It seems to be a known limitation that MaxScale does not yet support mysql_clear_password for PAMAuth and PAMBackendAuth. The code contains this TODO to add support for it:

/* PAM client helper plugin name, TODO: add support for "mysql_clear_password" */

const std::string DIALOG = "dialog";

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/PAM/pam_auth_common.cc#L19

The following PAMBackendAuth code seems to explicitly check that the backend server asked MaxScale to use the "dialog" plugin:

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_session.cc#L67

But I don't think this particular code can even be reached, because if the backend server does not ask MaxScale to use the "dialog" plugin, then it will fail before that here:

https://github.com/mariadb-corporation/MaxScale/blob/maxscale-2.3.6/server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_session.cc#L58

And throw this error message:

2019-05-10 14:41:24   error  : (12901) [PAMBackendAuth] Length of server AuthSwitchRequest packet was '37', expected '23'. Only simple password-based PAM authentication with one call to the conversation function is supported.

Regardless, I think MaxScale should also support the mysql_clear_password plugin for PAMAuth and PAMBackendAuth. If it does not, then it cannot be used with servers that have pam_use_cleartext_plugin set, which is sometimes needed for compatibility.

https://mariadb.com/kb/en/library/authentication-plugin-pam/#pam_use_cleartext_plugin

https://mariadb.com/kb/en/library/authentication-plugin-pam/#mysql_clear_password