[MDEV-10457] simple_password_check is incompatible with pam Created: 2016-07-28  Updated: 2020-08-25  Resolved: 2019-01-14

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam, Plugins
Affects Version/s: 10.1
Fix Version/s: 10.4.0

Type: Bug Priority: Minor
Reporter: Robin Peiremans Assignee: Sergei Golubchik
Resolution: Fixed Votes: 1
Labels: None

Issue Links:
Relates
relates to MDEV-12321 authentication plugin: SET PASSWORD s... Closed
relates to MDEV-20631 Activated simple password check does ... Closed

Description

When the simple_password_check plugin is active and you create a new user that is authenticated through pam, password verification fails. In a way this makes sense, as a pam authenticated user has a zero-length password.

Using the pam plugin doesn't mean all users are pam authenticated (root for example should, imo, never be externally authenticated). For these users it would still make sense to be able to prohibit weak passwords.

I would thus like to request the password check to add support for externally authenticated users so both plugins can be used at the same time.



Comments
Comment by Sergei Golubchik [ 2016-07-28 ]

Would it help, if you set strict_password_validation to false? If not, it can be considered a bug.

Comment by Robin Peiremans [ 2016-07-29 ]

Unfortunately that doesn't help:

MariaDB [mysql]> show variables like 'strict_password_validation';
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| strict_password_validation | ON    |
+----------------------------+-------+
1 row in set (0.01 sec)
 
MariaDB [mysql]> create user myuser@localhost identified via pam using 'mariadb';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [mysql]> set global strict_password_validation='OFF';
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [mysql]> show variables like 'strict_password_validation';
+----------------------------+-------+
| Variable_name              | Value |
+----------------------------+-------+
| strict_password_validation | OFF   |
+----------------------------+-------+
1 row in set (0.01 sec)
 
MariaDB [mysql]> create user myuser@localhost identified via pam using 'mariadb';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

Comment by Sergei Golubchik [ 2016-07-29 ]

Okay, thanks. I think we can extend strict_password_validation variable to also cover the case of non-builtin plugins.

Password validation works like this:

  1. if there is a password — run a validation plugin
  2. if there is no password — fail with an error
  3. if the password cannot be validated (for example, it was specified as a password hash):
    1. if strict_password_validation is OFF — allow it
    2. otherwise fail with an error

When non-builtin plugins are used, MariaDB considered it to be case 2, but it is arguably case 3, so it should be affected by the strict_password_validation variable.

Comment by Geoff Montee (Inactive) [ 2019-01-14 ]

The PAM authentication plugin doesn't allow MariaDB to change passwords at all, so MariaDB's password validation is irrelevant to it. I think it would require implementing pam_sm_chauthtok in auth_pam to allow it to change passwords.

http://www.linux-pam.org/Linux-PAM-html/mwg-expected-of-module-chauthtok.html

Would it make sense to modify the authentication plugin API to create a way to allow authentication plugins like auth_pam to exempt themselves from password validation?

Is it likely that auth_pam will ever be capable of changing passwords, so MariaDB's password validation would become relevant? I noticed that MDEV-12321 implemented a way for authentication plugins to hook into the PASSWORD() function, but I don't know if that would be useful for that.

Comment by Sergei Golubchik [ 2019-01-14 ]

Yes, you're right. MDEV-12321 was useful. In fact, this bug was fixed in MDEV-12321 — now password validation only works for plugins that support PASSWORD() function. If a plugin does not support PASSWORD(), it means that plugin does not have a concept of a password and whatever is specified after USING is not a password, and should not be validated as one.
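A constructed Python model, added here and not MariaDB's own code, of the decision logic described in Sergei's 2016-07-29 comment and of the post-MDEV-12321 behaviour he describes above. The policy thresholds, the `Plugin` record and the `validate` function are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed policy thresholds: they mirror simple_password_check's default
# settings (length 8, 1 digit, 1 upper, 1 lower, 1 other character) but are an
# assumption of this example, not read from a running server.
MIN_LENGTH, MIN_DIGITS, MIN_SAME_CASE, MIN_OTHER = 8, 1, 1, 1

# Error text as shown in the session quoted in this issue.
ERR_POLICY = ("ERROR 1819 (HY000): Your password does not satisfy "
              "the current policy requirements")


def simple_password_check(password: str) -> bool:
    """Policy check in the spirit of simple_password_check (constructed)."""
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    other = len(password) - digits - upper - lower
    return (len(password) >= MIN_LENGTH and digits >= MIN_DIGITS
            and upper >= MIN_SAME_CASE and lower >= MIN_SAME_CASE
            and other >= MIN_OTHER)


@dataclass
class Plugin:
    name: str
    builtin: bool            # e.g. mysql_native_password
    supports_password: bool  # implements the PASSWORD() hook (MDEV-12321)


def validate(plugin: Plugin, auth_string: str, is_hash: bool,
             strict: bool, fixed: bool):
    """Return None if CREATE USER should be accepted, else the error text.

    fixed=False models the behaviour described in the thread (cases 1-3,
    with non-builtin plugins treated as case 2, i.e. 'no password');
    fixed=True models 10.4, where a plugin without PASSWORD() support is
    skipped entirely because whatever follows USING is not a password.
    """
    if fixed and not plugin.supports_password:
        return None                       # nothing to validate
    if not fixed and not plugin.builtin:
        return ERR_POLICY                 # pre-fix: treated as case 2
    if not auth_string:
        return ERR_POLICY                 # case 2: no password at all
    if is_hash:                           # case 3: hash cannot be checked
        return None if not strict else ERR_POLICY
    return None if simple_password_check(auth_string) else ERR_POLICY  # case 1
```

Note that with `fixed=False` the pam user is rejected whether `strict` is on or off, which is exactly the session quoted earlier in this issue.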
