Bug #90567 default authentication required in client though no authentication takes place
Submitted: 23 Apr 2018 8:45 Modified: 23 Apr 2018 11:23
Reporter: Peter Laursen (Basic Quality Contributor)
Status: Closed
Category: MySQL Server: Pluggable Authentication Severity: S3 (Non-critical)
Version: 8.011 OS: Any
Assigned to: CPU Architecture: Any

[23 Apr 2018 8:45] Peter Laursen
Description:
Please first refer to https://bugs.mysql.com/bug.php?id=90554 where I explained that I have a brand-new MySQL instance from the .zip package and initialized with "mysqld --initialize-insecure".

I start the server with "mysqld --skip-grant-tables --enable-named-pipe" successfully. When I connect with a client that does not support the new default authentication plugin (using SQLyog 13 built with Connector/C from MariaDB) I get the error that the client could not load the plugin. This is expected.

But if I start the server with "mysqld --skip-grant-tables --enable-named-pipe --default-authentication-plugin=mysql_native_password", then SQLyog connects! And I have access to do everything.

How to repeat:
See above. Further I will upload images

Suggested fix:
Is this expected?
[23 Apr 2018 8:45] Peter Laursen
server started without "--default-authentication-plugin=mysql_native_password"

Attachment: a.PNG (image/png, text), 29.99 KiB.

[23 Apr 2018 8:46] Peter Laursen
server started with "--default-authentication-plugin=mysql_native_password"

Attachment: b.PNG (image/png, text), 40.81 KiB.

[23 Apr 2018 9:01] Peter Laursen
Or maybe it is the first case that is unexpected? 

If no authentication (username, password) is needed, why then require an authentication plugin at all?
[23 Apr 2018 9:59] Peter Laursen
Yes .. with hindsight I think the bug/oddity here is that requiring a specific authentication plugin in the client makes no sense with --skip-grant-tables as no authentication takes place.

Changed synopsis accordingly and downgraded severity.
[23 Apr 2018 10:25] Peter Laursen
Fixed typos in synopsis.
[23 Apr 2018 10:42] Harin Vadodaria
Hi Peter,

It seems to me that the client tool does not support caching_sha2_password authentication plugin.

Do you observe similar behavior with libmysqlclient based client tool?

Best Regards,
- Harin
[23 Apr 2018 10:50] Peter Laursen
I have already written that it does not. It is built with MariaDB's Connector/C that does not have this plugin currently.

But that was not the point at all! Why will a specific authentication plugin be required in the client when no authentication takes place (i.e. when starting server with --skip-grant-tables)? To me this makes no sense.
[23 Apr 2018 10:59] Harin Vadodaria
Hi Peter,

Regardless of --skip-grant-tables mode, there is no change in how server-client goes about initial authentication data exchange. If there is one, it would be used to identify vulnerable servers. It's only after client's reply that server checks --skip-grant-tables and acts accordingly.

So, during connection phase of a new connection, server always sends its default authentication plugin to client. If client chooses to load the plugin and same is not present, it will run into error. This may be what is happening in case of the client tool here. Since it does not know how to load server's default plugin, it may be stopping before even sending data to server. When you set --default-authentication-plugin to mysql_native_password, tool started working because it knows the mysql_native_password plugin and sends data accordingly.

Please see https://dev.mysql.com/doc/dev/mysql-server/8.0.11/page_protocol_connection_phase.html for details about MySQL server-client protocol.

Best Regards,
- Harin
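
The exchange described above, as an added example that is not part of the original thread and is not MySQL or SQLyog code: a parser for the server's initial HandshakeV10 packet (layout per the linked connection-phase documentation) that extracts the advertised default plugin, plus a model of a client that follows that default. The function names and the handshake bytes are constructed for illustration.

```python
import struct

CLIENT_PLUGIN_AUTH = 1 << 19  # capability flag: a plugin name follows the scramble

def build_handshake(plugin: bytes, version: bytes = b"8.0.11") -> bytes:
    """Build a HandshakeV10 payload (constructed sample, not a real capture)."""
    caps = 0xFFFF | CLIENT_PLUGIN_AUTH
    scramble = bytes(range(1, 21))               # 20 bytes of placeholder nonce
    return (b"\x0a" + version + b"\x00"          # protocol 10, server version
            + struct.pack("<I", 42)              # connection id
            + scramble[:8] + b"\x00"             # auth-plugin-data part 1, filler
            + struct.pack("<HBHH", caps & 0xFFFF, 255, 2, caps >> 16)
            + bytes([len(scramble) + 1])         # auth_plugin_data_len (21)
            + b"\x00" * 10                       # reserved
            + scramble[8:] + b"\x00"             # auth-plugin-data part 2 (13 bytes)
            + plugin + b"\x00")                  # default auth plugin name

def parse_handshake(payload: bytes) -> dict:
    """Extract server version and advertised auth plugin from HandshakeV10."""
    if not payload or payload[0] != 10:
        raise ValueError("not a HandshakeV10 packet")
    end = payload.index(b"\x00", 1)              # server version is NUL-terminated
    version = payload[1:end].decode()
    pos = end + 1 + 4 + 8 + 1                    # skip connection id, part 1, filler
    cap_lo, _charset, _status, cap_hi = struct.unpack_from("<HBHH", payload, pos)
    pos += 7
    caps = cap_lo | (cap_hi << 16)
    data_len = payload[pos]
    pos += 1 + 10                                # length byte + reserved bytes
    pos += max(13, data_len - 8)                 # auth-plugin-data part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        nul = payload.find(b"\x00", pos)
        plugin = payload[pos:nul if nul != -1 else len(payload)].decode()
    return {"server_version": version, "auth_plugin": plugin}

def client_proceeds(payload: bytes, supported: set) -> bool:
    """Model (assumption) of a client that follows the server's default plugin:
    it stops before replying if it cannot load the advertised plugin."""
    return parse_handshake(payload)["auth_plugin"] in supported

if __name__ == "__main__":
    connector = {"mysql_native_password"}        # client without caching_sha2_password
    for name in (b"caching_sha2_password", b"mysql_native_password"):
        hs = build_handshake(name)
        print(parse_handshake(hs), "proceeds:", client_proceeds(hs, connector))
```

The server's grant-table mode appears nowhere in the parsed fields; the outcome for the client depends only on the advertised plugin name.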
[23 Apr 2018 11:01] Peter Laursen
OK .. explanation accepted. But it is not logical IMO
[23 Apr 2018 11:18] Harin Vadodaria
Hi Peter,

Can you please elaborate?
As I mentioned, server can not signal that it is running with --skip-grant-tables mode or else it will become target. Further, if client chooses to go ahead with server's default choice then server does not have any control because in such case client aborts connection. Clients like libmysqlclient do not depend on server's default and have their own way of choosing authentication mechanism.

Best Regards,
- Harin
[23 Apr 2018 11:23] Peter Laursen
I accepted this explanation: "as I mentioned, server can not signal that it is running with --skip-grant-tables mode or else it will become target" - though as --skip-networking is now implicit, it would be little problem if it did.
[23 Apr 2018 11:36] Harin Vadodaria
Hi Peter,

That's interesting! Yes, we are enabling --skip-networking so scope is limited. However, such an FR would again require client side changes (otherwise it would be a server side hack and imho not a good one).

Best Regards,
- Harin