[MXS-2383] Support PAM authentications involving more than simple password exchanges - Jira

XML

Word

Printable

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.19, 2.3.4
Fix Version/s: 2.5.2
Component/s: Authenticator
Labels:
None

Epic Link:
Security Improvements
Sprint:
MXS-SPRINT-111, MXS-SPRINT-112

Description

The documentation says the following:

The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.

https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/#implementation-details-and-limitations

Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to login--a regular user-set password, and a 2FA token from a service like Google Authenticator or RSA SecurID.

Attachments

Issue Links

relates to

MXS-334 Enable Pam.d Support

Closed

Activity

People

Assignee:: Esa Korhonen

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2019-03-13 19:02

Updated:: 2024-07-07 17:12

Resolved:: 2020-08-07 12:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.