2014-01-31 05:46:49 |
Jervin R |
bug |
|
|
added bug |
2014-01-31 05:47:11 |
Jervin R |
description |
As documentation stands, the PAM configuration /etc/pam.d/mysqld is not sufficient to authenticate properly. An internal failure with pam_unix.so will prevent a successful login even when authentication is a success.
http://www.percona.com/doc/percona-pam-for-mysql/manual.html#configuring-pam-for-mysql
[root@sbxc05 ~]# man pam_succeed
No manual entry for pam_succeed
[root@sbxc05 ~]# cat /etc/redhat-release
CentOS release 5.10 (Final)
[root@sbxc05 ~]# mysql -e 'select @@version, @@version_comment'
+-------------+-----------------------------------------------------+
| @@version | @@version_comment |
+-------------+-----------------------------------------------------+
| 5.5.35-33.0 | Percona Server (GPL), Release rel33.0, Revision 611 |
+-------------+-----------------------------------------------------+
How to repeat: simply follow http://www.mysqlperformanceblog.com/2013/08/14/getting-percona-pam-to-work-with-percona-server-its-client-apps/ using the versions above.
Workaround:
Add pam_permit.so in the PAM configuration:
auth required pam_warn.so
auth sufficient pam_unix.so
account required pam_unix.so
account required pam_permit.so
pam_permit.so seems to simply ignore the internal failure; password verification still works as expected.
[root@sbxc05 ~]# mysql -uap_user -pwrongpass
ERROR 1045 (28000): Access denied for user 'ap_user'@'localhost' (using password: YES)
[root@sbxc05 ~]# mysql -uap_user -pp3rc0na
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.5.35-33.0 Percona Server (GPL), Release rel33.0, Revision 611
Copyright (c) 2009-2013 Percona LLC and/or its affiliates
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
On the other hand, as the man page of pam_permit.so says, using this module is dangerous; hence I am filing this bug to potentially document the workaround and fix the internal failure. |
As documentation stands, the PAM configuration /etc/pam.d/mysqld is not sufficient to authenticate properly. An internal failure with pam_unix.so will prevent a successful login even when authentication is a success.
http://www.percona.com/doc/percona-pam-for-mysql/manual.html#configuring-pam-for-mysql
[root@sbxc05 ~]# man pam_succeed
No manual entry for pam_succeed
[root@sbxc05 ~]# cat /etc/redhat-release
CentOS release 5.10 (Final)
[root@sbxc05 ~]# mysql -e 'select @@version, @@version_comment'
+-------------+-----------------------------------------------------+
| @@version | @@version_comment |
+-------------+-----------------------------------------------------+
| 5.5.35-33.0 | Percona Server (GPL), Release rel33.0, Revision 611 |
+-------------+-----------------------------------------------------+
How to repeat: simply follow http://www.mysqlperformanceblog.com/2013/08/14/getting-percona-pam-to-work-with-percona-server-its-client-apps/ using the versions above.
Workaround:
Add pam_permit.so in the PAM configuration:
auth required pam_warn.so
auth required pam_unix.so
account required pam_unix.so
account required pam_permit.so
pam_permit.so seems to simply ignore the internal failure; password verification still works as expected.
[root@sbxc05 ~]# mysql -uap_user -pwrongpass
ERROR 1045 (28000): Access denied for user 'ap_user'@'localhost' (using password: YES)
[root@sbxc05 ~]# mysql -uap_user -pp3rc0na
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 31
Server version: 5.5.35-33.0 Percona Server (GPL), Release rel33.0, Revision 611
Copyright (c) 2009-2013 Percona LLC and/or its affiliates
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
On the other hand, as the man page of pam_permit.so says, using this module is dangerous; hence I am filing this bug to potentially document the workaround and fix the internal failure. |
|
2014-01-31 05:49:20 |
Jervin R |
attachment added |
|
pam-bad-auth-centos5-trace.log https://bugs.launchpad.net/percona-server/+bug/1274821/+attachment/3963848/+files/pam-bad-auth-centos5-trace.log |
|
2014-01-31 05:49:54 |
Jervin R |
attachment added |
|
pam-good-auth-centos6-trace.log https://bugs.launchpad.net/percona-server/+bug/1274821/+attachment/3963849/+files/pam-good-auth-centos6-trace.log |
|
2014-01-31 06:15:46 |
Laurynas Biveinis |
bug task added |
|
percona-pam-for-mysql |
|
2014-01-31 08:31:22 |
tsubasa tanaka |
bug |
|
|
added subscriber tsubasa tanaka |
2014-04-15 07:50:49 |
Nilnandan Joshi |
percona-pam-for-mysql: status |
New |
Confirmed |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
nominated for series |
|
percona-server/5.1 |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
bug task added |
|
percona-server/5.1 |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
nominated for series |
|
