Created attachment 1607565 [details] Verbose log output of pam_mysql Description of problem: Any password encryption method besides 0 (i.e. "plain") results in an authentication failure. Version-Release number of selected component (if applicable): pam_mysql-0.8.1-0.4.fc30.x86_64 How reproducible: Always Steps to Reproduce: 1. Create database, e.g. CREATE database vpn_db; CREATE TABLE tbl_user ( username varchar(128), password varchar(128) NOT NULL, PRIMARY KEY (username) ); INSERT INTO vpn_db.tbl_user (username, password) VALUES ('test', sha2('test', 512)); 2. Create /etc/pam.d/mysql with the following content auth optional pam_mysql.so config_file=/etc/pam_mysql.conf verbose=1 account required pam_mysql.so config_file=/etc/pam_mysql.conf verbose=1 3. Create /etc/pam_mysql.conf (change username/password/host/port accordingly) users.host = 127.0.0.1:3306 users.database = vpn_db users.db_user = root users.db_passwd = my-secret-pw users.table = tbl_user users.user_column = tbl_user.username users.password_column = tbl_user.password users.password_crypt = 8 Note: These match the default of the official mysql and maraidb containers, so one can quickly test this by running docker run --name some-mariadb --network=host -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mariadb 4. Run pamtester: echo "test" | pamtester -v mysql test authenticate Actual results: pamtester: invoking pam_start(mysql, test, ...) pamtester: performing operation - authenticate Password:pamtester: Permission denied Expected results: pamtester: invoking pam_start(mysql, test, ...) pamtester: performing operation - authenticate Password:pamtester: successfully authenticated Additional info: The result is the same for any password encryption method (tested md5, sha1, sha256, sha512). Authentications works as expected with plain text passwords though. Updating to the latest commit (4f76d51671d3fcca495122e2404c746685563422) fixes this issue. A mock build for testing this is available here https://copr.fedorainfracloud.org/coprs/spike/pam-MySQL/
Pull request here: https://src.fedoraproject.org/rpms/pam_mysql/pull-request/1
The pamtester is complete rubbish.. [root@eve pam.d]# echo "nein" | pamtester -v su paula authenticate pamtester: invoking pam_start(su, paula, ...) pamtester: performing operation - authenticate pamtester: successfully authenticated [root@eve pam.d]# echo "23234nein" | pamtester -v su paula authenticate pamtester: invoking pam_start(su, paula, ...) pamtester: performing operation - authenticate pamtester: successfully authenticated ... disabling pam_mysql entirely in su pamfile ... [root@eve pam.d]# echo "23234nein" | pamtester -v su paula authenticate pamtester: invoking pam_start(su, paula, ...) pamtester: performing operation - authenticate pamtester: successfully authenticated and guess what.. the password is neither "nein" nor "23234nein" . I have no clue what pamtester tests, but it's pure fantasy.
btw: updating to the fc32 build of pam_mysql did not change anything.
BTW: if pam.d/password-auth is changed to use pam_mysql, you get this: Feb 28 00:27:01 eve sshd[13851]: pam_mysql - pam_sm_authenticate() called. Feb 28 00:27:01 eve sshd[13851]: pam_mysql - pam_mysql_open_db() called. Feb 28 00:27:01 eve sshd[13851]: pam_mysql - MySQL error (Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)) Feb 28 00:27:01 eve sshd[13851]: pam_mysql - pam_mysql_open_db() returning 5. Feb 28 00:27:01 eve sshd[13851]: pam_mysql - pam_sm_authenticate() returning 9. Feb 28 00:27:01 eve sshd[13851]: libnss-mysql: Connection to server 'localhost' failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) Feb 28 00:27:03 eve sshd[13851]: Failed password for invalid user paula from 127.0.0.1 port 60770 ssh2 Feb 28 00:27:32 eve sshd[13851]: Connection closed by invalid user paula 127.0.0.1 port 60770 [preauth] Feb 28 00:27:32 eve sshd[13851]: pam_mysql - pam_mysql_release_ctx() called. Feb 28 00:27:32 eve sshd[13851]: pam_mysql - pam_mysql_destroy_ctx() called. Feb 28 00:27:32 eve sshd[13851]: pam_mysql - pam_mysql_close_db() called. of course dbserver is running, because funny enough: pamtester (as user x, not root ) can access it .. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_sql_log() called. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_format_string() called Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_quick_escape() called. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_quick_escape() called. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_quick_escape() called. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_quick_escape() called. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - INSERT INTO log (message, user, host, rhost, pid, time) VALUES ('AUTHENTICATION SUCCESS (FIRST_PASS)', 'paula', '127.0.0.1', '(unknown)', '13796', NOW()) Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_mysql_sql_log() returning 0. Feb 28 00:25:25 eve pamtester[13796]: pam_mysql - pam_sm_authenticate() returning 0. Feb 28 00:25:27 eve pamtester[13796]: pam_mysql - pam_mysql_release_ctx() called. Feb 28 00:25:27 eve pamtester[13796]: pam_mysql - pam_mysql_destroy_ctx() called. Feb 28 00:25:27 eve pamtester[13796]: pam_mysql - pam_mysql_close_db() called. so i revise my statement from rubbish to "it helps a tiny bit" :)
::::ARGS:::: FYI: SELinux disrupts access to mysql.sock for pam_mysql and nss.. Seperate BR filed.
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Spike? Can you change it to f31?
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Hi Paul, This bug still exists on Fedora 32. I've updated the version accordingly. Since it's quite a simple fix and there's already a pull request, could you go ahead and merge that? If you think the patch needs some more work please let me know. Happy to make changes and resubmit. Cheers!
Bug is still present on Fedora 33. I've updated the version accordingly. The PR (https://src.fedoraproject.org/rpms/pam_mysql/pull-request/1) was also updated to reflect the latest upstream changes. Latest upstream commit is now 03a98ea508d9c7ee1ff71e735d76d9d99bd25c97
This is still an issue on Fedora 34. The current build is https://koji.fedoraproject.org/koji/buildinfo?buildID=1684633 which is still b8ea8eb93235bbcc4127ab6491a8eb9b60ab550a (see https://koji.fedoraproject.org/koji/rpminfo?rpmID=24878876). Could somebody please trigger a new build and ideally submit an update through bodhi?
FEDORA-2021-87f7b6b10e has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-87f7b6b10e
FEDORA-2021-f118399480 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-f118399480
FEDORA-2021-87f7b6b10e has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-87f7b6b10e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-87f7b6b10e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-f118399480 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-f118399480` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f118399480 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-8f605d9ac3 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8f605d9ac3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8f605d9ac3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Hi Paul, Since 'stable by time' was explicitly disabled for these updates, could you please go ahead and push them to stable? Cheers!
FEDORA-2021-8f605d9ac3 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-87f7b6b10e has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-f118399480 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.