Crypt seems to fail #41

Open
alexhass opened this issue Jul 28, 2017 · 7 comments

@alexhass

Is there any known bug in Debian 9? My password is 100% correct and works well from all other applications connected to this mysql instance. Roundcube, dovecot, z-push, nextcloud... but not with postfix and smtp auth.

libpam-mysql/stable,now 0.8.0-1 amd64 [installed]
PAM module interfacing with MySQL databases

Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - option debug is set to "1"
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = 'foo@example.com'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_converse() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_open_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_format_string() called
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_quick_escape() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = 'foo@example.com'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_sql_log() returning 0.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() returning 7.
Jul 28 21:53:22 myhost saslauthd[27369]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_release_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_destroy_ctx() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_close_db() called.
Jul 28 21:53:22 myhost saslauthd[27369]:                 : auth failure: [user=foo@example.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

I cannot find documentation on what pam_mysql_check_passwd() returning 6 or pam_sm_authenticate() returning 7 means. Debugging is on, but the passwords are not shown. So it is impossible to figure out what the root cause is.

pam_mysql is configured to use crypt=1. In Debian 7 it all worked well, but this was pam_mysql 0.7~RC1.

@NigelCunningham
Owner

Thanks for the report. pam_mysql_check_passwd() returning 6 is PAM_MYSQL_ERR_MISMATCH. Could the wrong crypt type be being used?
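
Added example, not part of this thread or of pam-MySQL's code: a small parser that groups pam_mysql debug lines like those quoted above into one record per pam_sm_authenticate() result, so the return codes read as names. Code 6 is named as in the reply above; 0 and 7 are Linux-PAM's PAM_SUCCESS and PAM_AUTH_ERR; the sample log is constructed from lines in this issue, and the username regex assumes the query shape shown there.

```python
import re

# 6 is named in the maintainer's reply; 0 and 7 are Linux-PAM's PAM_SUCCESS and
# PAM_AUTH_ERR. Any other code is reported as its number.
CHECK_PASSWD = {6: "PAM_MYSQL_ERR_MISMATCH"}
PAM_RESULT = {0: "PAM_SUCCESS", 7: "PAM_AUTH_ERR"}
# The syslog "proc[pid]: " prefix is optional so bare pam_mysql lines also parse.
LINE = re.compile(r"(?:(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: )?pam_mysql - (?P<msg>.*)")
RETURN = re.compile(r"(?P<func>\w+)\(\) returning (?P<code>\d+)")
# Assumption: the query has the shape shown in this issue's log.
USER = re.compile(r"WHERE username = '(?P<user>[^']*)'")

# Constructed sample: a subset of the saslauthd lines quoted in the issue.
SAMPLE_LOG = """\
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - SELECT password FROM users WHERE username = 'foo@example.com'
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_converse() called.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_mysql_check_passwd() returning 6.
Jul 28 21:53:22 myhost saslauthd[27369]: pam_mysql - pam_sm_authenticate() returning 7.
"""


def summarize(log_text):
    """Return one record per pam_sm_authenticate() result found in the log."""
    pending, finished = {}, []  # pending: (proc, pid) -> record being filled
    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if not line:
            continue
        key = (line["proc"], line["pid"])
        rec = pending.setdefault(key, {"proc": key[0], "pid": key[1], "user": None, "checks": []})
        user = USER.search(line["msg"])
        if user:
            rec["user"] = user["user"]
        ret = RETURN.search(line["msg"])
        if not ret:
            continue
        code = int(ret["code"])
        if ret["func"] == "pam_mysql_check_passwd":
            rec["checks"].append(CHECK_PASSWD.get(code, str(code)))
        elif ret["func"] == "pam_sm_authenticate":
            rec["result"] = PAM_RESULT.get(code, str(code))
            finished.append(pending.pop(key))
    return finished

if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG):
        print(record)
```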

@alexhass
Author

alexhass commented Feb 15, 2018

No. Not my bug. It worked on an older Debian server. Nothing has changed in the scripts.

@mekahell

mekahell commented Oct 8, 2018

Hi everyone :)

I've got the same issue on Debian 9 (Stretch) and 8 (Jessie).

After recompiling the module with more logs I've found something strange in the function pam_sm_authenticate (line 3729).

retval = pam_get_item(pamh, PAM_AUTHTOK, (PAM_GET_ITEM_CONST void **)&passwd); puts a null value into passwd when use_first_pass or try_first_pass options are enabled.

It seems that something has changed in libpam but I'm not able to find what exactly.
Sorry I'm not fluent in C :(

@maltris

maltris commented May 16, 2020

Apparently I am having the same issue on CentOS 8 (but for example not on Alpine 3.11).

pam_mysql - pam_mysql_check_passwd() returning 6.
pam_mysql - pam_sm_authenticate() returning 7.

Made double and triple sure that the hashes match. (Using crypt=1 and $6 crypt() hashes.)

I then tried crypt=0 and plaintext password in the db, just to be sure:

pam_mysql - SELECT password FROM users WHERE username = 'user2'
pam_mysql - pam_mysql_check_passwd() returning 6.
pam_mysql - pam_mysql_sql_log() called.
pam_mysql - pam_mysql_sql_log() returning 0.
pam_mysql - pam_sm_authenticate() returning 7.

No success.

pam packages:

pam.x86_64                         1.3.1-4.el8                             @System   
pam-devel.x86_64                   1.3.1-4.el8                             @BaseOS

Edit:

Quickly tried the same on a clean CentOS 7 container, same problem:

May 16 09:45:02 235d7fc3f033 sshd[82]: pam_mysql - pam_mysql_check_passwd() returning 6.
May 16 09:45:02 235d7fc3f033 sshd[82]: pam_mysql - pam_mysql_sql_log() called.
May 16 09:45:02 235d7fc3f033 sshd[82]: pam_mysql - pam_mysql_sql_log() returning 0.
May 16 09:45:02 235d7fc3f033 sshd[82]: pam_mysql - pam_sm_authenticate() returning 7.
[root@235d7fc3f033 /]# yum list installed | grep pam
pam.x86_64                               1.1.8-23.el7                   @CentOS 
pam-devel.x86_64                         1.1.8-23.el7                   @base 

pam-MySQL is the latest version from this repository. Compilation and building the container image with docker is done like this:

FROM centos:7

RUN yum -y install openssh make nss-devel mariadb-devel automake \
                   libtool which diffutils file git openssh-server pam-devel \
    && git clone https://github.com/NigelCunningham/pam-MySQL.git \
    && cd pam-MySQL \
    && autoreconf -i \
    && ./configure \
    && make \
    && strip .libs/pam_mysql.so \
    && make install \
    && cd .. \
    && rm -rf pam-MySQL

EXPOSE 22

CMD ["sshd"]

@NigelCunningham
Owner

We now have pre-releases of a new version using Meson and including some unit tests. Would you please retry with this version?

@m3t4tr0n

I have encountered this problem. For me, it turns out there was a single space after a line in the pam-mysql.conf config file.

@NigelCunningham
Owner

Hmm. Could you provide an example, @m3t4tr0n?
