MariaDB MaxScale / MXS-2383

Support PAM authentications involving more than simple password exchanges

    Details

    • Type: New Feature
    • Status: Confirmed
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.2.19, 2.3.4
    • Fix Version/s: 2.7
    • Component/s: Authenticator
    • Labels:
      None

      Description

      The documentation says the following:

      The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.

      https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/#implementation-details-and-limitations

      Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to log in: a regular user-set password and a 2FA token from a service like Google Authenticator or RSA SecurID.
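
The exchange quoted from the documentation, as an added Python example that is not MaxScale code or part of the original issue: it frames and parses the AuthSwitchRequest described above and models why a second PAM prompt falls outside the supported flow. The function names, the sequence id and the second prompt text are assumptions made for illustration.

```python
AUTH_SWITCH_REQUEST = 0xFE  # first payload byte of an AuthSwitchRequest
PASSWORD_MSG_TYPE = 4       # message type byte named in the quoted documentation


def build_auth_switch(seq, plugin=b"dialog", msg_type=PASSWORD_MSG_TYPE,
                      prompt=b"Password:"):
    """Frame the request: 3-byte little-endian length, sequence id, payload."""
    payload = (bytes([AUTH_SWITCH_REQUEST]) + plugin + b"\x00"
               + bytes([msg_type]) + prompt)
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_auth_switch(packet):
    """Return (plugin, msg_type, prompt); raise ValueError on malformed input."""
    if len(packet) < 5:
        raise ValueError("truncated packet")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:]
    if len(payload) != length or payload[0] != AUTH_SWITCH_REQUEST:
        raise ValueError("not a well-framed AuthSwitchRequest")
    plugin, sep, data = payload[1:].partition(b"\x00")
    if not sep or not data:
        raise ValueError("missing plugin name terminator or plugin data")
    return plugin.decode("ascii"), data[0], data[1:].decode("utf-8")


def classify_conversation(pam_prompts):
    """Model the limitation: only a lone 'Password:' prompt is supported."""
    prompts = [p.strip() for p in pam_prompts]
    if prompts == ["Password:"]:
        return "supported"
    extra = [p for p in prompts if p != "Password:"]
    return "unsupported: %d prompt(s), unexpected %r" % (len(prompts), extra)


# Constructed sample: sequence id 2 and the second prompt text are made up.
if __name__ == "__main__":
    print(parse_auth_switch(build_auth_switch(2)))
    print(classify_conversation(["Password:"]))
    print(classify_conversation(["Password:", "Verification code:"]))
```
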


              People

              • Assignee:
                toddstoffel Todd Stoffel
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0
                Watchers:
                3
