In MariaDB 10.4, version 2 of the pam plugin is provided. This plugin forks a new process and executes the auth_pam_tool utility that is now bundled with the server.
Unfortunately, it seems to truncate passwords that are not null-terminated, because it always seems to assume that the last character is the NULL terminator.
This is a problem because some implementations of mysql_clear_password don't seem to null-terminate passwords.
The problem is fairly easy to reproduce.
We can configure PAM using the steps from MDEV-19877.
Create a Unix user account and set a password for the user:
Create the PAM service configuration:
And then you might need to execute some commands to work around
We can configure PAM to use PAM authentication for this user account using the steps from MDEV-19877.
Let's install the pam plugin:
And let's create the relevant user:
We can construct the input for the auth_pam_tool tool using the information from MDEV-19877.
Let's assume that the alice user's password is uGBXHxID3dJRALw2.
Let's create input with a null-terminated password:
And let's also create input with a password that is not null-terminated:
And then confirm the contents of each file:
Next, we can run the auth_pam_tool tool and redirect the tool's stdin to the input files that we constructed.
We can also attach strace to the process, so we can passwords the tool is reading and writing.
First, run the tool with the good input:
The null-terminated password is properly read and passed to PAM:
Next, run the tool with the bad input:
The non-null-terminated password is properly read, but its last character is truncated when it is passed to PAM:
The syslog (i.e. /var/log/secure on RHEL or /var/log/auth.log on Debian/Ubuntu) also shows an authentication failure, since the auth_pam_tool
tool provided a truncated password to PAM: