[#MDEV-19879] server can send empty error message to client with pam_use_cleartext

[MDEV-19879] server can send empty error message to client with pam_use_cleartext_plugin Created: 2019-06-27 Updated: 2020-08-25 Resolved: 2019-07-02
Status:	Closed
Project:	MariaDB Server
Component/s:	Plugin - pam
Affects Version/s:	10.2.25, 10.1.40, 10.3.16, 10.4.6
Fix Version/s:	10.4.7

Type:

Bug

Priority:

Major

Reporter:

Geoff Montee (Inactive)

Assignee:

Sergei Golubchik

Resolution:

Fixed

Votes:

Labels:

None

Issue Links:

Relates
relates to	~~MDEV-19880~~	pam v1: pam password authentication d...	Closed
relates to	MDEV-19881	pam plugin from MariaDB 10.3 doesn't ...	Open
relates to	~~MDEV-19876~~	pam v2: auth_pam_tool_dir and auth_pa...	Closed
relates to	MDEV-19877	pam v2: auth_pam_tool input format is...	Open
relates to	~~MDEV-19878~~	pam v2: pam password authentication d...	Closed
relates to	~~MDEV-19882~~	pam v2: auth_pam_tool truncates passw...	Closed
relates to	MDEV-19898	PAM plugin testing	Stalled

Description

If pam_use_cleartext_plugin is configured on the server, and if you have an error in your PAM service configuration, similar to the following:

$ cat /etc/pam.d/mariadb

auth required pam_unix.so audit

auth required pam_unix.so audit

Then the client receives an empty error message if you try to use PAM authentication:

$ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin

ERROR:

Generated at Thu Feb 08 08:55:04 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.