percona-server/5.5 |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
bug task added |
|
percona-server/5.5 |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
nominated for series |
|
percona-server/5.6 |
|
2014-04-15 09:47:22 |
Valerii Kravchuk |
bug task added |
|
percona-server/5.6 |
|
2014-04-15 09:51:30 |
Nilnandan Joshi |
percona-server/5.5: status |
New |
Confirmed |
|
2014-04-15 09:55:25 |
Nilnandan Joshi |
percona-server/5.1: status |
New |
Invalid |
|
2014-04-15 09:58:39 |
Nilnandan Joshi |
percona-server/5.6: status |
New |
Confirmed |
|
2014-04-15 14:03:29 |
Laurynas Biveinis |
percona-server/5.5: status |
Confirmed |
Incomplete |
|
2014-04-15 14:03:34 |
Laurynas Biveinis |
percona-pam-for-mysql: status |
Confirmed |
Incomplete |
|
2014-04-15 14:03:37 |
Laurynas Biveinis |
percona-server/5.6: status |
Confirmed |
Incomplete |
|
2014-04-17 09:12:21 |
Laurynas Biveinis |
percona-server/5.5: status |
Incomplete |
New |
|
2014-04-17 09:12:25 |
Laurynas Biveinis |
percona-server/5.6: status |
Incomplete |
New |
|
2014-04-17 09:12:27 |
Laurynas Biveinis |
percona-pam-for-mysql: status |
Incomplete |
New |
|
2014-04-17 09:29:38 |
Valerii Kravchuk |
percona-server/5.5: status |
New |
Confirmed |
|
2014-04-17 09:29:51 |
Valerii Kravchuk |
percona-pam-for-mysql: status |
New |
Confirmed |
|
2014-04-17 09:29:58 |
Valerii Kravchuk |
percona-server/5.6: status |
New |
Invalid |
|
2014-04-17 09:31:05 |
Valerii Kravchuk |
percona-server/5.6: status |
Invalid |
Confirmed |
|
2014-04-17 12:54:37 |
Sergei Glushchenko |
percona-pam-for-mysql: status |
Confirmed |
Incomplete |
|
2014-04-17 12:54:39 |
Sergei Glushchenko |
percona-server/5.6: status |
Confirmed |
Incomplete |
|
2014-04-17 12:54:42 |
Sergei Glushchenko |
percona-server/5.5: status |
Confirmed |
Incomplete |
|
2014-06-17 04:17:37 |
Launchpad Janitor |
percona-server/5.5: status |
Incomplete |
Expired |
|
2014-06-17 04:17:41 |
Launchpad Janitor |
percona-server/5.6: status |
Incomplete |
Expired |
|
2014-06-18 07:38:28 |
Nilnandan Joshi |
attachment added |
|
mysqld.strace.pam https://bugs.launchpad.net/percona-server/+bug/1274821/+attachment/4133914/+files/mysqld.strace.pam |
|
2014-06-18 07:38:37 |
Nilnandan Joshi |
percona-server/5.5: status |
Expired |
Confirmed |
|
2014-06-18 07:38:43 |
Nilnandan Joshi |
percona-server/5.6: status |
Expired |
Confirmed |
|
2014-06-18 07:38:51 |
Nilnandan Joshi |
bug |
|
|
added subscriber Nilnandan Joshi |
2014-06-18 07:39:00 |
Nilnandan Joshi |
percona-pam-for-mysql: status |
Incomplete |
Confirmed |
|
2014-06-22 08:17:14 |
Laurynas Biveinis |
percona-server/5.5: assignee |
|
Sergei Glushchenko (sergei.glushchenko) |
|
2014-06-22 08:17:24 |
Laurynas Biveinis |
percona-server/5.6: assignee |
|
Sergei Glushchenko (sergei.glushchenko) |
|
2014-06-22 08:17:30 |
Laurynas Biveinis |
percona-pam-for-mysql: assignee |
|
Sergei Glushchenko (sergei.glushchenko) |
|
2014-06-22 08:17:33 |
Laurynas Biveinis |
percona-server/5.5: importance |
Undecided |
Medium |
|
2014-06-22 08:17:35 |
Laurynas Biveinis |
percona-server/5.6: importance |
Undecided |
Medium |
|
2014-06-22 08:17:38 |
Laurynas Biveinis |
percona-pam-for-mysql: importance |
Undecided |
Medium |
|
2014-06-22 08:17:40 |
Laurynas Biveinis |
percona-server/5.5: status |
Confirmed |
Triaged |
|
2014-06-22 08:17:42 |
Laurynas Biveinis |
percona-pam-for-mysql: status |
Confirmed |
Triaged |
|
2014-06-22 08:17:44 |
Laurynas Biveinis |
percona-server/5.6: status |
Confirmed |
Triaged |
|
2014-06-29 08:43:57 |
Laurynas Biveinis |
tags |
|
doc |
|
2014-06-29 08:44:05 |
Laurynas Biveinis |
percona-server/5.5: assignee |
Sergei Glushchenko (sergei.glushchenko) |
Hrvoje Matijakovic (hrvojem) |
|
2014-06-29 08:44:10 |
Laurynas Biveinis |
percona-server/5.6: assignee |
Sergei Glushchenko (sergei.glushchenko) |
Hrvoje Matijakovic (hrvojem) |
|
2014-06-29 08:44:15 |
Laurynas Biveinis |
percona-pam-for-mysql: assignee |
Sergei Glushchenko (sergei.glushchenko) |
Hrvoje Matijakovic (hrvojem) |
|
2015-12-04 09:16:09 |
Laurynas Biveinis |
tags |
doc |
doc pam |
|
2016-03-24 15:25:47 |
Laurynas Biveinis |
nominated for series |
|
percona-server/5.7 |
|
2016-03-24 15:25:47 |
Laurynas Biveinis |
bug task added |
|
percona-server/5.7 |
|
2016-03-24 15:25:55 |
Laurynas Biveinis |
percona-server/5.7: status |
Triaged |
Invalid |
|
2016-03-24 15:25:58 |
Laurynas Biveinis |
percona-server/5.7: importance |
Medium |
Undecided |
|
2016-03-24 15:26:01 |
Laurynas Biveinis |
percona-server/5.7: assignee |
Hrvoje Matijakovic (hrvojem) |
|
|
2017-08-01 06:48:28 |
Hrvoje Matijakovic |
percona-server/5.5: status |
Triaged |
Won't Fix |
|
2017-08-01 06:48:31 |
Hrvoje Matijakovic |
percona-server/5.6: status |
Triaged |
Won't Fix |
|
2017-08-01 06:48:35 |
Hrvoje Matijakovic |
percona-pam-for-mysql: status |
Triaged |
Won't Fix |
|