Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- 10.4.6
- None
Description
As a way to work around the numerous pam bugs in MariaDB 10.4.6, I tried to copy the pam plugins from MariaDB 10.3.16. This does not work, and it fails instantly without even asking for a password.
For example, copy the plugin from the 10.3 to the 10.4 server:
scp /usr/lib64/mysql/plugin/auth_pam.so 172.30.0.123:/tmp/
Then move the existing one on the 10.4 server:
sudo mv /usr/lib64/mysql/plugin/auth_pam.so /usr/lib64/mysql/plugin/auth_pam.so.original
And then install the one from 10.3:
sudo install /tmp/auth_pam.so /usr/lib64/mysql/plugin/
Create a Unix user account and set a password for the user:
sudo useradd alice
sudo passwd alice
Create the PAM service configuration:
sudo tee /etc/pam.d/mariadb <<EOF
auth required pam_unix.so audit
account required pam_unix.so audit
EOF
Then in MariaDB, install the plugin:
INSTALL SONAME 'auth_pam';
And then create the user account:
CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
And then you need to do the /etc/shadow workaround for pam_unix:
sudo groupadd shadow
sudo usermod -a -G shadow mysql
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow
And then restart MariaDB:
sudo systemctl restart mariadb
And then, try to authenticate as the Unix account (while using the workaround for MDEV-19807):
$ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
Unlike in MDEV-19880, the syslog doesn't even show a failed password check.
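The checks below confirm that each setup step in the report above (plugin file, PAM service file, `/etc/shadow` group and mode, `mysql` group membership) took effect, which helps separate setup mistakes from plugin behaviour. This is an added example, not part of the original report or of MariaDB; the function names are hypothetical, and the default paths, user and group are the ones the report uses.

```shell
#!/bin/sh
# Added example: pre-flight checks for the report's setup steps (hypothetical function names).

# Succeeds if the PAM service file has auth and account lines for pam_unix.so.
pam_service_ok() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_unix\.so' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_unix\.so' "$1"
}

# Succeeds if the group-read bit is set (5th character of the ls mode string).
group_can_read() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5)" = "r" ]
}

# Succeeds if file $1 is owned by group $2 (4th field of ls -ld).
group_owner_is() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $4}')" = "$2" ]
}

# Succeeds if group name $1 appears in the space-separated list $2.
in_group_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if user $1 is a member of group $2 according to the group database.
user_in_group() {
    in_group_list "$2" "$(id -nG "$1" 2>/dev/null)"
}

# Runs one check inside "if" so a failing check never aborts the script.
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $desc"
    else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Runs every check and returns the number of failed ones.
preflight() {
    plugin=${1:-/usr/lib64/mysql/plugin/auth_pam.so}; pamfile=${2:-/etc/pam.d/mariadb}
    shadow=${3:-/etc/shadow}; user=${4:-mysql}; group=${5:-shadow}
    fails=0
    check "plugin file present: $plugin" test -f "$plugin"
    check "auth and account via pam_unix.so in $pamfile" pam_service_ok "$pamfile"
    check "group owner of $shadow is $group" group_owner_is "$shadow" "$group"
    check "group-read bit set on $shadow" group_can_read "$shadow"
    check "$user is a member of $group" user_in_group "$user" "$group"
    return "$fails"
}
```

`id -nG` reads the group database, so a `mysqld` process started before the `usermod` step keeps its old group list until the restart step has run.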
Issue Links
- is caused by
  - MDEV-7032 new pam plugin with a suid wrapper (Closed)
  - MDEV-15473 Isolate/sandbox PAM modules, so that they can't crash the server (Closed)
- relates to
  - MDEV-19876 pam v2: auth_pam_tool_dir and auth_pam_tool permissions are wrong in RPMs (Closed)
  - MDEV-19877 pam v2: auth_pam_tool input format is not user friendly for debugging (Open)
  - MDEV-19878 pam v2: pam password authentication doesn't work at all (Closed)
  - MDEV-19879 server can send empty error message to client with pam_use_cleartext_plugin (Closed)
  - MDEV-19880 pam v1: pam password authentication doesn't work at all in MariaDB 10.4 (Closed)
  - MDEV-19882 pam v2: auth_pam_tool truncates passwords that are not null-terminated (Closed)
  - MDEV-19898 PAM plugin testing (Stalled)