Is it possible to read password from mysql client?

Bug #920531 reported by Zhang Lu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
percona-pam-for-mysql | Fix Released | Critical | Sergei Glushchenko |

Bug Description

This plugin works fine with interactive mysql client connection.
But since it only reads the PAM prompt, it is not possible to use it with other clients (DBI, php etc).
Would it be possible to make it compatible for the others?
e.g. if a password is supplied, use that password to auth with PAM, bypass PAM prompt.
The goal is to use it with all other traditional connection methods.

Sergei Golubchik (sergii) wrote :

it's the problem of the dialog plugin. Laurynas, see how it's done in the latest mariadb 5.2.

Sergei Golubchik (sergii) wrote :

like here: http://blog.montyprogram.com/security-with-two-step-verification/
the password is supplied by the client and it's used, as expected.

Zhang Lu (zhanglu9) wrote :

Here is my hack to make it work with the clients.

--- auth_pam.c 2012-01-23 14:08:16.000000000 -0500
+++ ../mysql-pam-auth-plugin.new/auth_pam.c 2012-01-23 14:02:18.000000000 -0500
@@ -320,11 +320,16 @@

 /* The client plugin */

+#include <mysql.h>
+
 /* Returns malloc-allocated string, NULL in case of memory error. */
-static char * prompt_echo_off (const char * prompt)
+static char * prompt_echo_off (const char * prompt, MYSQL *mysql)
 {
   /* TODO: getpass not thread safe. Probably not a big deal in the mysql
      client program, but may be missing on non-glibc systems. */
+ if ( strlen(mysql->passwd) > 0 ) {
+ return strdup(mysql->passwd);
+ }
   char* getpass_input= getpass(prompt);
   return strdup(getpass_input);
 }
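
Review bot: the added `strlen(mysql->passwd)` in prompt_echo_off dereferences both `mysql` and `mysql->passwd` with no NULL check, and nothing in this hunk shows that either is guaranteed to be set when the plugin runs. Guard it, for example `if (mysql && mysql->passwd && mysql->passwd[0])`, which also avoids walking the whole string just to test for emptiness. The new `if` block also sits above the `char* getpass_input` declaration, so the function now mixes statements and declarations; move the declaration to the top if the plugin has to build with C89 compilers. The TODO comment still describes only getpass and should mention the stored-password path.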
@@ -362,7 +367,7 @@
 }

 static int authenticate_user_with_pam_client (MYSQL_PLUGIN_VIO *vio,
- struct st_mysql *mysql)
+ MYSQL *mysql)
 {
   return authenticate_user_with_pam_client_common (vio, mysql,
                                                    &prompt_echo_off,
--- lib_auth_pam_client.c 2012-01-23 14:12:53.000000000 -0500
+++ ../mysql-pam-auth-plugin.new/lib_auth_pam_client.c 2012-01-23 14:11:58.000000000 -0500
@@ -27,11 +27,13 @@
 #include <assert.h>
 #include <string.h>

+
 #define MY_ASSERT_UNREACHABLE() assert(0)

 int authenticate_user_with_pam_client_common (MYSQL_PLUGIN_VIO *vio,
- struct st_mysql *mysql __attribute__((unused)),
- prompt_fn echoless_prompt_fn,
+ /* struct st_mysql *mysql __attribute__((unused)), */
+ MYSQL *mysql,
+ prompt_fn_off echoless_prompt_fn,
                                               prompt_fn echo_prompt_fn,
                                               info_fn show_error_fn,
                                               info_fn show_info_fn)
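
Review bot: the commented-out `/* struct st_mysql *mysql __attribute__((unused)), */` line in the parameter list is dead code and should be deleted rather than kept, and the extra blank line added above `MY_ASSERT_UNREACHABLE` is unrelated noise. The echo-off callback type also changes to `prompt_fn_off`, whose definition is not visible in this file's hunks; it needs a documented typedef in the header, and every other caller of authenticate_user_with_pam_client_common has to be updated to pass a callback with the new two-argument signature.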
@@ -50,7 +52,7 @@
     {
       /* '\2' - PAM_PROMPT_ECHO_OFF, '\3' - PAM_PROMPT_ECHO_ON */
       char *reply = (buf[0] == '\2')
- ? echoless_prompt_fn(&buf[1]) : echo_prompt_fn(&buf[1]);
+ ? echoless_prompt_fn(&buf[1], mysql) : echo_prompt_fn(&buf[1]);
       if (!reply)
         return CR_ERROR;
       if (vio->write_packet(vio, (unsigned char *)reply, strlen(reply) + 1))
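
Review bot: in the `'\2'` branch, `echoless_prompt_fn(&buf[1], mysql)` now answers every echo-off prompt the server sends with the same stored password, because prompt_echo_off returns `mysql->passwd` whenever it is non-empty and never looks at the prompt text or at how many prompts have already been answered. A PAM stack that asks a second echo-off question, or that asks again after a failed attempt, would receive the account password each time with no user involvement. Track whether the stored password has already been used in this conversation, then prompt interactively or return CR_ERROR for any later echo-off request. Since `reply` can now be a heap copy of the connection password, it should be cleared before it is freed.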
@@ -64,7 +66,7 @@
       show_error_fn(&buf[1]);
     else if (buf[0] == '\5') /* PAM_TEXT_INFO */
       show_info_fn(&buf[1]);
- else if (buf[0] == '\0') /* end-of-authorization */
+ else if (buf[0] == '\0') /* end-of-authorization */
       return CR_OK;
     else
       return CR_ERROR; /* Unknown! */
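
Review bot: the removed and added `else if (buf[0] == '\0') /* end-of-authorization */` lines differ only in whitespace as shown, so this hunk carries no functional change. Drop it from the patch to keep the diff limited to the password handling.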
--- lib_auth_pam_client.h 2012-01-06 15:50:52.000000000 -0500
+++ ../mysql-pam-auth-plugin.new/lib_auth_pam_client.h 2012-01-23 11:47:04.000000000 -0500
@@ -28,13 +28,14 @@
 #define STDCALL

 #include <mysql/client_plugin.h>
-
+#include <mysql.h>
 /**
  Callback type for functions that prompt the user for (echoed or silent) input
  and return it. Should returns a pointer to malloc-allocated string, t...


Laurynas Biveinis (laurynas-biveinis) wrote :

Yes, we are well-aware of this and will fix for the Percona full release. I believe it is already fixed in MariaDB.

Changed in percona-pam-for-mysql:
milestone: none → percona-full-pam
importance: Undecided → Critical
status: New → Triaged
Changed in percona-pam-for-mysql:
assignee: nobody → Sergei Glushchenko (sergei.glushchenko)
status: Triaged → Fix Released