[MXS-2292] Allow PAM user and group mapping to work with more specific host than '%' - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.3
Fix Version/s: 2.3.5
Component/s: Authenticator
Labels:
None

Sprint:
MXS-SPRINT-75, MXS-SPRINT-76

Description

The query in PamInstance::query_anon_proxy_user and PamClientSession::get_pam_user_services specifically checks for the ''@'%' anonymous user:

    const char ANON_USER_QUERY[] = "SELECT authentication_string FROM mysql.user WHERE "

                                   "(plugin = 'pam' AND user = '' AND host = '%');";

Is it possible to make user and group mapping work with a more specific host than '%'? Some users do not like to create accounts that can authenticate from literally any host, since it opens up the possibility of things like brute force attacks.

https://github.com/mariadb-corporation/MaxScale/blob/75ea1b6ea1cedb3e11912368acb6ede625d38842/server/modules/authenticator/PAM/PAMAuth/pam_instance.cc#L309

https://github.com/mariadb-corporation/MaxScale/blob/26da72a41f1a603695da07da2b7c6cf8dff5a3cc/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc#L281

Attachments

Issue Links

relates to

MXS-2293 Monitor fails PAM authentication with error: Plugin dialog could not be loaded

Closed

MXS-2294 Document how to configure user and group mapping for PAM authenticators

Closed

MXS-334 Enable Pam.d Support

Closed

MXS-1758 Support PAM group mapping, like MariaDB Server does

Closed

MXS-2269 Document user and group mapping support for PAM authenticators

Closed

Activity

People

Assignee:: Esa Korhonen

Reporter:: Geoff Montee

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-01-25 22:13

Updated:: 2019-03-13 19:01

Resolved:: 2019-02-21 09:21