Bug #64063 mysql-proxy does not work with server/client authentication plugins
Submitted: 18 Jan 2012 22:39 Modified: 24 Jan 2012 22:28
Reporter: Zhang Lu Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Proxy: Core Severity:S3 (Non-critical)
Version:0.8.2 OS:Any
Assigned to: CPU Architecture:Any
Tags: mysql-proxy, pam_auth
Triage: Needs Triage: D3 (Medium)

[18 Jan 2012 22:39] Zhang Lu
Description:
When using authentication plugins on the mysql server/client, client can only login directly to the server, not through mysql-proxy
mysql-proxy error logs prints
 ((error)) network-mysqld.c.676: unexpected state for SEND_AUTH_RESULT: 01

How to repeat:
install auth plugin, login through mysql-proxy using external authentication (plugin)
[19 Jan 2012 17:45] Sveta Smirnova
Thank you for the report.

Do you use binary package of MySQL Proxy or compiled it yourself?
[19 Jan 2012 20:19] Zhang Lu
I tried both. They provided same results.
[23 Jan 2012 19:47] Sveta Smirnova
Thank you for the feedback.

I can not repeat described behavior nor with self-compiled version, neither with mysql-proxy-0.8.2-linux-glibc2.3-x86-64bit.tar.gz package. Please provide link to 0.9 binaries you used.
[23 Jan 2012 21:06] Zhang Lu
Well, my bad. I thought I compiled 0.9 but it was 0.8.2.
Here is the details as how to re-pro.

1. Download and install mysql-proxy 0.8.2 (binary from dev.mysql.com)
2. setup mysql server 5.5.19 on same host
3. download and build mysql-auth-pam from https://code.launchpad.net/percona-pam-for-mysql
4. Setup /etc/pam.d/mysqld as following
    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_krb5.so use_first_pass
    auth        required      pam_deny.so

    account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account     required      pam_permit.so
5. Install the auth plugin
6. setup a user to use this plugin, the user should have an Unix account/password
7. verify user can login directly to MySQL server using unix account/password
8. try connect user through mysql-proxy port and the following is printed in mysql-proxy error log. Proxy server restarts after that.

2012-01-23 15:25:59: ((error)) network-mysqld.c.676: unexpected state for SEND_AUTH_RESULT: 01
2012-01-23 15:25:59: (debug) chassis-unix-daemon.c:167: 2338 returned: 2338
2012-01-23 15:25:59: (critical) chassis-unix-daemon.c:189: [angel] PID=2338 died on signal=5 (it used 1 kBytes max) ... waiting 3min before restart
2012-01-23 15:26:01: (debug) chassis-unix-daemon.c:121: we are the child: 2353
2012-01-23 15:26:01: (message) mysql-proxy 0.8.2 started
2012-01-23 15:26:01: (debug) max open file-descriptors = 1024
2012-01-23 15:26:01: (message) proxy listening on port :4040
2012-01-23 15:26:01: (message) added read/write backend: 127.0.0.1:3306
2012-01-23 15:26:01: (message) chassis-unix-daemon.c:136: [angel] we try to keep PID=2353 alive
2012-01-23 15:26:01: (debug) chassis-unix-daemon.c:157: waiting for 2353

Clearly, when the user session is authenticated using a plugin, con->auth_result_state is 1 which is not handled, and caused the error.
[24 Jan 2012 18:56] Sveta Smirnova
Thank you for the feedback.

Verified as described.

MySQL Proxy works with test auth plugin bundled with MySQL, but as client compiled with 5.5 libraries is supposed to work with any plugin I think this should be considered as our bug first.
[24 Jan 2012 18:57] Sveta Smirnova
I used a /etc/pam.d/mysqld content as suggested in Percona PAM plugin user manual at http://www.percona.com/doc/percona-pam-for-mysql/manual.html:

auth       required     pam_unix.so
account    required     pam_unix.so
[24 Jan 2012 22:28] Zhang Lu
I have made a quick patch to 0.8.2 and it worked fine with PAM AUTH.

--- src/network-mysqld.c        2011-08-17 10:50:54.000000000 -0400
+++ ../myproxy-0.8.2/src/network-mysqld.c       2012-01-24 17:02:06.000000000 -0500
@@ -661,6 +661,9 @@
                                case MYSQLD_PACKET_OK:
                                        con->state = CON_STATE_READ_QUERY;
                                        break;
+                               case AUTH_PAM_REQUEST:
+                                       con->state = CON_STATE_READ_AUTH_RESULT;
+                                       break;
                                case MYSQLD_PACKET_ERR:
                                        con->state = CON_STATE_ERROR;
                                        break;
--- src/network-mysqld-proto.h  2011-08-17 10:50:54.000000000 -0400
+++ ../myproxy-0.8.2/src/network-mysqld-proto.h 2012-01-24 17:04:32.000000000 -0500
@@ -50,6 +50,7 @@
        #endif

        #define MYSQLD_PACKET_OK   (0)
+       #define AUTH_PAM_REQUEST   (1)
        #define MYSQLD_PACKET_RAW  (0xfa) /* used for proxy.response.type only */
        #define MYSQLD_PACKET_NULL (0xfb) /* 0xfb */
                                          /* 0xfc */
[25 Jan 2012 5:47] Jan Kneschke
Please verify that the code from https://code.launchpad.net/~mysql-proxy-developers/mysql-proxy/0.8 also fixes this issue for you.
[30 Jan 2012 19:00] Sveta Smirnova
Jan,

it asks password, then hangs.