Bug #74417 Need error-message and document when MySQL CLIs exits with --secure-auth=0
Submitted: 16 Oct 2014 9:06 Modified: 14 Jul 2015 6:53
Reporter: tsubasa tanaka (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.7.5, 5.7.6 OS:Any
Assigned to: CPU Architecture:Any
Tags: Docs

[16 Oct 2014 9:06] tsubasa tanaka
Description:
--secure-auth=0 and --skip-secure-auth are deprecated in MySQL 5.7.5.

http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-5.html

Now mysqld allows only 0 and 2 for secure-auth.
Not only mysqld, other Command-Line Clients are same.

1) CLIs's docs are not updated yet.

http://dev.mysql.com/doc/refman/5.7/en/mysql-command-options.html#option_mysql_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqladmin.html#option_mysqladmin_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqlcheck.html#option_mysqlcheck_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqldump.html#option_mysqldump_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqlimport.html#option_mysqlimport_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqlshow.html#option_mysqlshow_secure-auth
http://dev.mysql.com/doc/refman/5.7/en/mysqlslap.html#option_mysqlslap_secure-auth

2) CLI with --secure-auth=0 only shows a one warning-message and usage. I need error-message which shows "CLI exits because secure-auth=0 is not permitted."

How to repeat:
1) See docs.

2) 

$ grep -A4 -r 'if (!opt_secure_auth)' client/
client/mysqlimport.c:    if (!opt_secure_auth)
client/mysqlimport.c-    {
client/mysqlimport.c-      usage();
client/mysqlimport.c-      exit(1);
client/mysqlimport.c-    }
--
client/mysqladmin.cc:    if (!opt_secure_auth)
client/mysqladmin.cc-    {
client/mysqladmin.cc-      usage();
client/mysqladmin.cc-      exit(1);
client/mysqladmin.cc-    }
--
client/mysql.cc:    if (!opt_secure_auth)
client/mysql.cc-    {
client/mysql.cc-      usage(0);
client/mysql.cc-      exit(1);
client/mysql.cc-    }
--
client/check/mysqlcheck.cc:    if (!opt_secure_auth)
client/check/mysqlcheck.cc-    {
client/check/mysqlcheck.cc-      usage();
client/check/mysqlcheck.cc-      exit(1);
client/check/mysqlcheck.cc-    }
--
client/mysqlshow.c:    if (!opt_secure_auth)
client/mysqlshow.c-    {
client/mysqlshow.c-      usage();
client/mysqlshow.c-      exit(1);
client/mysqlshow.c-    }
--
client/mysqlbinlog.cc:    if (!opt_secure_auth)
client/mysqlbinlog.cc-    {
client/mysqlbinlog.cc-      usage();
client/mysqlbinlog.cc-      exit(1);
client/mysqlbinlog.cc-    }
--
client/mysqlslap.c:    if (!opt_secure_auth)
client/mysqlslap.c-    {
client/mysqlslap.c-      usage();
client/mysqlslap.c-      exit(1);
client/mysqlslap.c-    }
--
client/mysqldump.c:    if (!opt_secure_auth)
client/mysqldump.c-    {
client/mysqldump.c-      usage();
client/mysqldump.c-      exit(1);
client/mysqldump.c-    }

There's no information about CLI exits because secure-auth=0.
[16 Oct 2014 10:02] MySQL Verification Team
Hello Tsubasa,

Thank you for the bug report.

Thanks,
Umesh
[16 Oct 2014 10:03] MySQL Verification Team
// with 0,1 and 2 options

[root@cluster-repo mysql-advanced-5.7.6]# bin/mysql -u root -p --secure-auth=1
WARNING: --secure-auth is deprecated and will be removed in a future version
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.6-m16-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q
Bye
[root@cluster-repo mysql-advanced-5.7.6]# bin/mysql -u root -p --secure-auth=2
mysql: [Warning] bin/mysql: ignoring option '--secure-auth' due to invalid value '2'
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.6-m16-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \q
Bye

// for --secure-auth=0

[root@cluster-repo mysql-advanced-5.7.6]# bin/mysql -u root -p --secure-auth=0
WARNING: --secure-auth is deprecated and will be removed in a future version
bin/mysql  Ver 14.14 Distrib 5.7.6-m16, for Linux (x86_64) using  EditLine wrapper
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Usage: bin/mysql [OPTIONS] [database]
  -?, --help          Display this help and exit.
  -I, --help          Synonym for -?
  --auto-rehash       Enable automatic rehashing. One doesn't need to use
                      'rehash' to get table and field completion, but startup
                      and reconnecting may take a longer time. Disable with
                      --disable-auto-rehash.
                      (Defaults to on; use --skip-auto-rehash to disable.)
  -A, --no-auto-rehash
                      No automatic rehashing. One has to use 'rehash' to get
                      table and field completion. This gives a quicker start of
                      mysql and disables rehashing on reconnect.
  --auto-vertical-output
                      Automatically switch to vertical output mode if the
                      result is wider than the terminal width.
..
..
[14 Jul 2015 6:53] Erlend Dahl
Fixed in 5.7.6 under the heading of Bug#19438612 HANDLING OF DEPRECATED --SKIP-SECURE-AUTH OPTION PROBLEMATIC

[5 Nov 2014 7:45] Paul Dubois

Noted in 5.7.6 changelog.

For client programs, --secure-auth is now deprecated and
--skip-secure=auth is illegal, but use of --skip-secure-auth resulted
in a warning followed by the help message rather than an error.