Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2292

Allow PAM user and group mapping to work with more specific host than '%'

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.3
    • Fix Version/s: 2.3.5
    • Component/s: Authenticator
    • Labels:
      None
    • Sprint:
      MXS-SPRINT-75, MXS-SPRINT-76

      Description

      The query in PamInstance::query_anon_proxy_user and PamClientSession::get_pam_user_services specifically checks for the ''@'%' anonymous user:

          const char ANON_USER_QUERY[] = "SELECT authentication_string FROM mysql.user WHERE "
                                         "(plugin = 'pam' AND user = '' AND host = '%');";
      

      Is it possible to make user and group mapping work with a more specific host than '%'? Some users do not like to create accounts that can authenticate from literally any host, since it opens up the possibility of things like brute force attacks.

      https://github.com/mariadb-corporation/MaxScale/blob/75ea1b6ea1cedb3e11912368acb6ede625d38842/server/modules/authenticator/PAM/PAMAuth/pam_instance.cc#L309

      https://github.com/mariadb-corporation/MaxScale/blob/26da72a41f1a603695da07da2b7c6cf8dff5a3cc/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc#L281

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                esa.korhonen Esa Korhonen
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                1 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: