[#MXS-2918] PAM authentication matches host name in IPv6-ish format

[MXS-2918] PAM authentication matches host name in IPv6-ish format Created: 2020-03-11 Updated: 2020-07-21 Resolved: 2020-07-21
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	PAM-Authenticator
Affects Version/s:	2.3.1, 2.4.1
Fix Version/s:	2.5.0

Type:

Bug

Priority:

Minor

Reporter:

Assen Totin (Inactive)

Assignee:

Esa Korhonen

Resolution:

Fixed

Votes:

Labels:

None

Sprint:

MXS-SPRINT-111

Description

This seems to be more a side effect from how the network stack is used by MaxScale than a defect, but since it is undocumented, likely deserves some attention.

When using PAM with MaxScale, the latter looks up a MariaDB user with empty username, then compares the host, from which the client is connecting, to the host in MariaDB user's record.

When only IPv4 is involved, if the MariaDB user is created as
''@'192.168.%'
then MariaDB server will let the user log on via PAM, but MaxScale will not - because MaxScale looks up the IP address in an IPv6-is form, so the MariaDB user must be created as
''@'::ffff:192.168.%'
in which case the host is matches properly and PAM authentication succeeds.

While MaxScale prints an error message with this IPv6-ish format of the host when authentication fails, it may still be worth either putting this into the documentation or, even better, fixing MaxScale somehow to only use the true 32-bit IP address when IPv4 is involved.

Comments

Comment by Esa Korhonen [ 2020-07-21 ]

Fixed in 2.5 due to authentication rewrite.

Generated at Thu Feb 08 04:17:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MXS-2918] PAM authentication matches host name in IPv6-ish format Created: 2020-03-11 Updated: 2020-07-21 Resolved: 2020-07-21