[MXS-2292] Allow PAM user and group mapping to work with more specific host than '%'
Created: 2019-01-25  Updated: 2019-03-13  Resolved: 2019-02-21

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.3.3
Fix Version/s: 2.3.5

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Esa Korhonen
Resolution: Fixed
Votes: 1
Labels: None

Issue Links:
Relates
relates to MXS-2293 Monitor fails PAM authentication with... Closed
relates to MXS-2294 Document how to configure user and gr... Closed
relates to MXS-334 Enable Pam.d Support Closed
relates to MXS-1758 Support PAM group mapping, like Maria... Closed
relates to MXS-2269 Document user and group mapping suppo... Closed
Sprint: MXS-SPRINT-75, MXS-SPRINT-76

Description

The query in PamInstance::query_anon_proxy_user and PamClientSession::get_pam_user_services specifically checks for the ''@'%' anonymous user:

    const char ANON_USER_QUERY[] = "SELECT authentication_string FROM mysql.user WHERE "
                                   "(plugin = 'pam' AND user = '' AND host = '%');";

Is it possible to make user and group mapping work with a more specific host than '%'? Some users do not like to create accounts that can authenticate from literally any host, since it opens up the possibility of things like brute force attacks.

https://github.com/mariadb-corporation/MaxScale/blob/75ea1b6ea1cedb3e11912368acb6ede625d38842/server/modules/authenticator/PAM/PAMAuth/pam_instance.cc#L309

https://github.com/mariadb-corporation/MaxScale/blob/26da72a41f1a603695da07da2b7c6cf8dff5a3cc/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc#L281
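
The limitation described above, reproduced as an added example (not part of the original issue and not MaxScale's code). SQLite stands in for the backend, so the table is named `mysql_user`; the sample rows, `ANON_ANY_HOST_QUERY` and `host_matches` are hypothetical and only illustrate what matching a host more specific than '%' would involve.

```python
import re
import sqlite3

# Query text as quoted in the issue; only the table name differs, because
# SQLite has no "mysql" schema.
ANON_USER_QUERY = ("SELECT authentication_string FROM mysql_user WHERE "
                   "(plugin = 'pam' AND user = '' AND host = '%');")
# Hypothetical relaxed query: fetch every anonymous PAM account with its host.
ANON_ANY_HOST_QUERY = ("SELECT host, authentication_string FROM mysql_user "
                       "WHERE plugin = 'pam' AND user = '';")

# Constructed sample rows: (user, host, plugin, authentication_string)
SAMPLE_ROWS = [
    ("", "10.0.5.%", "pam", "mariadb"),  # anonymous mapping user, restricted host
    ("app", "%", "mysql_native_password", ""),
]

def make_db(rows):
    """Build an in-memory stand-in for the backend's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mysql_user "
               "(user TEXT, host TEXT, plugin TEXT, authentication_string TEXT)")
    db.executemany("INSERT INTO mysql_user VALUES (?, ?, ?, ?)", rows)
    return db

def host_matches(pattern, client_host):
    """Match a client host against a host pattern using the % and _ wildcards.
    Simplified assumption: netmask notation and name resolution are ignored."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, client_host, re.IGNORECASE) is not None

def services_exact(db):
    """PAM services found by the exact host = '%' comparison from the issue."""
    return [row[0] for row in db.execute(ANON_USER_QUERY)]

def services_for_client(db, client_host):
    """PAM services of anonymous accounts whose host pattern covers the client."""
    return [svc for host, svc in db.execute(ANON_ANY_HOST_QUERY)
            if host_matches(host, client_host)]

if __name__ == "__main__":
    db = make_db(SAMPLE_ROWS)
    print("exact '%' query:", services_exact(db))
    print("pattern match for 10.0.5.17:", services_for_client(db, "10.0.5.17"))
```

With the constructed rows, the exact comparison finds no anonymous mapping account, while the pattern match finds it only for clients inside the restricted range.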

