Sample pam config listed in http://www.percona.com/doc/percona-pam-for-mysql/manual.html#configuring-pam-for-mysql makes authentication prompt twice

Bug #1103395 reported by Jaime Sicam
This bug affects 1 person
Affects: percona-pam-for-mysql
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

If I use this config for /etc/pam.d/mysqld

auth required pam_unix.so
account required pam_unix.so
auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit

On mysql client:
mysql -u pam1 -ppam1pass
Password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.28-29.3 Percona Server (GPL), Release rel29.3, Revision 388

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit

On python client:
python dbconnect.py
Password:

On Java:
java SampleJDBC
test
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 12,664 milliseconds ago. The last packet sent successfully to the server was 12,664 milliseconds ago.

Removing/commenting the first two lines makes PAM plugin authentication behave well:
#auth required pam_unix.so
#account required pam_unix.so

Sample connect scripts:

MySQL console:
mysql -u pam1 -ppam1pass

Python:
import MySQLdb
db = MySQLdb.connect(host="localhost", user="pam1", passwd="pam1pass", db="test")

Java:
import java.sql.*;

public class SampleJDBC {
    public static void main(String[] args) {
        System.setProperty("javax.net.ssl.keyStore","/etc/mysql/newcerts/keystore");
        System.setProperty("javax.net.ssl.keyStorePassword","sample");
        System.setProperty("javax.net.ssl.trustStore","/etc/mysql/newcerts/truststore");
        System.setProperty("javax.net.ssl.trustStorePassword","sample");
        System.out.println("test");
        try {
            Class.forName("com.mysql.jdbc.Driver");
            Connection con = DriverManager.getConnection("jdbc:mysql://localhost/mysql?useSSL=true&requireSSL=true&defaultAuthenticationPlugin=com.mysql.jdbc.authentication.MysqlClearPasswordPlugin" ,"pam4", "pam4pass");
            Statement statement = con.createStatement();
            ResultSet rs = statement.executeQuery("SELECT * FROM user");
            for (int i = 1; i <= rs.getMetaData().getColumnCount(); i++) {
                System.out.println("Column " + i + " " + rs.getMetaData().getColumnName(i));
            }
        }
        catch (Exception e) {
            System.out.println(e);
        }
    }
}

Raghavendra D Prabhu (raghavendra-prabhu) wrote :

The config is meant to be just

auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit

as per the docs, which is why it mentions it as 'you can expand it to be'.

So, yes, using it again in the end will lead to duplication in the PAM stack.

Jaime Sicam (jssicam) wrote :

Understood. I would propose to add a PAM comment/header to the example just to make it clear. Example:

#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so

#%PAM-1.0
auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit
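
Added example, not part of the original report or of Percona's code: a small Python check that parses a PAM service file and flags any module stacked more than once under the same type, which is the duplication discussed in this thread. The two sample files are constructed from the lines quoted in the report; `parse_pam_service` and `duplicate_modules` are hypothetical helper names.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the five-line /etc/pam.d/mysqld from the report.
REPORTED = """\
auth required pam_unix.so
account required pam_unix.so
auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit
"""

# Constructed sample: the three-line stack with the proposed header.
INTENDED = """\
#%PAM-1.0
auth required pam_warn.so
auth required pam_unix.so audit
account required pam_unix.so audit
"""

# type, control (plain word or [bracketed] form), module path, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_service(text):
    """Return (lineno, type, control, module, args) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments such as #%PAM-1.0
        match = RULE.match(line)
        if match:
            mtype, control, module, args = match.groups()
            rules.append((lineno, mtype.lstrip("-"), control, module, args.split()))
    return rules

def duplicate_modules(text):
    """Map (type, module) to its line numbers when stacked more than once."""
    seen = defaultdict(list)
    for lineno, mtype, control, module, _args in parse_pam_service(text):
        if control in ("include", "substack"):
            continue  # these name another service file, which is not followed here
        seen[(mtype, os.path.basename(module))].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for (mtype, module), lines in duplicate_modules(REPORTED).items():
        print(f"{mtype} {module} appears on lines {lines}")
```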
