MariaDB Server / MDEV-19881

pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 10.4.6
    • 10.3
    • Plugin - pam
    • None

    Description

      As a way to work around the numerous pam bugs in MariaDB 10.4.6, I tried to copy the pam plugins from MariaDB 10.3.16. This does not work, and it fails instantly without even asking for a password.

      For example, copy the plugin from the 10.3 to the 10.4 server:

      scp  /usr/lib64/mysql/plugin/auth_pam.so 172.30.0.123:/tmp/
      

      Then move the existing one on the 10.4 server:

      sudo mv /usr/lib64/mysql/plugin/auth_pam.so /usr/lib64/mysql/plugin/auth_pam.so.original
      

      And then install the one from 10.3:

      sudo install /tmp/auth_pam.so /usr/lib64/mysql/plugin/
      

      Create a Unix user account and set a password for the user:

      sudo useradd alice
      sudo passwd alice
      

      Create the PAM service configuration:

      sudo tee /etc/pam.d/mariadb <<EOF
      auth required pam_unix.so audit
      account required pam_unix.so audit
      EOF
      

      Then in MariaDB, install the plugin:

      INSTALL SONAME 'auth_pam';
      

      And then create the user account:

      CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
      

      And then you need to do the /etc/shadow workaround for pam_unix:

      sudo groupadd shadow
      sudo usermod -a -G shadow mysql
      sudo chown root:shadow /etc/shadow
      sudo chmod g+r /etc/shadow
      

      And then restart MariaDB:

      sudo systemctl restart mariadb
      

      And then, try to authenticate as the Unix account (while using the workaround for MDEV-19807):

      $ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
      ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)
      

      Unlike in MDEV-19880, the syslog doesn't even show a failed password check.
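
The /etc/shadow workaround in the steps above makes the password hashes readable to every member of the group that owns the file. The following check is an added example, not part of the original report: it lists those members. It assumes GNU stat, and the name shadow_group_readers is hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue): list accounts that can read a shadow
# file through its group permission bit. Assumes GNU stat (-c).
# shadow_group_readers is a hypothetical helper name.
# Usage: shadow_group_readers [shadow_file] [group_file]
# Output: one "<group>:<member>" line per supplementary group member.
# Status: 0 = group-readable, 1 = not group-readable, 2 = stat failed.
shadow_group_readers() (
    file=${1:-/etc/shadow}
    group_db=${2:-/etc/group}

    # %a = permission bits in octal, %g = numeric gid of the owning group
    info=$(stat -c '%a %g' "$file") || exit 2
    mode=${info% *}
    gid=${info#* }

    # Leading 0 makes the shell read the mode as octal; 040 is group-read.
    [ $(( 0$mode & 040 )) -ne 0 ] || exit 1

    # Match on the numeric gid so a renamed group is still found, then
    # split the comma-separated member list (field 4).
    awk -F: -v gid="$gid" '
        $3 == gid {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") print $1 ":" m[i]
        }' "$group_db"
)

# Run the check only when a path is given on the command line, e.g.
#   sh shadow_readers.sh /etc/shadow /etc/group
if [ "$#" -gt 0 ]; then
    shadow_group_readers "$@"
fi
```

Accounts whose primary group is the owning group are not listed in the group file's member field, so check the passwd database for that gid as well.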


            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)