Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19878

pam v2: pam password authentication doesn't work at all

    Details

      Description

      In MariaDB 10.4, version 2 of the pam plugin is provided. Unfortunately, password authentication seems to be completely broken.

      To reproduce, simply do the following:

      Create a Unix user account and set a password for the user:

      sudo useradd alice
      sudo passwd alice
      

      Create the PAM service configuration:

      sudo tee /etc/pam.d/mariadb <<EOF
      auth required pam_unix.so audit
      account required pam_unix.so audit
      EOF
      

      Then in MariaDB, install the plugin:

      INSTALL SONAME 'auth_pam';
      

      And then create the user account:

      CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
      

      And then you might need to execute some commands to work around MDEV-19876:

      sudo chmod 0755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/
      sudo chmod 4755 /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
      

      And then, try to authenticate as the Unix account (while using the workaround for MDEV-19807):

      $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
      ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
      

      I thought that this might be caused by MDEV-19882, but the client does not even seem to be prompting for a password, so this bug seems different.

      The syslog shows the following:

      Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): unexpected response from failed conversation function
      Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): conversation failed
      Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): unable to obtain a password
      Jun 27 06:06:19 ip-172-30-0-123 auth_pam_tool: pam_unix(mariadb:auth): auth could not identify password for [alice]
      

      And the strace output for the process running the auth_pam_tool utility shows the following:

      read(0, "\0", 1)                        = 1
      read(0, "\0\5", 2)                      = 2
      read(0, "alice", 5)                     = 5
      read(0, "\0\7", 2)                      = 2
      read(0, "mariadb", 7)                   = 7
      ...
      write(1, "C", 1)                        = 1
      write(1, "\0\v", 2)                     = 2
      write(1, "\4Password: ", 11)            = 11
      read(0, "\0\0", 2)                      = 2
      read(0, "", 0)                          = 0
      ...
      sendto(3, "<84>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): unexpected response from failed conversation function", 112, MSG_NOSIGNAL, NULL, 0) = 112
      sendto(3, "<83>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): conversation failed", 78, MSG_NOSIGNAL, NULL, 0) = 78
      sendto(3, "<87>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): unable to obtain a password", 86, MSG_NOSIGNAL, NULL, 0) = 86
      sendto(3, "<82>Jun 27 06:06:19 auth_pam_tool: pam_unix(mariadb:auth): auth could not identify password for [alice]", 103, MSG_NOSIGNAL, NULL, 0) = 103
      

      And the strace output for the process running the client connection shows the following:

      recvfrom(44, "\244\0\0\1", 4, MSG_DONTWAIT, NULL, NULL) = 4
      recvfrom(44, "\204\246\337 \0\0\0\1!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0alice\0\0mysql_native_password\0f\3_os\5Linux\f_client_name\nlibmariadb\4_pid\0044750\17_client_version\0053.1.2\t_platform\6x86_64\fprogram_name\5mysql", 164, MSG_DONTWAIT, NULL, NULL) = 164
      pipe([45, 46])                          = 0
      pipe([47, 48])                          = 0
      clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f74e81329d0) = 4752
      close(45)                               = 0
      close(48)                               = 0
      sendto(44, "\10\0\0\2\376dialog\0", 12, MSG_DONTWAIT, NULL, 0) = 12
      recvfrom(44, "\1\0\0\3", 4, MSG_DONTWAIT, NULL, NULL) = 4
      recvfrom(44, "\0", 1, MSG_DONTWAIT, NULL, NULL) = 1
      write(46, "\0", 1)                      = 1
      write(46, "\0\5", 2)                    = 2
      write(46, "alice", 5)                   = 5
      write(46, "\0\7", 2)                    = 2
      write(46, "mariadb", 7)                 = 7
      read(47, "C", 1)                        = 1
      read(47, "\0\v", 2)                     = 2
      read(47, "\4Password: ", 11)            = 11
      write(46, "\0\0", 2)                    = 2
      write(46, "", 0)                        = 0
      read(47, "", 1)                         = 0
      --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4752, si_uid=997, si_status=255, si_utime=0, si_stime=0} ---
      close(46)                               = 0
      close(47)                               = 0
      clock_gettime(CLOCK_REALTIME, {1561615579, 586285461}) = 0
      write(2, "2019-06-27  6:06:19 9 [Warning] Access denied for user 'alice'@'localhost' (using password: NO)\n", 96) = 96
      sendto(44, "H\0\0\4\377\25\4#28000Access denied for user 'alice'@'localhost' (using password: NO)", 76, MSG_DONTWAIT, NULL, 0) = 76
      

      In the strace output for the client connection, it looks to me like the client is sending an empty password for some reason. This made me want to try testing how it worked if I provided the password on the command line. Even that fails:

      $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin -palicemariadb
      ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
      

      And the strace output for that does show that the client connection received the proper password:

      recvfrom(44, "\270\0\0\1", 4, MSG_DONTWAIT, NULL, NULL) = 4
      recvfrom(44, "\204\246\337 \0\0\0\1!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0alice\0\24JQ\316\275'\353u\201\320\360S;\26Z\354H\301\317\266\24mysql_native_password\0f\3_os\5Linux\f_client_name\nlibmariadb\4_pid\0044917\17_client_version\0053.1.2\t_platform\6x86_64\fprogram_name\5mysql", 184, MSG_DONTWAIT, NULL, NULL) = 184
      pipe([45, 46])                          = 0
      pipe([47, 48])                          = 0
      clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f89c037e9d0) = 4919
      close(45)                               = 0
      close(48)                               = 0
      sendto(44, "\10\0\0\2\376dialog\0", 12, MSG_DONTWAIT, NULL, 0) = 12
      recvfrom(44, "\r\0\0\3", 4, MSG_DONTWAIT, NULL, NULL) = 4
      recvfrom(44, "alicemariadb\0", 13, MSG_DONTWAIT, NULL, NULL) = 13
      write(46, "\0", 1)                      = 1
      write(46, "\0\5", 2)                    = 2
      write(46, "alice", 5)                   = 5
      write(46, "\0\7", 2)                    = 2
      write(46, "mariadb", 7)                 = 7
      read(47, "C", 1)                        = 1
      read(47, "\0\v", 2)                     = 2
      read(47, "\4Password: ", 11)            = 11
      write(46, "\0\0", 2)                    = 2
      write(46, "", 0)                        = 0
      read(47, "", 1)                         = 0
      --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4919, si_uid=997, si_status=255, si_utime=0, si_stime=0} ---
      close(46)                               = 0
      close(47)                               = 0
      clock_gettime(CLOCK_REALTIME, {1561616363, 716309324}) = 0
      write(2, "2019-06-27  6:19:23 9 [Warning] Access denied for user 'alice'@'localhost' (using password: NO)\n", 96) = 96
      sendto(44, "H\0\0\4\377\25\4#28000Access denied for user 'alice'@'localhost' (using password: NO)", 76, MSG_DONTWAIT, NULL, 0) = 76
      

      It just doesn't seem to be passing the proper password to the auth_pam_tool process.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: