auth_pam not working

Bug #484069 reported by iwankgb on 2009-11-17
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Drizzle
High
Eric Day
Cherry
High
Eric Day

Bug Description

On Debian 5.0.3 with libpam0g-1.0.1-5+lenny1 PAM authentication does not work. When you try to connect to drizzle server (using valid username and password):

drizzle@devel:~$ ./bin/drizzle -u drizzle -P
Enter password: ********************************
ERROR 1045 (28000): Access denied for user 'drizzle'@'127.0.0.1' (using password: YES)

auth.log:

Nov 17 09:43:06 poszkole101 unix_chkpwd[22444]: password check failed for user (drizzle)
Nov 17 09:43:06 poszkole101 drizzled[22308]: pam_unix(check_user:auth): authentication failure; logname= uid=1006 euid=1006 tty= ruser= rhost= user=drizzle

/etc/pam.d/drizzled:

auth required pam_unix.so
account required pam_unix.so

Related branches

iwankgb (kasztelix) wrote :

And drizzle version: drizzle-2009.11.1208

Lee Bieber (kalebral) on 2009-11-20
Changed in drizzle:
status: New → Confirmed
importance: Undecided → High
milestone: none → bell
assignee: nobody → Stewart Smith (stewart-flamingspork)
Jay Pipes (jaypipes) wrote :

Bug #499973 is related I believe. We should not be using "check_user" as the service name. It should be "drizzled" and be user-configurable. In addition, there may need to be an installation of a service configuration file into /etc/pam.d/

Diego Elio Pettenò (flameeyes) wrote :

I guess drizzled should be fine; common-auth (for Debian; Gentoo uses system-auth) is usually include'd from the service-specific configuration files (having the generic name used directly by the service is a bad idea for how PAM is structured).

In the case of Gentoo, I'd be creating the pam file on ebuild (distribution) level anyway, and it'll simply be including system-auth (the equivalent of common-auth on our side).

Jay Pipes (jaypipes) wrote :

OK, got this fixed in a local branch... gotta check with mtaylor about make install directives for putting a PAM.d config file in /etc/pam.d, but branch has user-configurable service name now, and after creating a simple drizzled configuration file with this in it:

@include common-auth

I was able to authenticate with my local UNIX login properly:

jpipes@serialcoder:~/repos/drizzle/bugs/tests$ ./dtr --start-and-exit --mysqld="--plugin-add=auth_pam"
Logging: ./dtr --start-and-exit --mysqld=--plugin-add=auth_pam
MySQL Version 2009.12.1254
Using MTR_BUILD_THREAD = -69.4
Using MASTER_MYPORT = 9306
Using MASTER_MYPORT1 = 9307
Using SLAVE_MYPORT = 9308
Using SLAVE_MYPORT1 = 9309
Using SLAVE_MYPORT2 = 9310
Using MC_PORT = 9316
Killing Possible Leftover Processes
Removing Stale Files
Creating Directories
=======================================================
DEFAULT STORAGE ENGINE: innodb
TEST RESULT TIME (ms)
-------------------------------------------------------

Servers started, exiting

jpipes@serialcoder:~/repos/drizzle/bugs/tests$ ../client/drizzle --user=jpipes --password --port=9306
Enter password: ************
Welcome to the Drizzle client.. Commands end with ; or \g.
Your Drizzle connection id is 5
Server version: 7 Source distribution (bugs)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

drizzle>

Changed in drizzle:
assignee: Stewart Smith (stewart-flamingspork) → Jay Pipes (jaypipes)
status: Confirmed → In Progress
Jay Pipes (jaypipes) wrote :

OK, so not sure whether we should consider this a packaging bug or not. I might go ahead and open up a separate packaging bug and assign to mtaylor on that. For this one, I've added the ability to set the service name via configuration options, which should at least solve the problem of the hard-coded check_user config...

-jay

Diego Elio Pettenò (flameeyes) wrote :

I would sincerely prefer if we were to decided a single service name for all the distributions; having it configurable, and then have all the distributions to do in a different way, is neither nice to the users (guides don't apply) nor to the developers (debugging).

No problem, and reading through the PAM configuration, it actually
recommends a single name, not exactly the same as the program name.

So...what would you prefer? drizzled-pam? drizzled_auth? something else?

Go ahead and name it :)

-jay

Diego E. Flameeyes Pettenò wrote:
> I would sincerely prefer if we were to decided a single service name for
> all the distributions; having it configurable, and then have all the
> distributions to do in a different way, is neither nice to the users
> (guides don't apply) nor to the developers (debugging).
>

Diego Elio Pettenò (flameeyes) wrote :

> So...what would you prefer? drizzled-pam? drizzled_auth? something
> else?
>
Given the way most of the packages in Gentoo install pam.d files, I'd go
with simply "drizzle" (package name, rather than program name).
>
--
Diego Elio Pettenò — “Flameeyes”
http://blog.flameeyes.eu/

If you found a .asc file in this mail and know not what it is,
it's a GnuPG digital signature: http://www.gnupg.org/

Brian Aker (brianaker) wrote :

Hi!

Just to add a note. If we could find out how SU is working, we can drop in the authorization pieces as well. So if you find a reference...

