[MXS-2383] Support PAM authentications involving more than simple password exchanges Created: 2019-03-13  Updated: 2021-04-19  Resolved: 2020-08-07

Status: Closed
Project: MariaDB MaxScale
Component/s: Authenticator
Affects Version/s: 2.2.19, 2.3.4
Fix Version/s: 2.5.2

Type: New Feature Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Esa Korhonen
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MXS-334 Enable Pam.d Support Closed
Epic Link: Security Improvements
Sprint: MXS-SPRINT-111, MXS-SPRINT-112

Description

The documentation says the following:

The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.

https://mariadb.com/kb/en/mariadb-maxscale-23-pam-authenticator/#implementation-details-and-limitations

Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to log in: a regular user-set password, and a 2FA token from a service like Google Authenticator or RSA SecurID.



Comments
Comment by Esa Korhonen [ 2019-04-01 ]

This would likely be difficult to implement. MaxScale needs to use the information given by the client to log into the backends. A password is straightforward, as it can be used as is. Complicated schemes such as the ones mentioned would require that MaxScale has access to these extra services and understands them. We would need specifics to implement them.

Comment by Geoff Montee (Inactive) [ 2019-04-01 ]

Hi esa.korhonen,

Complicated schemes such the ones mentioned would require that MaxScale has access to these extra services and understands them. We would need specifics to implement them.

Why would MaxScale need to "understand" them or worry about the specifics? MariaDB server doesn't "understand" those more complicated PAM services, and it still supports them. The underlying PAM framework handles the implementation of the PAM service. MaxScale and MariaDB Server just need to be able to ask the user for some kind of password, token, or whatever the user input is in the scenario when PAM asks for it, and MaxScale and MariaDB Server need to be able to handle PAM asking for more than one password, token, or whatever the user input is in the scenario.

Maybe MaxScale needs to implement some form of the dialog callback? This is what MariaDB uses to get user input when PAM authentication is involved:

https://mariadb.com/kb/en/library/development-pluggable-authentication/#dialog-client-plugin

https://mariadb.com/kb/en/library/authentication-plugin-pam/#dialog-plugin-for-clients
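To make the difference between the single-exchange behaviour quoted in the description and the multi-prompt dialog flow discussed in this comment concrete, here is an added Python model of the exchange (example code written for this ticket, not MaxScale's or MariaDB's implementation). It assumes the dialog packet is a type byte followed by the prompt text, takes type byte 4 and the "Password:" prompt from the page, and treats type 2 for echoed input, the "Verification code:" prompt and the PAM stand-in as constructed assumptions.

```python
# Constructed model of the "dialog" client-plugin exchange: each server packet
# is one type byte followed by the prompt text; the client answers with the
# raw user input. Type 4 ("Password:", hidden input) is quoted on this page;
# type 2 for echoed input is an assumption from the dialog plugin convention.
HIDDEN_INPUT = 4
ECHOED_INPUT = 2


def dialog_packet(msg_type, prompt):
    """Server -> client: one dialog question (type byte + prompt text)."""
    if msg_type not in (HIDDEN_INPUT, ECHOED_INPUT):
        raise ValueError("unknown dialog message type %d" % msg_type)
    return bytes([msg_type]) + prompt.encode()


def parse_dialog_packet(pkt):
    """Client side: split a dialog packet into (type, prompt)."""
    if not pkt or pkt[0] not in (HIDDEN_INPUT, ECHOED_INPUT):
        raise ValueError("not a dialog packet")
    return pkt[0], pkt[1:].decode()


def authenticate(pam_prompts, pam_expected, client_answers, max_exchanges):
    """Proxy side of the conversation. Returns (ok, reason, rounds).

    pam_prompts:    constructed stand-in for what the local PAM stack asks,
                    a list of (type, prompt) pairs; one pair = plain password.
    pam_expected:   constructed stand-in for PAM verifying each answer.
    client_answers: dict prompt -> user input the client would send back.
    max_exchanges:  1 models the single-exchange limit quoted on this page;
                    None models a proxy that relays every PAM question.
    """
    answers = []
    for i, (msg_type, prompt) in enumerate(pam_prompts, start=1):
        if max_exchanges is not None and i > max_exchanges:
            return False, "extra PAM prompt %r not supported" % prompt, i - 1
        pkt = dialog_packet(msg_type, prompt)      # AuthSwitchRequest payload
        _, seen_prompt = parse_dialog_packet(pkt)  # client decodes it
        reply = client_answers.get(seen_prompt)
        if reply is None:
            return False, "client has no answer for %r" % seen_prompt, i
        answers.append(reply)
    if answers != pam_expected:
        return False, "PAM rejected the credentials", len(answers)
    return True, "OK", len(answers)


# Constructed sample: password plus a one-time code, as in the 2FA case above.
TWO_FACTOR = [(HIDDEN_INPUT, "Password:"), (HIDDEN_INPUT, "Verification code:")]
EXPECTED = ["s3cret", "123456"]
ANSWERS = {"Password:": "s3cret", "Verification code:": "123456"}

if __name__ == "__main__":
    print(authenticate(TWO_FACTOR, EXPECTED, ANSWERS, max_exchanges=1))
    print(authenticate(TWO_FACTOR, EXPECTED, ANSWERS, max_exchanges=None))
```

With max_exchanges=1 the second PAM prompt is refused before the client ever sees it; with no limit both prompts are relayed and the login succeeds.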
