
Skip first pass in sasl-pam-mysql authentication

Open · gsommavilla opened this issue · 1 comment

I have configured saslauthd + pam + mysql on my machine (debian testing, also tried on Ubuntu 22) to authenticate against a mysql DB.

Whenever I try authentication with credentials (e.g., with testsaslauthd calling libpam) the PAM module does not immediately query the mysql database, but tries the first pass, i.e., if it finds a previous authentication that matches the password entered, it responds successfully (thus skipping querying the db).

But if I change the password on the DB, each login attempt with the old password is still successful until the first login with the new password occurs.

This looks like the behaviour described by the parameter try_first_pass, but I didn't define it in my PAM configuration.

I would like to be able to change passwords on the mysql DB and have the old password stop working from then on, without necessarily having to restart saslauthd (which resets the value of the first pass) or try the new password.

How can I prevent the first pass from being attempted?

NB: I have also asked this here:

  • https://unix.stackexchange.com/questions/738619/skip-first-pass-in-sasl-pam-mysql-authentication
  • https://github.com/linux-pam/linux-pam/issues/545#issuecomment-1455894100 (the linux-pam guys redirected me to the developers of the mysql PAM module)

POST SCRIPTUM:

  1. Versions of PAM modules:

                           Debian testing   Ubuntu 22
       libpam-mysql:amd64  0.8.2-2          0.8.1-5build1
       libpam0g:amd64      1.5.2-6          1.4.0-11ubuntu2.3
  2. PAM configurations:

    I have configured an smtp service in pam.d/ like this:

    $ cat /etc/pam.d/smtp
    auth       required     pam_nologin.so
    auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
    account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
    password   required     pam_deny.so

    It uses /etc/mail-pam-mysql.conf which is:

    verbose = 1;
    users.host = dbhost;
    users.database = dbname;
    users.db_user = dbuser;
    users.db_passwd = MYDBPASSWORD;
    users.password_crypt = 1;
    users.table = accountuser;
    users.user_column = username;
    users.password_column = password;
    log.table = log;
    log.message_column  = msg;
    log.pid_column  = pid;
    log.user_column  = user;
    log.host_column  = host;
    log.time_column  = time;

gsommavilla · Mar 06 '23 11:03

Hi there and apologies for the slow reply.

try_first_pass defaults to true (as the README says). You should explicitly set it to false.

NigelCunningham · Jul 29 '23 10:07
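As an added illustration of the fix the reply points at (this is not configuration from the issue author or from the pam-MySQL project), here is the reporter's /etc/pam.d/smtp stack with the first-pass behaviour turned off on the pam_mysql line. It assumes that pam_mysql accepts try_first_pass as a boolean module argument in pam.d next to config_file, in the same 0/1 form the module uses for its other boolean options; everything else is the stack from the report.

```text
# /etc/pam.d/smtp  (added example: original stack, then the corrected pam_mysql line)

# Before: try_first_pass is not set, so pam_mysql's default (true) applies and a
# password already present in the PAM handle is accepted without a DB query.
#auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf

auth       required     pam_nologin.so
# After: force a database lookup on every authentication attempt.
auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf try_first_pass=0
account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
password   required     pam_deny.so
```

To check that a password change in the accountuser table takes effect immediately, run testsaslauthd (the tool the report already uses) twice against saslauthd after updating the row: once with the old password, which should now be rejected, and once with the new one, which should succeed, with no saslauthd restart in between. Disabling try_first_pass removes the window in which a revoked or rotated password keeps working, which is the security property the reporter is asking for.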