PAM Plugin Fails on CentOS 5
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.1 | Invalid | Undecided | Unassigned |
5.5 | Won't Fix | Medium | Hrvoje Matijakovic |
5.6 | Won't Fix | Medium | Hrvoje Matijakovic |
5.7 | Invalid | Undecided | Unassigned |
percona-pam-for-mysql | Won't Fix | Medium | Hrvoje Matijakovic |
Bug Description
As documentation stands, the PAM configuration /etc/pam.d/mysqld is not sufficient to authenticate properly. An internal failure with pam_unix.so will prevent a successful login even when authentication is a success.
http://
[root@sbxc05 ~]# man pam_succeed
No manual entry for pam_succeed
[root@sbxc05 ~]# cat /etc/redhat-release
CentOS release 5.10 (Final)
[root@sbxc05 ~]# mysql -e 'select @@version, @@version_comment'
+------
| @@version | @@version_comment |
+------
| 5.5.35-33.0 | Percona Server (GPL), Release rel33.0, Revision 611 |
+------
How to repeat: simply follow http://
Workaround:
Add pam_permit.so in the PAM configuration:
auth required pam_warn.so
auth required pam_unix.so
account required pam_unix.so
account required pam_permit.so
pam_permit.so seems to simply ignore the internal failure; password verification still works as expected.
[root@sbxc05 ~]# mysql -uap_user -pwrongpass
ERROR 1045 (28000): Access denied for user 'ap_user'
[root@sbxc05 ~]# mysql -uap_user -pp3rc0na
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.5.35-33.0 Percona Server (GPL), Release rel33.0, Revision 611
Copyright (c) 2009-2013 Percona LLC and/or its affiliates
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
On the other hand, as the man page of pam_permit.so says, using this module is dangerous; hence I am filing this bug to potentially document the workaround and fix the internal failure.
tags: added: pam
Changed in percona-pam-for-mysql:
status: Triaged → Won't Fix
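An added example, not part of the original report or of Percona's code: a small Python auditor that parses a /etc/pam.d service file and classifies each pam_permit.so rule by whether a required or requisite module can still deny access. It goes beyond the workaround shown above by also covering `sufficient` placement and include lines; the sample input is the workaround stack from the report, and the verdict names (OPEN, MASKING, REVIEW) and the NON_GATING list are assumptions of this example.

```python
import re

# Constructed sample: the workaround stack quoted in the report above.
WORKAROUND = """\
auth required pam_warn.so
auth required pam_unix.so
account required pam_unix.so
account required pam_permit.so
"""

# Assumption: modules that never reject anyone, so they cannot gate a stack.
NON_GATING = {"pam_permit.so", "pam_warn.so"}
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return {type: [(control, module), ...]} for one /etc/pam.d service file."""
    stacks = {}
    for line in text.splitlines():
        # Drop comments; Debian-style '@include' lines do not match and are ignored.
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            kind, control, module = m.groups()
            stacks.setdefault(kind, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def audit(text):
    """Classify every pam_permit.so rule as OPEN, MASKING or REVIEW."""
    findings = []
    for kind, rules in parse(text).items():
        for i, (control, module) in enumerate(rules):
            if module != "pam_permit.so":
                continue
            # 'sufficient' returns success at once, so only earlier rules can gate it;
            # for the other simple controls any rule in the stack can.
            scope = rules[:i] if control == "sufficient" else rules
            gated = any(c in ("required", "requisite") and m not in NON_GATING
                        for c, m in scope)
            opaque = any(c.startswith("[") or c in ("include", "substack")
                         for c, _ in rules)
            if opaque:
                verdict = "REVIEW"    # bracket controls and includes are not evaluated
            elif gated:
                verdict = "MASKING"   # a failing required/requisite module still denies
            else:
                verdict = "OPEN"      # nothing in this stack can deny access
            findings.append((kind, control, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(WORKAROUND):
        print(*finding)
```
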
An strace output of bad PAM authentication in CentOS 5; more specifically, it fails on:
readlink("/proc/self/exe", 0x2af628896e70, 4096) = -1 EACCES (Permission denied)