Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2383

Support PAM authentications involving more than simple password exchanges

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.19, 2.3.4
    • Fix Version/s: 2.5.2
    • Component/s: Authenticator
    • Labels:
      None

      Description

      The documentation says the following:

      The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.

      https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/#implementation-details-and-limitations

      Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to login--a regular user-set password, and a 2FA token from a service like Google Authenticator or RSA SecurID.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              esa.korhonen Esa Korhonen
              Reporter:
              GeoffMontee Geoff Montee
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: