author | Sergei Golubchik <sergii@pisem.net> | 2013-06-11 12:53:35 +0200 |
---|---|---|
committer | Sergei Golubchik <sergii@pisem.net> | 2013-06-11 12:53:35 +0200 |
commit | f722b15dc23e6a0ca587553d35982e0936b1de9f (patch) | |
tree | 1d0883976f7d0c958818cc5450752f72a74e2d5c | |
parent | 43a6831fe0529bf46f8dc1d73fc50a585e2f6361 (diff) | |
download | mariadb-git-f722b15dc23e6a0ca587553d35982e0936b1de9f.tar.gz |
MDEV-4636 use mysql_cleartext_plugin from auth_pam
add a new command-line option --pam-use-cleartext-plugin
-rw-r--r-- | mysql-test/suite/plugins/r/pam_cleartext.result | 10 | ||||
-rw-r--r-- | mysql-test/suite/plugins/t/pam.test | 13 | ||||
-rw-r--r-- | mysql-test/suite/plugins/t/pam_cleartext.opt | 1 | ||||
-rw-r--r-- | mysql-test/suite/plugins/t/pam_cleartext.test | 12 | ||||
-rw-r--r-- | mysql-test/suite/plugins/t/pam_init.inc | 14 | ||||
-rw-r--r-- | plugin/auth_pam/auth_pam.c | 25 |
6 files changed, 61 insertions, 14 deletions
diff --git a/mysql-test/suite/plugins/r/pam_cleartext.result b/mysql-test/suite/plugins/r/pam_cleartext.result
new file mode 100644
index 00000000000..00e0e94618e
--- /dev/null
+++ b/mysql-test/suite/plugins/r/pam_cleartext.result
@@ -0,0 +1,10 @@
+install plugin pam soname 'auth_pam.so';
+create user test_pam identified via pam using 'mariadb_mtr';
+create user pam_test;
+grant proxy on pam_test to test_pam;
+show variables like 'pam%';
+Variable_name Value
+pam_use_cleartext_plugin ON
+drop user test_pam;
+drop user pam_test;
+uninstall plugin pam;
diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test
index 68fa349a444..1871e5801a3 100644
--- a/mysql-test/suite/plugins/t/pam.test
+++ b/mysql-test/suite/plugins/t/pam.test
@@ -1,16 +1,5 @@
---source include/not_embedded.inc
-
-if (!$AUTH_PAM_SO) {
- skip No pam auth plugin;
-}
-
-eval install plugin pam soname '$AUTH_PAM_SO';
-create user test_pam identified via pam using 'mariadb_mtr';
-create user pam_test;
-grant proxy on pam_test to test_pam;
-
-let $plugindir=`SELECT @@global.plugin_dir`;
+--source pam_init.inc
 --write_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
 not very secret challenge
diff --git a/mysql-test/suite/plugins/t/pam_cleartext.opt b/mysql-test/suite/plugins/t/pam_cleartext.opt
new file mode 100644
index 00000000000..aa270885f0e
--- /dev/null
+++ b/mysql-test/suite/plugins/t/pam_cleartext.opt
@@ -0,0 +1 @@
+--loose-pam-use-cleartext-plugin
diff --git a/mysql-test/suite/plugins/t/pam_cleartext.test b/mysql-test/suite/plugins/t/pam_cleartext.test
new file mode 100644
index 00000000000..e80cff5f476
--- /dev/null
+++ b/mysql-test/suite/plugins/t/pam_cleartext.test
@@ -0,0 +1,12 @@
+
+--source pam_init.inc
+
+show variables like 'pam%';
+
+--error 1
+--exec echo FAIL | $MYSQL_TEST -u test_pam --plugin-dir=$plugindir
+
+drop user test_pam;
+drop user pam_test;
+uninstall plugin pam;
+
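Review bot: The only behavioural check in pam_cleartext.test is `--error 1` on the `--exec echo FAIL | $MYSQL_TEST -u test_pam --plugin-dir=$plugindir` line, which presumably passes for any client failure, so the test does not show that the server actually requested `mysql_clear_password` or that a correct password is accepted through it. The `show variables like 'pam%'` output confirms only that the option was parsed. If a successful login cannot be exercised with the `mariadb_mtr` service, the test should say so, e.g. `# only the failure path is covered: <reason a single password cannot satisfy mariadb_mtr>`; otherwise a case that supplies a valid password and checks the resulting user would cover the new code path.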
diff --git a/mysql-test/suite/plugins/t/pam_init.inc b/mysql-test/suite/plugins/t/pam_init.inc
new file mode 100644
index 00000000000..281666d51a6
--- /dev/null
+++ b/mysql-test/suite/plugins/t/pam_init.inc
@@ -0,0 +1,14 @@
+
+--source include/not_embedded.inc
+
+if (!$AUTH_PAM_SO) {
+ skip No pam auth plugin;
+}
+
+eval install plugin pam soname '$AUTH_PAM_SO';
+create user test_pam identified via pam using 'mariadb_mtr';
+create user pam_test;
+grant proxy on pam_test to test_pam;
+
+let $plugindir=`SELECT @@global.plugin_dir`;
+
diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c
index 4f549142e72..2a06b6a01a6 100644
--- a/plugin/auth_pam/auth_pam.c
+++ b/plugin/auth_pam/auth_pam.c
@@ -154,6 +154,27 @@ static struct st_mysql_auth info =
 pam_auth
 };
+static char use_cleartext_plugin;
+static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin,
+ PLUGIN_VAR_NOCMDARG | PLUGIN_VAR_READONLY,
+ "Use mysql_cleartext_plugin on the client side instead of the dialog "
+ "plugin. This may be needed for compatibility reasons, but it only "
+ "supports simple PAM policies that don't require anything besides "
+ "a password", NULL, NULL, 0);
+
+static struct st_mysql_sys_var* vars[] = {
+ MYSQL_SYSVAR(use_cleartext_plugin),
+ NULL
+};
+
+
+static int init(void *p __attribute__((unused)))
+{
+ if (use_cleartext_plugin)
+ info.client_auth_plugin= "mysql_clear_password";
+ return 0;
+}
+
 maria_declare_plugin(pam)
 {
 MYSQL_AUTHENTICATION_PLUGIN,
@@ -162,11 +183,11 @@ maria_declare_plugin(pam)
 "Sergei Golubchik",
 "PAM based authentication",
 PLUGIN_LICENSE_GPL,
- NULL,
+ init,
 NULL,
 0x0100,
 NULL,
- NULL,
+ vars,
 "1.0",
 MariaDB_PLUGIN_MATURITY_BETA
 }
|
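Review bot: The help string in the first auth_pam.c hunk names the client plugin `mysql_cleartext_plugin`, while `init` sets `info.client_auth_plugin` to `"mysql_clear_password"`; the text should use the name the code actually sends, since that is the plugin an operator has to make available on the client. The same string is the natural place to state that this plugin puts the password on the wire unencrypted, so the option belongs only on connections protected by TLS or a local socket (this may hold for the dialog plugin as well, but the text says nothing about either). Suggested opening: `"Use mysql_clear_password on the client side instead of the dialog plugin "` followed by `"(the password is sent unencrypted; use TLS or a local socket). "`. A one-line comment above `init`, such as `/* server-wide and fixed at startup: the variable is PLUGIN_VAR_READONLY */`, would also make clear that the switch applies to every PAM account.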