Add clientPluginAuth (CLIENT_PLUGIN_AUTH) for authentication handshake #340

Closed

DSpeichert

This flag is necessary for successful login via the auth_socket.so plugin (https://dev.mysql.com/doc/mysql-security-excerpt/5.5/en/socket-authentication-plugin.html).

Fixes #330

@DSpeichert
Author

For more information, see: https://bugs.mysql.com/bug.php?id=64055

@julienschmidt
Member

LGTM, waiting for Travis CI 😉

julienschmidt added this to the v1.3 milestone May 14, 2015
@julienschmidt
Member

Travis failed..
https://travis-ci.org/go-sql-driver/mysql/jobs/62625711

Somehow this doesn't work well with our "old_password = 1" auth handling:
This server only supports the insecure old password authentication. If you still want to use it, please add 'allowOldPasswords=1' to your DSN. See also https://github.com/go-sql-driver/mysql/wiki/old_passwords

@joshuaprunier
Contributor

Setting the CLIENT_PLUGIN_AUTH capability tells the MySQL server that the client supports pluggable authentication. With pluggable authentication the mysql_native_password plugin is assumed by both sides during handshaking, then if the server determines the username provided requires a different authentication method it sends an authentication switch request packet back to the client.

This switch request packet begins with 0xfe and is followed by the name of the authentication plugin and any data the plugin might require. If the CLIENT_PLUGIN_AUTH capability is not supported by the server or client, then a packet of only 0xfe is sent, which is a signal to switch to old password authentication.

I believe tests failed because writeAuthPacket() in packets.go is not sending the mysql_native_password plugin name, so the MySQL server sends an authentication switch request packet, and readResultOK() does not support the authentication switch request packet and assumes it is a request to use old password.

In pull request #327 I added code to handle pluggable authentication and the authentication switch request for mysql_old_password and mysql_clear_password which is used by the server side PAM plugin. Support for other authentication plugins could be added in a similar fashion. A quick test of that code showed an auth_socket defined user works without breaking old password compatibility because handshaking assumes mysql_native_password, the server never sends an authentication switch request.
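
The distinction described in the comment above, between a bare 0xfe and a full authentication switch request, written out as an added example (not code from this pull request, from #327, or from the driver). `AuthReply` and `ParseAuthReply` are hypothetical names; the sketch assumes the 4-byte packet header is already stripped and that the plugin name is NUL-terminated, as in the MySQL client/server protocol.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// AuthReply is this example's own type, not part of the driver's API.
type AuthReply struct {
	Kind   string // "ok", "err", "old-password-switch" or "auth-switch"
	Plugin string // plugin the server asks the client to switch to
	Data   []byte // plugin-specific data following the name
}

var errMalformed = errors.New("malformed authentication reply")

// ParseAuthReply classifies a server reply payload (4-byte packet header
// already stripped) received after the client's handshake response.
func ParseAuthReply(p []byte) (AuthReply, error) {
	if len(p) == 0 {
		return AuthReply{}, errMalformed
	}
	switch p[0] {
	case 0x00:
		return AuthReply{Kind: "ok"}, nil
	case 0xff:
		return AuthReply{Kind: "err"}, nil
	case 0xfe:
		if len(p) == 1 { // bare 0xfe: switch to old password authentication
			return AuthReply{Kind: "old-password-switch", Plugin: "mysql_old_password"}, nil
		}
		end := bytes.IndexByte(p[1:], 0x00) // plugin name is NUL-terminated
		if end <= 0 {
			return AuthReply{}, errMalformed // missing terminator or empty name
		}
		return AuthReply{Kind: "auth-switch", Plugin: string(p[1 : 1+end]), Data: p[2+end:]}, nil
	}
	return AuthReply{}, errMalformed
}

func main() {
	// Constructed sample payloads, not captured traffic.
	for _, p := range [][]byte{{0xfe}, []byte("\xfemysql_clear_password\x00"), {0x00}} {
		r, err := ParseAuthReply(p)
		fmt.Printf("%q -> kind=%s plugin=%q err=%v\n", p, r.Kind, r.Plugin, err)
	}
}
```

Checking the payload length before interpreting 0xfe keeps a named plugin switch from being mistaken for a request to fall back to old password authentication.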

@julienschmidt
Member

Fixed by #327

Successfully merging this pull request may close these issues.

Client not compatible with MariaDB 10.0.17-0ubuntu1