Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2383

Support PAM authentications involving more than simple password exchanges

    XMLWordPrintable

Details

    • New Feature
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 2.2.19, 2.3.4
    • 2.5.2
    • Authenticator
    • None

    Description

      The documentation says the following:

      The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.

      https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/#implementation-details-and-limitations

      Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to login--a regular user-set password, and a 2FA token from a service like Google Authenticator or RSA SecurID.

      Attachments

        Issue Links

          Activity

            People

              esa.korhonen Esa Korhonen
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.