice", 5) = 5
    write(46, "\0\7", 2) = 2
    write(46, "mariadb", 7) = 7
    read(47, "C", 1) = 1
    read(47, "\0\v", 2) = 2
    read(47, "\4Password: ", 11) = 11
    write(46, "\0\0", 2) = 2
    write(46, "", 0) = 0
    read(47, "", 1) = 0
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4752, si_uid=997, si_status=255, si_utime=0, si_stime=0} ---
    close(46) = 0
    close(47) = 0
    clock_gettime(CLOCK_REALTIME, {1561615579, 586285461}) = 0
    write(2, "2019-06-27 6:06:19 9 [Warning] Access denied for user 'alice'@'localhost' (using password: NO)\n", 96) = 96
    sendto(44, "H\0\0\4\377\25\4#28000Access denied for user 'alice'@'localhost' (using password: NO)", 76, MSG_DONTWAIT, NULL, 0) = 76
In the strace output for the client connection, it looks to me like the client is sending an empty password for some reason. This made me want to try testing how it worked if I provided the password on the command line. Even that fails:
    $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin -palicemariadb
    ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
And the strace output for that does show that the client connection received the proper password:
    recvfrom(44, "\270\0\0\1", 4, MSG_DONTWAIT, NULL, NULL) = 4
    recvfrom(44, "\204\246\337 \0\0\0\1!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0alice\0\24JQ\316\275'\353u\201\320\360S;\26Z\354H\301\317\266\24mysql_native_password\0f\3_os\5Linux\f_client_name\nlibmariadb\4_pid\0044917\17_client_version\0053.1.2\t_platform\6x86_64\fprogram_name\5mysql", 184, MSG_DONTWAIT, NULL, NULL) = 184
    pipe([45, 46]) = 0
    pipe([47, 48]) = 0
    clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f89c037e9d0) = 4919
    close(45) = 0
    close(48) = 0
    sendto(44, "\10\0\0\2\376dialog\0", 12, MSG_DONTWAIT, NULL, 0) = 12
    recvfrom(44, "\r\0\0\3", 4, MSG_DONTWAIT, NULL, NULL) = 4
    recvfrom(44, "alicemariadb\0", 13, MSG_DONTWAIT, NULL, NULL) = 13
    write(46, "\0", 1) = 1
    write(46, "\0\5", 2) = 2
    write(46, "alice", 5) = 5
    write(46, "\0\7", 2) = 2
    write(46, "mariadb", 7) = 7
    read(47, "C", 1) = 1
    read(47, "\0\v", 2) = 2
    read(47, "\4Password: ", 11) = 11
    write(46, "\0\0", 2) = 2
    write(46, "", 0) = 0
    read(47, "", 1) = 0
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4919, si_uid=997, si_status=255, si_utime=0, si_stime=0} ---
    close(46) = 0
    close(47) = 0
    clock_gettime(CLOCK_REALTIME, {1561616363, 716309324}) = 0
    write(2, "2019-06-27 6:19:23 9 [Warning] Access denied for user 'alice'@'localhost' (using password: NO)\n", 96) = 96
    sendto(44, "H\0\0\4\377\25\4#28000Access denied for user 'alice'@'localhost' (using password: NO)", 76, MSG_DONTWAIT, NULL, 0) = 76
It just doesn't seem to be passing the proper password to the auth_pam_tool process.
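The escaped strace strings in the report are hard to read as a protocol exchange. What follows is an added example written for this page; it is neither the reporter's code nor MariaDB's own auth_pam code. It reassembles the two pipe streams from a constructed copy of the pipe-related strace lines of the first run (the pipe()/clone()/close() calls in that trace show fd 46 feeding auth_pam_tool's stdin and fd 47 carrying its stdout), decodes the framing those lines exhibit, and flags the failure the reporter describes: a prompt answered with a zero-length string. The framing is inferred from the traces alone: from the server, one leading byte followed by 2-byte big-endian length-prefixed strings (user name, PAM service name, then one answer per prompt); from the tool, a 'C' code byte, a 2-byte length and a message whose first byte is the prompt type. The meaning of the leading byte and of the 'C' code is not given on the page, so the decoder keeps them opaque; the prompt-type bits (2 = echo on, 4 = echo off, low bit set = last message) follow the convention of MariaDB's dialog client plugin. frame_answer shows what a write of the client-supplied password would look like under the same framing, for comparison with the "\0\0" actually written.

```python
"""Decode the auth_pam_tool pipe traffic captured by strace (added example)."""
import codecs
import re
import struct

# Constructed sample: the pipe syscalls of the server thread from the first
# strace on the page. fd 46 is the write end of the pipe feeding auth_pam_tool's
# stdin, fd 47 the read end of the pipe carrying its stdout.
STRACE_SAMPLE = r"""
write(46, "\0", 1) = 1
write(46, "\0\5", 2) = 2
write(46, "alice", 5) = 5
write(46, "\0\7", 2) = 2
write(46, "mariadb", 7) = 7
read(47, "C", 1) = 1
read(47, "\0\v", 2) = 2
read(47, "\4Password: ", 11) = 11
write(46, "\0\0", 2) = 2
write(46, "", 0) = 0
read(47, "", 1) = 0
"""

# read(FD, "DATA", LEN) = RET  /  write(FD, "DATA", LEN) = RET
_LINE = re.compile(r'^(read|write)\((\d+), "((?:[^"\\]|\\.)*)", \d+\) = (\d+)$')


def unescape(s: str) -> bytes:
    """Undo strace's C-style escapes (\\0, \\v, \\244, ...) and return raw bytes."""
    return codecs.decode(s.encode("ascii"), "unicode_escape").encode("latin-1")


def pipe_traffic(strace_text: str, stdin_fd: int = 46, stdout_fd: int = 47):
    """Reassemble the bytes sent to the tool and the bytes received from it.

    Only the bytes a call actually transferred (its return value) are kept, so
    the trailing read(47, "", 1) = 0 (EOF after the tool exited) adds nothing.
    """
    to_tool, from_tool = bytearray(), bytearray()
    for line in strace_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        call, fd, data, ret = m.group(1), int(m.group(2)), unescape(m.group(3)), int(m.group(4))
        if call == "write" and fd == stdin_fd:
            to_tool += data[:ret]
        elif call == "read" and fd == stdout_fd:
            from_tool += data[:ret]
    return bytes(to_tool), bytes(from_tool)


def decode_request(stream: bytes):
    """Server -> tool, as the trace shows it: one leading byte (meaning not given
    on the page, kept opaque), then 2-byte big-endian length-prefixed strings:
    the user name, the PAM service name and, later, one answer per prompt."""
    flag, pos, fields = stream[0], 1, []
    while pos < len(stream):
        (n,) = struct.unpack(">H", stream[pos:pos + 2])
        fields.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return flag, fields


def decode_prompts(stream: bytes):
    """Tool -> server: a 'C' code byte, a 2-byte big-endian length, then a message
    whose first byte is the dialog-plugin prompt type (2 = echo on, 4 = echo off,
    low bit set = last message) followed by the prompt text."""
    prompts, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] != b"C":
            raise ValueError("unknown message code %r" % stream[pos:pos + 1])
        (n,) = struct.unpack(">H", stream[pos + 1:pos + 3])
        kind, text = stream[pos + 3], stream[pos + 4:pos + 3 + n]
        prompts.append({"echo_off": bool(kind & 4), "last": bool(kind & 1),
                        "text": text.decode("utf-8", "replace")})
        pos += 3 + n
    return prompts


def frame_answer(secret: bytes) -> bytes:
    """The same framing applied to an answer: what a write of the client-supplied
    password would look like, versus the empty answer ("\\0\\0") in the trace."""
    if len(secret) > 0xFFFF:
        raise ValueError("answer too long for a 2-byte length")
    return struct.pack(">H", len(secret)) + secret


def analyse(strace_text: str) -> dict:
    """Summarise one authentication attempt and flag a zero-length answer."""
    to_tool, from_tool = pipe_traffic(strace_text)
    flag, fields = decode_request(to_tool)
    return {
        "flag": flag,
        "user": fields[0],
        "service": fields[1],
        "prompts": decode_prompts(from_tool),
        "answers": fields[2:],
        "empty_answer": any(a == b"" for a in fields[2:]),
    }


if __name__ == "__main__":
    result = analyse(STRACE_SAMPLE)
    for key, value in result.items():
        print("%-13s %r" % (key, value))
    print("framed 'alicemariadb': %r" % frame_answer(b"alicemariadb"))
```

Run against the second trace on the page (the -palicemariadb attempt) the result is the same: the client's "alicemariadb\0" reaches the server, but the only answer forwarded to the tool is still the zero-length one, which is exactly what pam_unix then logs as "unable to obtain a password".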
Issue Links
- is caused by
  - MDEV-7032 new pam plugin with a suid wrapper (Closed)
  - MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server (Closed)
- relates to
  - MDEV-19879 server can send empty error message to client with pam_use_cleartext_plugin (Closed)
  - MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4 (Closed)
  - MDEV-19881 pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4 (Open)
  - MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs (Closed)
  - MDEV-19877 pam v2: auth_pam_tool input format is not user friendly for debugging (Open)
  - MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated (Closed)
  - MDEV-19898 PAM plugin testing (Stalled)