Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2479

Don't throw error for PAM_TEXT_INFO in PAM conversation function

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.6
    • Fix Version/s: 2.3.8
    • Component/s: Authenticator
    • Labels:
      None
    • Sprint:
      MXS-SPRINT-82, MXS-SPRINT-83

      Description

      The PAM conversation function currently throws an error if it encounters any messages that are not PAM_PROMPT_ECHO_OFF or PAM_PROMPT_ECHO_ON:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc#L117

      This means that a user's MaxScale log can fill up with error messages like the following:

      2019-05-05 19:40:42   error  : Unexpected PAM message: type='4', contents='Your password will expire in 1 day(s).'
      

      If msg_style=4, then it is of the type PAM_TEXT_INFO:

      $ grep "PAM_TEXT_INFO" /usr/include/security/_pam_types.h
      #define PAM_TEXT_INFO           4
      

      These appear to be harmless messages:

      PAM_TEXT_INFO
      Display some text.

      http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv

      That doesn't really seem worthy of an error that causes the connection to fail.

      It seems like it would be better to log PAM_TEXT_INFO messages with MXS_NOTICE or MXS_INFO instead of MXS_ERROR, and then also return PAM_SUCCESS, so it doesn't count as a failure.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                esa.korhonen Esa Korhonen
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: