pam_mysql-0.5 is set up and working fine, except when three incorrect password attempts are made on accounts locked with a password that doesn't correspond to a 3DES or MD5 hash...

    % ssh user@host
    Password:
    Password:
    Password:
    Connection closed by 192.168.0.1

After the third, we get a segfault:

    [...]
    May 3 10:06:51 [sshd] pam_mysql: select returned an invalid encrypted password
    May 3 10:06:51 [sshd] fatal: PAM: authentication thread exited unexpectedly
    [...]
    [pid 27669] rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
    [pid 27669] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    Process 27669 detached

I recompiled pam_mysql by hand, and the problem went away. I determined that the problem occurs because the ebuild removes the #define DEBUG line in pam_mysql.c -- without that line, we get the segfault. With the line there, however, we get lots of noise in syslog...

Reproducible: Always

Steps to Reproduce:
1. emerge pam_mysql
2. set up pam_mysql
3. define a user in the database with '!' in the encrypted password field
4. ssh user@host
5. try to enter a password (3x)

Actual Results:
segfault

    fatal: PAM: authentication thread exited unexpectedly

Expected Results:
ssh should have given up on PAM authentication and tried three more times from the local /etc/{passwd,shadow} files:

    % ssh user@host
    Password:
    Password:
    Password:
    user@host's password:
    Permission denied, please try again.
    user@host's password:
    Permission denied, please try again.
    user@host's password:
    Permission denied (publickey,password,keyboard-interactive).

I'm working on determining the exact cause and providing a patch.
The problem appears to be on line 551 of pam_mysql.c. The code detects that the password hash stored in the db is too small to be a 3DES or MD5 hash, and just leaves the switch block with a break, without setting up some important variables needed later on for building a hash for the user-supplied password and comparing with the database's hash. I'm not entirely sure why this was only a problem with #undef DEBUG.

Instead of breaking out of the switch, this should return retvalue, which is still set to the db_checkpass function's default of PAM_AUTH_ERR.
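The pattern described in the comment above, as an added example that is not part of the original bug thread and is not pam_mysql's code: a simplified model of a password check where `break` on a too-short stored hash falls through to the comparison, next to the early-return form. The names check_buggy, check_fixed, toy_crypt and crypt_type, the local return-code constants and the minimum length of 13 are all assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
enum { AUTH_SUCCESS = 0, AUTH_ERR = 7 };  /* local stand-ins for PAM_SUCCESS / PAM_AUTH_ERR */
#define MIN_HASH_LEN 13  /* assumed: length of a traditional crypt(3) DES hash */

/* Toy, NON-cryptographic stand-in for crypt(3): 2 salt chars + 11 derived chars. */
static const char *toy_crypt(const char *pw, const char *salt)
{
    static char out[MIN_HASH_LEN + 1];  /* static storage: stays NUL-terminated */
    unsigned h = 0, i;
    for (i = 0; pw[i]; i++) h += (i + 1) * (unsigned char)pw[i];
    out[0] = salt[0]; out[1] = salt[1];
    for (i = 2; i < MIN_HASH_LEN; i++) out[i] = (char)('a' + (h + i * i) % 26);
    return out;
}

/* Modelled defect: `break` on a too-short hash leaves `computed` unset. */
static int check_buggy(int crypt_type, const char *stored, const char *pw)
{
    int retvalue = AUTH_ERR;
    const char *computed = NULL;
    switch (crypt_type) {
    case 1:
        if (strlen(stored) < MIN_HASH_LEN) break;  /* only leaves the switch */
        computed = toy_crypt(pw, stored);
    }
    if (strcmp(computed, stored) == 0) retvalue = AUTH_SUCCESS;  /* NULL deref for "!" */
    return retvalue;
}

/* Fix proposed in the comment: return the default error code immediately. */
static int check_fixed(int crypt_type, const char *stored, const char *pw)
{
    int retvalue = AUTH_ERR;
    const char *computed = NULL;
    switch (crypt_type) {
    case 1:
        if (strlen(stored) < MIN_HASH_LEN) return retvalue;  /* fail closed */
        computed = toy_crypt(pw, stored);
    }
    /* Second guard: an unhandled crypt_type must not reach strcmp either. */
    if (computed != NULL && strcmp(computed, stored) == 0) retvalue = AUTH_SUCCESS;
    return retvalue;
}

int main(void)
{
    printf("locked account ('!'): %d\n", check_fixed(1, "!", "s3cret"));
    return 0;
}
```

check_buggy is only safe to call with a full-length stored hash; with "!" it dereferences a null pointer in this model.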
Created attachment 30618 [details, diff]
patch for pam_mysql-0.5's pam_mysql.c - avoids segfault

Avoids segfault from attempting to authenticate vs. invalid encrypted passwords stored in database (i.e. '!'), which are commonly used to lock accounts. This patch will also be submitted to pam-mysql.sourceforge.net. I'll try to work this into a new pam_mysql-0.5-r1 ebuild and attach that here, too.
Created attachment 30626 [details]
my portage overlay for fixing this problem

Here's a proposed pam_mysql-0.5-r1.ebuild tarball (based in /usr/local/portage) that includes the patch above.
Created attachment 30631 [details]
portage overlay, including "no match, no complain" patch

Fixes the same problem, and additionally silences erroneous syslog message stating...

    May 3 14:25:52 [sshd] pam_mysql: select returned more than one result

...when there really were no matches, which isn't as important as multiple matches.
Created attachment 30643 [details]
portage overlay, with previous patches, adds patch to specify mysql port number

One last patch! (at least for today!) This patch allows us to change the port number pam_mysql will try to connect to the mysql server on. In the pam config file, just add port=##### into the pam_mysql.so parameter list.
Any activity or comments regarding these patches?
Created attachment 58730 [details]
portage overlay, with previous patches, properly inherits eutils, etc.

The patches were not being applied with the previous overlay. Added...

    inherit eutils toolchain-funcs

...to the ebuild.
Bumped to 0.6.0 which seems to fix all these issues. If there is a new problem, please open a new bug.