| Bug #71359 | Validate and SHA256 plugins do not work together | | |
|---|---|---|---|
| Submitted: | 13 Jan 2014 9:58 | Modified: | 24 Feb 2015 22:38 |
| Reporter: | Daniël van Eeden (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Pluggable Authentication | Severity: | S2 (Serious) |
| Version: | 5.6.14, 5.6.17 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | password, plugin, SHA256, Validation | | |
[13 Jan 2014 9:58]
Daniël van Eeden
[13 Jan 2014 10:02]
Daniël van Eeden
This is only for CREATE USER...IDENTIFIED WITH
The SET PASSWORD does work correctly.
mysql> SET PASSWORD FOR 'sha256val2'@'%'=PASSWORD('fooo');
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
[27 Jan 2014 18:51]
Sveta Smirnova
Thank you for the report. Verified as described.
[1 Jun 2014 15:29]
Daniël van Eeden
Added tags
[26 Jun 2014 18:44]
Todd Farmer
Posted by developer:
The fundamental problem is that there is no support in 5.5 or 5.6 for a single SQL statement which does all three of the following:
1. Creates a new user account
2. Specifies a non-default authentication plugin
3. Specifies a password
Example:
mysql> CREATE USER 'sha256val2'@'%' IDENTIFIED WITH sha256_password BY 'foo';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near 'BY 'foo'' at line 1
mysql>
(Note that the example ending with ... AS 'foo'; provided earlier simply sets the authentication_string, not password)
If committed to using sha256_password as the default authentication plugin, one can start mysqld with --default_authentication_plugin=sha256_password. This eliminates the need to explicitly define the authentication plugin in the CREATE USER statement, allowing the following:
mysql> CREATE USER 'sha256val3'@'%' IDENTIFIED BY 'foo';
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT user, host, plugin, authentication_string, password
-> FROM mysql.user
-> WHERE user = 'sha256val3'\G
*************************** 1. row ***************************
user: sha256val3
host: %
plugin: sha256_password
authentication_string: ...B$iUhLBhP25cP9czoOjuT69kS.w2e/YFUIJvO7jWj4ylC
password:
Of course, this only works when the authentication plugin is defined as the default, so changing --default_authentication_plugin simply transfers the problem to a different plugin:
mysql> CREATE USER 'normal'@'%' IDENTIFIED WITH 'mysql_native_password' BY 'foo';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near 'BY 'foo'' at line 1
mysql> CREATE USER 'normal'@'%' IDENTIFIED WITH 'mysql_native_password';
Query OK, 0 rows affected (0.00 sec)
To properly fix this, SQL syntax support needs to be added allowing the combination of account creation, authentication plugin and password declaration in a single command. Changing SQL syntax in a maintenance release is not recommended.
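As an added example (not part of the bug thread, and not an official MySQL procedure), this is the two-step workflow the comments above point to on a 5.6 server, followed by an audit query for accounts that were created with the plugin but never given a credential. The account name, host and password are constructed values.

```sql
-- Step 1: create the account with the non-default plugin only.
-- On 5.6 this cannot carry a password, so no validation happens here.
CREATE USER 'app_user'@'localhost' IDENTIFIED WITH sha256_password;

-- Step 2: set the password through SET PASSWORD, which the reporter
-- confirmed is checked by validate_password (ERROR 1819 on a weak value).
-- old_passwords=2 makes PASSWORD() produce a SHA-256 hash for this account.
SET old_passwords = 2;
SET PASSWORD FOR 'app_user'@'localhost' = PASSWORD('Xk9#vQ2m!pLz7RwT');

-- Sanity check: the policy plugin must be loaded and active, otherwise
-- step 2 silently accepts any value.
SHOW VARIABLES LIKE 'validate_password%';

-- Audit: sha256_password accounts that still have no credential at all
-- (created in step 1, step 2 never run or rejected) show credential_missing = 1.
SELECT user,
       host,
       plugin,
       (authentication_string = '' AND password = '') AS credential_missing
FROM   mysql.user
WHERE  plugin = 'sha256_password'
ORDER  BY credential_missing DESC, user, host;
```

Accounts created with `IDENTIFIED WITH sha256_password AS '<hash>'` never pass through the policy check, so the audit above only catches empty credentials; hashes supplied directly must be vetted before they are loaded.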
[24 Feb 2015 22:38]
Paul DuBois
Noted in 5.7.6 changelog. The validate_password plugin did not properly enforce password constraints for accounts authenticated by the sha256_password authentication plugin.
