Bug #76052 ALTER USER does not verify auth plugin
Submitted: 25 Feb 2015 17:56 Modified: 26 Mar 2015 21:00
Reporter: Paul DuBois Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Pluggable Authentication Severity:S2 (Serious)
Version:5.7.6 OS:Any
Assigned to: CPU Architecture:Any

[25 Feb 2015 17:56] Paul DuBois 
Description:
CREATE USER verifies the auth plugin bug ALTER USER does not. This can leave the affected account unusable if the plugin does not exist.

How to repeat:
# For new user, plugin is verified
mysql> create user x identified with 'junk';
ERROR 1524 (HY000): Plugin 'junk' is not loaded

mysql> create user x identified with 'mysql_native_password';
Query OK, 0 rows affected (0.01 sec)

# For existing user, plugin is not verified
mysql> alter user x identified with 'junk';
Query OK, 0 rows affected (0.01 sec)

Suggested fix:
ALTER USER should perform same plugin verification as CREATE USER
[26 Mar 2015 21:00] Paul DuBois 
Noted in 5.7.8, 5.8.0 changelogs.

ALTER USER statements that named an authentication plugin did not
check whether the plugin is valid.