Cheers,
 -Brian

On Jan 13, 2010, at 12:28 PM, Jay Pipes wrote:

> No problem, and reading through the PAM configuration, it actually
> recommends a single name, not exactly the same as the program name.
>
> So...what would you prefer? drizzled-pam? drizzled_auth? something
> else?
>
> Go ahead and name it :)
>
> -jay
>
> Diego E. Flameeyes Pettenò wrote:
>> I would sincerely prefer if we were to decided a single service name for
>> all the distributions; having it configurable, and then have all the
>> distributions to do in a different way, is neither nice to the users
>> (guides don't apply) nor to the developers (debugging).
>>
>
> --
> auth_pam not working
> https://bugs.launchpad.net/bugs/484069
> You received this bug notification because you are a member of Drizzle-
> developers, which is subscribed to Drizzle.
>
> Status in A Lightweight SQL Database for Cloud and Web: In Progress
>
> Bug description:
> On Debian 5.0.3 with libpam0g-1.0.1-5+lenny1 PAM authentication does not work. When you try to connect to drizzle server (using valid username and password):
>
> drizzle@devel:~$ ./bin/drizzle -u drizzle -P
> Enter password: ********************************
> ERROR 1045 (28000): Access denied for user 'drizzle'@'127.0.0.1' (using password: YES)
>
> auth.log:
>
> Nov 17 09:43:06 poszkole101 unix_chkpwd[22444]: password check failed for user (drizzle)
> Nov 17 09:43:06 poszkole101 drizzled[22308]: pam_unix(check_user:auth): authentication failure; logname= uid=1006 euid=1006 tty= ruser= rhost= user=drizzle
>
> /etc/pam.d/drizzled:
>
> auth required pam_unix.so
> account required pam_unix.so
>
>

Jay Pipes (jaypipes) wrote :

SU?

Brian Aker wrote:
> Hi!
>
> Just to add a note. If we could find out how SU is working, we can drop
> in the authorization pieces as well. So if you find a reference...
>
> Cheers,
> -Brian
>
> On Jan 13, 2010, at 12:28 PM, Jay Pipes wrote:
>
>> No problem, and reading through the PAM configuration, it actually
>> recommends a single name, not exactly the same as the program name.
>>
>> So...what would you prefer? drizzled-pam? drizzled_auth? something
>> else?
>>
>> Go ahead and name it :)
>>
>> -jay
>>
>> Diego E. Flameeyes Pettenò wrote:
>>> I would sincerely prefer if we were to decided a single service name for
>>> all the distributions; having it configurable, and then have all the
>>> distributions to do in a different way, is neither nice to the users
>>> (guides don't apply) nor to the developers (debugging).
>>>
>> --
>> auth_pam not working
>> https://bugs.launchpad.net/bugs/484069
>> You received this bug notification because you are a member of Drizzle-
>> developers, which is subscribed to Drizzle.
>>
>> Status in A Lightweight SQL Database for Cloud and Web: In Progress
>>
>> Bug description:
>> On Debian 5.0.3 with libpam0g-1.0.1-5+lenny1 PAM authentication does not work. When you try to connect to drizzle server (using valid username and password):
>>
>> drizzle@devel:~$ ./bin/drizzle -u drizzle -P
>> Enter password: ********************************
>> ERROR 1045 (28000): Access denied for user 'drizzle'@'127.0.0.1' (using password: YES)
>>
>> auth.log:
>>
>> Nov 17 09:43:06 poszkole101 unix_chkpwd[22444]: password check failed for user (drizzle)
>> Nov 17 09:43:06 poszkole101 drizzled[22308]: pam_unix(check_user:auth): authentication failure; logname= uid=1006 euid=1006 tty= ruser= rhost= user=drizzle
>>
>> /etc/pam.d/drizzled:
>>
>> auth required pam_unix.so
>> account required pam_unix.so
>>
>>
>

Lee Bieber (kalebral) on 2010-01-28
Changed in drizzle:
milestone: bell → cherry

With Build 1317 pam does not appear to be working.

Built:
checking for libpam... yes
checking how to link with libpam... -lpam

Starts without error

$ sbin/drizzled --mysql-protocol-port=3399 --plugin_add=auth_pam

I created a dummy OS user testuser/sakila2010

time bin/drizzle --port=4427 --user=testuser --password=sakila2010
ERROR 1045 (28000): Access denied for user 'testuser'@'127.0.0.1' (using password: YES)

real 0m0.003s
user 0m0.003s
sys 0m0.001s

With /etc/pam.d/check_user

$ cat /etc/pam.d/check_user
auth required pam_unix.so
account required pam_unix.so
[drizzle@dc1 deploy]$ time bin/drizzle --port=4427 --user=testuser --password=sakila2010
ERROR 1045 (28000): Access denied for user 'testuser'@'127.0.0.1' (using password: YES)

real 0m2.055s
user 0m0.002s
sys 0m0.002s

It takes a lot longer to timeout.

Eric Day (eday) wrote :

The authentication plugin system was a big broken, and lp:~eday/drizzle/mysql-protocol-password-hash-support fixes this. Once this branch is merged, PAM will work again.

It was still undecided on what to use as the PAM service name. I would choose 'drizzle', as that seems like the most straightforward. Thoughts?

Jay Pipes (jaypipes) wrote :

"It was still undecided on what to use as the PAM service name. I would choose 'drizzle', as that seems like the most straightforward. Thoughts?"

Do it. drizzle it is.

pam_auth still does not work. I tried the Ubuntu 11 binaries and a compiled rev of recent trunk code (on Ubuntu 10.04). I see in /var/log/auth.log:

Jun 5 14:20:06 dante unix_chkpwd[10691]: password check failed for user (daniel)
Jun 5 14:20:06 dante pamtester: pam_unix(drizzle:auth): authentication failure; logname=daniel uid=1000 euid=1000 tty= ruser= rhost= user=daniel

I know pam itself is working because I can authenticate with pamtester using the drizzle service. Even using,

account required pam_permit.so

in /etc/pam.d/drizzle which should allow everything doesn't work. So it seems the pam_auth code is broken, or I'm not doing something correctly. In either case, at least the Ubuntu 11 binaries should work out of the box.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers