  1. MariaDB MaxScale
  2. MXS-2479

Don't throw error for PAM_TEXT_INFO in PAM conversation function


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.6
    • Fix Version/s: 2.3.8
    • Component/s: Authenticator
    • Labels: None
    • Sprint: MXS-SPRINT-82, MXS-SPRINT-83

    Description

      The PAM conversation function currently throws an error if it encounters any messages that are not PAM_PROMPT_ECHO_OFF or PAM_PROMPT_ECHO_ON:

      https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc#L117

      This means that a user's MaxScale log can fill up with error messages like the following:

      2019-05-05 19:40:42   error  : Unexpected PAM message: type='4', contents='Your password will expire in 1 day(s).'
      

      If msg_style=4, then it is of the type PAM_TEXT_INFO:

      $ grep "PAM_TEXT_INFO" /usr/include/security/_pam_types.h
      #define PAM_TEXT_INFO           4
      

      These appear to be harmless messages:

      PAM_TEXT_INFO
      Display some text.

      http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_conv

      That doesn't really seem worthy of an error that causes the connection to fail.

      It seems like it would be better to log PAM_TEXT_INFO messages with MXS_NOTICE or MXS_INFO instead of MXS_ERROR, and then also return PAM_SUCCESS, so it doesn't count as a failure.
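
A conversation callback that follows the suggestion above, as an added example that is not MaxScale's code: PAM_TEXT_INFO is logged as a notice and the conversation continues, while any other unexpected message type still fails. The names `pam_conv_cb` and `struct conv_data` and the logging to stderr are assumptions; the fallback definitions are used only when the PAM headers are not installed.

```c
/* Added example, not MaxScale's code. pam_conv_cb and struct conv_data are
 * hypothetical names; logging goes to stderr instead of MXS_NOTICE/MXS_ERROR. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
# if __has_include(<security/pam_appl.h>)
#  include <security/pam_appl.h>
#  define HAVE_PAM_HEADERS 1
# endif
#endif
#ifndef HAVE_PAM_HEADERS /* fallback copies of the Linux-PAM definitions */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif

struct conv_data { const char *password; int notices; }; /* appdata_ptr payload */

int pam_conv_cb(int n, const struct pam_message **msg,
                struct pam_response **resp, void *appdata)
{
    struct conv_data *d = appdata;
    if (n <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            size_t len = strlen(d->password) + 1;
            if (!(r[i].resp = malloc(len))) goto fail;
            memcpy(r[i].resp, d->password, len); /* the caller frees the reply */
        } else if (style == PAM_TEXT_INFO) {
            /* Informational text such as an expiry warning: log, keep going. */
            fprintf(stderr, "notice: PAM info: %s\n", msg[i]->msg);
            d->notices++;
        } else {
            fprintf(stderr, "error: unexpected PAM message type %d\n", style);
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
```

The PAM_TEXT_INFO slot in the response array is left zeroed, since no reply is expected for an informational message.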


            People

              esa.korhonen Esa Korhonen
              GeoffMontee Geoff Montee (Inactive)