[Maria-developers] To Sergei:
Hi Sergei.. just a few questions. Hope not to bother too much!

Does the .so file of two_questions exist in the mariadb 10.0.2 source code or was that just an example?

Also, if I'm looking to implement pluggable authentication for LDAP, does the version of mariadb I'm doing this on matter? If it does, which version would you recommend? I'm currently on v10.0.2..

What is the advantage of going for a pluggable authentication over say a module made for the PAM plugin in mariadb?

Regards
Sam
Hi, Samarth!

On May 16, Samarth Mathur wrote:
> Hi Sergei.. just a few questions. Hope not to bother too much!
> Does the .so file of two_questions exist in the mariadb 10.0.2 source code or was that just an example?

It certainly does! The source code of the two_questions plugin is in the plugin/auth_examples/dialog_examples.c file.

> Also, if I'm looking to implement pluggable authentication for LDAP, does the version of mariadb I'm doing this on matter? If it does, which version would you recommend? I'm currently on v10.0.2..

It doesn't. 10.0.2 is fine.

> What is the advantage of going for a pluggable authentication over say a module made for the PAM plugin in mariadb?

This is a question that I want a project implementor to answer :)

Regards,
Sergei
just some questions about dialog_example.c, just to check if i understood the source

the three_attempts, request 3 times the password, if it's all wrong return CR_ERROR, and user is 'disconnected'?

the two_questions, request the password, if wrong, disconnect with CR_ERROR, send the second question, and if it's not == to "yes, of course", return CR_ERROR, else, user is connected?

the info->auth_string, is the password of mysql.users table?

there's more examples where i could get the user, and check some value inside a mysql.* table?

i'm thinking about OTP passwords like google auth
Hi, Roberto!

On May 16, Roberto Spadim wrote:
> just some questions about dialog_example.c, just to check if i understood the source
> the three_attempts, request 3 times the password, if it's all wrong return CR_ERROR, and user is 'disconnected'?

Yes.

> the two_questions, request the password, if wrong, disconnect with CR_ERROR, send the second question, and if it's not == to "yes, of course", return CR_ERROR, else, user is connected?

Yes.

> the info->auth_string, is the password of mysql.users table?

No, in the CREATE USER xxx IDENTIFIED WITH yyy USING zzz; auth_string is the "zzz" part.

> there's more examples where i could get the user, and check some value inside a mysql.* table?

Check our knowledge base, the MySQL manual, and the documentation in the include/mysql/plugin_auth*.h files.

> i'm thinking about OTP passwords like google auth

See also my talk at the MySQL UC 2010, which includes the code for the S/Key authentication plugin (S/Key is an old one-time password system): http://en.oreilly.com/mysql2010/public/schedule/detail/13143

And this blog post of mine, which shows how to use Google Authenticator with MariaDB: http://blog.mariadb.org/security-with-two-step-verification/

Regards,
Sergei
in your example with s/key it doesn't check password with mysql database? just the key with skey lib?

example:

Authentication Plugin Example

    #include <string.h>
    #include <skey.h>
    #include <mysql/plugin_auth.h>

    static int skey_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
    {
      unsigned char *pkt;
      int pkt_len;
      struct skey mp;
      char buf[SKEY_MAX_CHALLENGE+3];

      buf[0] = 2; /* ordinary question */
      /* build the S/Key challenge for this user after the type byte */
      if (skeychallenge(&mp, info->user_name, buf+1, SKEY_MAX_CHALLENGE) < 0)
        return CR_ERROR;
      strcat(buf, ":");
      /* send the challenge to the client as the dialog prompt */
      if (vio->write_packet(vio, buf, strlen(buf)))
        return CR_ERROR;
      /* read the one-time password the user typed */
      if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
        return CR_ERROR;
      info->password_used = 1;
      /* skeyverify() returns 0 when the response matches */
      return skeyverify(&mp, pkt) ? CR_ERROR : CR_OK;
    }

Demo

    $ mysql --user=sktest
    [mariadb] otp-md5 98 janu76882: HERB JESS BLAB VERB DAWN BEN
    Your MariaDB connection id is 3
    Server version: 5.2.0-MariaDB-alpha-debug Source distribution
    MariaDB [test]> quit
    Bye
    $ mysql --user=sktest
    [mariadb] otp-md5 97 janu76882: MOS BLOT QUAD JANE HUGE FOOL
    Your MariaDB connection id is 4
    Server version: 5.2.0-MariaDB-alpha-debug Source distribution
    MariaDB [test]> quit
    Bye
    $ mysql --user=sktest
    [mariadb] otp-md5 96 janu76882: MOS BLOT QUAD JANE HUGE FOOL
    ERROR 1045 (28000): Access denied for user 'sktest'@'localhost' (using password: YES)
Hi, Roberto!

On May 16, Roberto Spadim wrote:
> in your example with s/key it doesn't check password with mysql database? just the key with skey lib?

Right. It only checks the one-time password. Generally, you can use only one plugin at a time - either mysql_native_password plugin, that checks the mysql user password, or some other plugin, that does something else.

Regards,
Sergei
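Why the third login in the demo above is refused, shown as an added example (not code from this thread, from the talk, or from the skey library): a hash-chain one-time password check in which the server keeps only the last accepted value. The FNV-1a step, `struct otp_record` and the `otp_*` names are assumptions made for illustration; real S/Key uses an MD4/MD5-based fold instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in one-way step: 64-bit FNV-1a over the 8 bytes of x. NOT
   cryptographic; real S/Key folds an MD4/MD5 digest down to 64 bits. */
static uint64_t otp_step(uint64_t x)
{
    uint64_t h = 14695981039346656037ULL;
    for (int i = 0; i < 8; i++) {
        h ^= (x >> (8 * i)) & 0xff;
        h *= 1099511628211ULL;
    }
    return h;
}

/* What the client computes for challenge number n: n steps from its secret. */
uint64_t otp_chain(uint64_t secret, unsigned n)
{
    while (n--) secret = otp_step(secret);
    return secret;
}

/* Server-side record: only the last accepted value, never the secret. */
struct otp_record { unsigned seq; uint64_t last; };

/* Accept a response iff one more step yields the stored value, then move
   the record down the chain so the same response cannot be used again. */
int otp_verify(struct otp_record *r, uint64_t response)
{
    if (r->seq == 0 || otp_step(response) != r->last)
        return 0;
    r->last = response;
    r->seq--;
    return 1;
}

/* The three logins of the demo: challenges 98, 97, then 96 answered with
   the response for 97. Bit i of the result is set if login i succeeded. */
int otp_demo(void)
{
    uint64_t secret = 0x0123456789abcdefULL;   /* constructed sample */
    struct otp_record r = { 99, otp_chain(secret, 99) };
    uint64_t resp97 = otp_chain(secret, 97);
    int a = otp_verify(&r, otp_chain(secret, 98));
    int b = otp_verify(&r, resp97);
    int c = otp_verify(&r, resp97);            /* server now expects 96 */
    return a | (b << 1) | (c << 2);
}
int main(void) { printf("accepted mask: %d\n", otp_demo()); return 0; }
```

A mask of 3 means the first two logins were accepted and the replayed response was rejected, matching the ERROR 1045 at the end of the demo.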
nice, thanks sergei i will study it

2013/5/16 Sergei Golubchik <serg@askmonty.org>
> Hi, Roberto!
>
> On May 16, Roberto Spadim wrote:
>> in your example with s/key it doesn't check password with mysql database? just the key with skey lib?
>
> Right. It only checks the one-time password. Generally, you can use only one plugin at a time - either mysql_native_password plugin, that checks the mysql user password, or some other plugin, that does something else.
>
> Regards, Sergei

--
Roberto Spadim
SPAEmpresarial