[MDEV-17281] Configure MariaDB to authenticate against RSA server. Created: 2018-09-24  Updated: 2020-04-08

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: chris stephens Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


Description

I am trying to configure a 10.3 MariaDB server on CentOS 6.10 with 2-factor authentication via PAM using RSA server 8.2.1.

We have this working when ssh'ing directly into server but it is not working for MariaDB authentication.

I have installed the 'auth_pam' plugin and created a user "identified via pam using 'mariadb2'".

The mariadb2 pam module currently has the following entries:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_securid.so reserve
#auth       include      password-auth
account    required     pam_nologin.so
account    required     pam_access.so nodefgroup
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Authentication attempts show only (generically) "018-09-24 14:06:12 59 [Warning] Access denied for user 'user'@'ip' (using password: NO)" in the MariaDB error log.

I see the correct PAM_SERVICE, PAM_TYPE, and PAM_USER in syslog.

I do not see any information indicating what the actual issue is.

Does MariaDB support 2-factor authentication via this method? If so, is there any documentation on configuration and/or troubleshooting?



Comments
Comment by Andrew Hutchings (Inactive) [ 2018-09-24 ]

Moved to MariaDB Server's bug tracking as ColumnStore has no 10.3 release so I suspect that was the original intention.

Comment by chris stephens [ 2018-09-24 ]

Thanks Andrew.

Comment by chris stephens [ 2018-09-26 ]

Initial problems had to do with permissions. Running MariaDB as root results in a prompt for the initial password. The correct password results in an RSA OTP SMS message. However, entering the OTP results in "ERROR 1160 (00000)".

When I add:

auth optional pam_exec.so /var/lib/mysql/scripts/pam_messages.sh "pre_pam_securid.so"
auth required pam_securid.so
auth optional pam_exec.so /var/lib/mysql/scripts/pam_messages.sh "post_pam_securid.so"

to log a quick message before and after the module is called, the second message ("post_pam_securid.so") is generated before I even enter the OTP.
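
The pam_messages.sh script referenced above is not shown on the page; what follows is an added, hypothetical version of such a pam_exec trace script (not the reporter's), written so it can be dropped into the stack shown above. It logs the PAM items that pam_exec.so exports (PAM_SERVICE, PAM_TYPE, PAM_USER, PAM_RHOST, PAM_TTY) together with the marker argument, to syslog via logger. It is invoked without expose_authtok, so the password never reaches the script, and it always returns success so an "optional" trace line cannot change the outcome of the auth stack.

```shell
#!/bin/sh
# Hypothetical pam_messages.sh, invoked by pam_exec.so as:
#   auth optional pam_exec.so /var/lib/mysql/scripts/pam_messages.sh "<marker>"
# pam_exec exports PAM_SERVICE, PAM_TYPE, PAM_USER, PAM_RHOST and PAM_TTY to the
# child. The password is only exported with expose_authtok, which this stack
# does not use, so the script cannot leak it.

# Build one log line from the PAM environment plus the marker argument.
# Unset or empty items are rendered as "-" so the field layout stays fixed.
pam_trace_line() {
    marker="${1:--}"
    printf 'pam_trace marker=%s service=%s type=%s user=%s rhost=%s tty=%s' \
        "$marker" \
        "${PAM_SERVICE:--}" "${PAM_TYPE:--}" "${PAM_USER:--}" \
        "${PAM_RHOST:--}" "${PAM_TTY:--}"
}

# Send the line to syslog (auth facility) when logger is available; otherwise
# fall back to stderr so the trace is still visible when run under pamtester.
# Logging failures are swallowed: a broken trace must never fail the stack.
pam_trace_log() {
    line=$(pam_trace_line "$1")
    if command -v logger >/dev/null 2>&1; then
        logger -t pam_messages -p auth.info -- "$line" 2>/dev/null \
            || printf '%s\n' "$line" >&2
    else
        printf '%s\n' "$line" >&2
    fi
    return 0
}

# pam_exec always passes the marker argument from the PAM config line; with no
# argument (e.g. when the file is sourced for testing) nothing is logged.
if [ -n "${1:-}" ]; then
    pam_trace_log "$1"
fi
```

Comparing the timestamps of the "pre_pam_securid.so" and "post_pam_securid.so" lines in syslog against the moment the OTP prompt appears shows whether pam_securid.so returned before the second conversation round-trip completed.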

Comment by chris stephens [ 2018-09-26 ]

pamtester shows the PAM config file we are using works as expected.

We have this configuration working against another RSA server that prompts for "pin+rsa code" on a single prompt, and that works fine. All other config information is the same.

We continue to have problems with the RSA server that prompts for a password and, if it is correct, sends the OTP via SMS, which is entered at a second prompt.

Comment by Elena Stepanova [ 2018-10-03 ]

serg, do we indeed support 2-factor authentication via PAM?

Comment by Sergei Golubchik [ 2018-10-05 ]

elenst, yes, there's an example here: https://mariadb.org/improve-security-with-two-step-verification/

cs2018, you can enable the pam plugin's debug option to get a verbose log of everything that it does. You'll need a debug build of the plugin (because it shows everything, including passwords) and the --pam-debug command-line (or my.cnf) option.

Comment by chris stephens [ 2018-10-05 ]

We had a call with RSA this morning. They stated on-demand tokens are not supported with their AIM product.

We will explore troubleshooting with a debug build, but is there any documentation on which RSA products and authentication methods are specifically supported?
