Bug #74313 Add option to restrict logging of passwords in debug log of authentication_pam
Submitted: 10 Oct 2014 9:46   Modified: 11 Dec 2023 22:57
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Pluggable Authentication   Severity: S4 (Feature request)
Version: 5.6.21   OS: Any
Assigned to:   CPU Architecture: Any
Tags: authentication, PAM, plugin, Security

[10 Oct 2014 9:46] Daniël van Eeden
Description:
If AUTHENTICATION_PAM_LOG is set, debug logging is created for the PAM authentication plugin. This includes logging of passwords.

http://dev.mysql.com/doc/refman/5.6/en/pam-authentication-plugin.html#pam-authentication-p...

Please add an option to create a debug log without passwords. This enables me to copy/paste debug messages without (accidentally) revealing passwords.

How to repeat:
Enable the debug log for PAM auth. Then grep for passwords.
[10 Oct 2014 9:51] Daniël van Eeden
Changed to S4
[23 Nov 2023 11:54] Georgi Kodinov
Posted by developer:
 
Manual testing of the new feature:

$ export AUTHENTICATION_PAM_LOG=1

entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [system-auth], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[system-auth], out=[]
auth_pam_next_token:state=IDENT, ptr=[system-auth], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[], out=[system-auth]
auth_pam_next_token:state=DELIMITER, ptr=[], out=[system-auth]
auth_pam_next_token:state=DONE, ptr=[], out=[system-auth]
leaving auth_pam_next_token on /home/gkodinov/dev/B20042010-5.7/internal/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,foo) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0

$ export AUTHENTICATION_PAM_LOG=PAM_LOG_WITH_SECRET_INFO

entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [system-auth], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[system-auth], out=[]
auth_pam_next_token:state=IDENT, ptr=[system-auth], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[], out=[system-auth]
auth_pam_next_token:state=DELIMITER, ptr=[], out=[system-auth]
auth_pam_next_token:state=DONE, ptr=[], out=[system-auth]
leaving auth_pam_next_token on /home/gkodinov/dev/B20042010-5.7/internal/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password foo received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,foo) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
[23 Nov 2023 16:35] Daniël van Eeden
That looks great. Thanks.
[11 Dec 2023 22:57] Jon Stephens
Documented behaviour change as follows in the NDB 7.5.33 and 7.6.29 changelogs, and the MySQL 8.0.36 and 8.3.0 changelogs:

    Beginning with this release, the behavior of the
    AUTHENTICATION_PAM_LOG environment variable used in debugging
    the PAM authentication plugin is changed as follows:

      ·Setting AUTHENTICATION_PAM_LOG to an arbitrary value 
      (except as noted in the next item) no longer includes 
      passwords in its diagnostic messages.

      ·To include passwords in the diagnostic messages, set
      AUTHENTICATION_PAM_LOG=PAM_LOG_WITH_SECRET_INFO.

    For more information, see "PAM Authentication Debugging".

Closed.
[11 Dec 2023 23:02] Jon Stephens
Change also noted in the indicated section of the MySQL Manual.
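The reporter's "How to repeat" step (enable the debug log, then grep for the password) is the check a practitioner wants to automate after upgrading. The script below is an added example for this report, not code from the MySQL plugin or from anyone in the thread. Its two sample traces are constructed after the AUTHENTICATION_PAM_LOG output the developer quoted above, trimmed to the lines that matter, and they keep one detail from that output that makes a plain grep misleading: the test user name and the test password are both "foo", so the redacted trace still matches a grep for "foo" on the PAM_RUSER line. The example therefore parses the plugin's "password ... received" message specifically, and generates a throwaway test password that cannot collide with user names, host names or PAM service names. The message format and the helper names are assumptions for illustration.

```python
"""Check a PAM authentication plugin debug log for leaked passwords.

Added example for bug #74313; not code from the MySQL plugin. The sample
traces are constructed after the AUTHENTICATION_PAM_LOG output quoted in the
report, cut down to the authentication messages.
"""
from __future__ import annotations

import re
import secrets

# Constructed: what the plugin prints when AUTHENTICATION_PAM_LOG is set to
# an arbitrary value (password redacted). The user name is "foo" and so is
# the password, as in the report's manual test.
REDACTED_TRACE = """\
entering auth_pam_server
auth_pam_server:password received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,foo) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
"""

# Constructed: the same login with AUTHENTICATION_PAM_LOG=PAM_LOG_WITH_SECRET_INFO.
VERBOSE_TRACE = """\
entering auth_pam_server
auth_pam_server:password foo received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,foo) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
"""

# Assumed message shape: "auth_pam_server:password received" when redacted,
# "auth_pam_server:password <secret> received" in verbose mode. The optional
# group captures the secret and is absent in redacted mode.
PASSWORD_MSG = re.compile(r"^auth_pam_server:password(?: (.*))? received$")


def grep_secret(log_text: str, secret: str) -> list[str]:
    """The reporter's check: every line that contains the secret.

    Cheap, but it also hits lines that legitimately carry the same string,
    such as PAM_RUSER when the user name equals the password.
    """
    return [line for line in log_text.splitlines() if secret in line]


def password_messages(log_text: str) -> list[str | None]:
    """Return the password token of each 'password ... received' message:
    None when the plugin redacted it, the logged string otherwise."""
    found = []
    for line in log_text.splitlines():
        m = PASSWORD_MSG.match(line)
        if m:
            found.append(m.group(1))
    return found


def leaks_password(log_text: str, secret: str) -> bool:
    """True if any password message in the log carries the secret verbatim."""
    return any(tok is not None and secret in tok
               for tok in password_messages(log_text))


def test_password() -> str:
    """A throwaway password for the account whose login you trace.

    The random suffix makes a plain grep conclusive: it will not appear in
    user names, host names or PAM service names by accident.
    """
    return "pamlogtest-" + secrets.token_urlsafe(12)


if __name__ == "__main__":
    for name, trace in (("redacted", REDACTED_TRACE), ("verbose", VERBOSE_TRACE)):
        print(name, "grep hits:", len(grep_secret(trace, "foo")),
              "leaks password:", leaks_password(trace, "foo"))
    print("suggested test password:", test_password())
```

Run it as-is to see the false positive: the redacted trace yields one grep hit for "foo" (the PAM_RUSER line) but no leak, while the verbose trace yields two hits and a real leak. Against a live server, set AUTHENTICATION_PAM_LOG, log in with a test account whose password came from `test_password()`, and feed the captured log to `leaks_password()`; a True result after the fix means the variable was set to PAM_LOG_WITH_SECRET_INFO or the server predates the change.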