Bug #100662 Require SSL with PAM LDAP on UNIX Socket seems not to work
Submitted: 27 Aug 2020 13:51    Modified: 27 Aug 2020 15:16
Reporter: Oli Sennhauser
Status: Verified
Category: MySQL Server: Pluggable Authentication    Severity: S3 (Non-critical)
Version: 8.0.21    OS: Linux (n.a.)
Assigned to:    CPU Architecture: x86 (n.a.)
Tags: LDAP, PAM, require ssl, socket, SSL

[27 Aug 2020 13:51] Oli Sennhauser
Description:
* If we have an LDAP authenticated user connecting from remote it works.
* If we try connecting with the same user locally via Socket it does NOT work.
* If we revoke REQUIRE SSL from the user it works locally with SSL over Socket.

This behaviour looks strange to us and thus we think it could be a bug.

How to repeat:
mysql@server2> mysql -h server1 -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -P 3306  --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2591090
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
 
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 
SQL> status
--------------
mysql  Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
 
Current user:           App1_DEV_Read_User1@server2.internal.company-group.net
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Server version:         8.0.21-commercial MySQL Enterprise Server - Commercial
Connection:             server1 via TCP/IP
TCP port:               3306

----

mysql@server1> mysql -h server1 -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -P 3306  --enable-cleartext-plugin
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2589022
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
 
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 
SQL> select user(), current_user(), @@proxy_user;
+---------------------------------------------------------+-----------------+--------------+
| user()                                                  | current_user()  | @@proxy_user |
+---------------------------------------------------------+-----------------+--------------+
| App1_DEV_Read_User1@server1.internal.company-group.net  | App1_DEV_Read@% | ''@'%'       |
+---------------------------------------------------------+-----------------+--------------+
 
SQL> status
--------------
mysql  Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
 
Current user:           App1_DEV_Read_User1@server1.internal.company-group.net
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Server version:         8.0.21-commercial MySQL Enterprise Server - Commercial
Connection:             server1 via TCP/IP
TCP port:               3306

SQL> show create user 'App1_DEV_Read'@'%';
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for App1_DEV_Read@%                                                                                                                                                                               |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'App1_DEV_Read'@'%' IDENTIFIED WITH 'mysql_no_login' REQUIRE SSL PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT PASSWORD REQUIRE CURRENT DEFAULT |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

----

mysql@server1> mysql -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -S /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock  --enable-cleartext-plugin --ssl-mode=REQUIRED
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)

MySQL Error Log:

2020-08-27T12:21:02.821582Z 2589078 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
2020-08-27T12:21:02.821693Z 2589078 [Note] [MY-011783] [Server] Plugin authentication_ldap_simple reported: 'Ldap_connection_pool::put connection in pushed in the pool'
2020-08-27T12:21:02.821815Z 2589078 [Note] [MY-011779] [Server] Plugin authentication_ldap_simple reported: 'Ldap_authentication::de_initialize putting back connection in the pool'
2020-08-27T12:21:02.821955Z 2589078 [Note] [MY-010926] [Server] Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)

----

After:

ALTER USER 'App1_DEV_Read'@'%' REQUIRE NONE;

mysql@server1> mysql -u App1_DEV_Read_User1 -pxxxxxxxxxxxx -S /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock  --enable-cleartext-plugin --ssl-mode=REQUIRED
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2589474
Server version: 8.0.21-commercial MySQL Enterprise Server - Commercial
 
You are enforcing ssl connection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
SQL> status
--------------
mysql  Ver 8.0.21-commercial for Linux on x86_64 (MySQL Enterprise Server - Commercial)
 
Connection id:          2589474
Current user:           App1_DEV_Read_User1@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Server version:         8.0.21-commercial MySQL Enterprise Server - Commercial
Connection:             Localhost via UNIX socket
UNIX socket:            /u00/app/mysql/admin/mysqld1/socket/mysqld1.sock

Suggested fix:
Allow LDAP authenticated users over Socket with REQUIRE SSL.
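The error log in the report shows the signature of this failure: the LDAP plugin logs "User is authenticated as: ..." for the connection, and a few hundred microseconds later the same connection id gets "Access denied", because the REQUIRE SSL check on the proxied account fails for the UNIX-socket connection after the plugin itself succeeded. That sequence is distinguishable from an ordinary bad-password denial, which has no plugin success line before it. The following script is an added example, not code from the report or from MySQL: it parses error-log lines in the format shown above (the MY-011756 and MY-010926 message codes come from the report), groups them by connection id and flags denials that follow a plugin success. The sample log embeds the four lines from the report plus two constructed connections (ids 2589101 and 2589150, a plain denial and a plugin success with no denial) so the two cases can be told apart.

```python
import re
from collections import defaultdict

# One MySQL 8.0 error-log line: timestamp, connection id, level, error code,
# subsystem, message. Layout taken from the lines quoted in the bug report.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+\[(?P<level>\w+)\]\s+"
    r"\[(?P<code>MY-\d+)\]\s+\[(?P<sub>\w+)\]\s+(?P<msg>.*)$"
)
# Success message of authentication_ldap_simple (MY-011756 in the report).
LDAP_OK_RE = re.compile(
    r"User is authenticated as: (?P<mapped>[^ ']+) external user: (?P<ext>[^ ']+)"
)
# Server-side denial (MY-010926 in the report).
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")

# Constructed sample: the report's four lines for connection 2589078, followed by
# two constructed connections (a plain denial and a plugin success with no denial).
SAMPLE_LOG = """\
2020-08-27T12:21:02.821582Z 2589078 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
2020-08-27T12:21:02.821693Z 2589078 [Note] [MY-011783] [Server] Plugin authentication_ldap_simple reported: 'Ldap_connection_pool::put connection in pushed in the pool'
2020-08-27T12:21:02.821815Z 2589078 [Note] [MY-011779] [Server] Plugin authentication_ldap_simple reported: 'Ldap_authentication::de_initialize putting back connection in the pool'
2020-08-27T12:21:02.821955Z 2589078 [Note] [MY-010926] [Server] Access denied for user 'App1_DEV_Read_User1'@'localhost' (using password: YES)
2020-08-27T12:25:10.000100Z 2589101 [Note] [MY-010926] [Server] Access denied for user 'someone'@'10.0.0.5' (using password: YES)
2020-08-27T12:26:44.000200Z 2589150 [Note] [MY-011756] [Server] Plugin authentication_ldap_simple reported: 'User is authenticated as: App1_DEV_Read external user: App1_DEV_Read'
"""


def parse_line(line):
    """Split one error-log line into its fields, or return None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_post_auth_denials(log_text):
    """Return denials that follow an LDAP plugin success on the same connection.

    Each finding records the connection id, the account the plugin mapped the
    login to (the proxied account carrying REQUIRE SSL in the report), the
    login name the client used and the client host.
    """
    by_conn = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_conn[rec["conn"]].append(rec)

    findings = []
    for conn, recs in by_conn.items():
        mapped = None  # account name from the most recent plugin success
        for rec in recs:  # file order is chronological within a connection
            ok = LDAP_OK_RE.search(rec["msg"])
            if ok:
                mapped = ok.group("mapped")
                continue
            denied = DENIED_RE.search(rec["msg"])
            if denied and mapped is not None:
                findings.append({
                    "conn": conn,
                    "ts": rec["ts"],
                    "mapped_user": mapped,
                    "login_user": denied.group("user"),
                    "host": denied.group("host"),
                })
                mapped = None  # one success explains at most one denial
    return findings


def summarize(log_text):
    """Count denials after a plugin success separately from plain denials."""
    post_auth = find_post_auth_denials(log_text)
    flagged = {(f["conn"], f["ts"]) for f in post_auth}
    plain = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and DENIED_RE.search(rec["msg"]) and (rec["conn"], rec["ts"]) not in flagged:
            plain += 1
    return {"post_auth_denials": len(post_auth), "plain_denials": plain}


if __name__ == "__main__":
    for f in find_post_auth_denials(SAMPLE_LOG):
        print(f"conn {f['conn']}: plugin mapped {f['login_user']} -> {f['mapped_user']}, "
              f"then denied from {f['host']} at {f['ts']}")
    print(summarize(SAMPLE_LOG))
```

Run against a real error log with `find_post_auth_denials(open(path).read())`; a finding whose host is `localhost` while the mapped account carries REQUIRE SSL is the case this report describes, and the `summarize` counts let you see how much of the denial volume is this mismatch rather than credential failures.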
[27 Aug 2020 15:16] MySQL Verification Team
Hi Oli,

Thank you for your bug report.

I have managed to repeat it.

Verified as reported.