Lack of support for sha256_password authentication plugin #1758
Comments
Probably needs #1730 to land first. Auth switch is very similar to plugin authentication.

@elemount do you know any more details about what's actually sent with the sha256_password handshake? Trying to make a simple POC using mysql2 and an authSwitch request handler. Documentation is not great; from what I see, the password is encrypted using the RSA public key if there is no SSL (and a public key is configured), but I'm not sure what other transformations are applied. I can see the same 20-byte salt as with mysql_native_password. Might just try the same.

@sidorares This commit on PyMySQL can explain how sha256_password works: PyMySQL/PyMySQL@1f62803. Only about 60 lines for the whole auth.

Thanks for the link @elemount, very helpful!
Summary from PyMySQL:
server: AuthSwitch('sha256_password', 20 bytes salt) (actually 21, the last one is always 0, only 20 are used)
if SSL
if no SSL and no public key - fail

And the client driver can provide the public key; if there is no public key, the client driver can send a packet with 0x01, which means AuthMoreData, to retrieve the public key.

2 seems strange. If traffic is unencrypted, a MITM could replace the key, then decode the password and re-encode it using the server key.
I'm testing using the instructions from https://dev.mysql.com/doc/refman/5.7/en/sha256-pluggable-authentication.html - the default plugin is still native auth, just one single user with sha256_password created; the client connects with this user name/pass and then tries to handle the auth switch.
@elemount could you assist me in setting up the mysql server? I'm using docker, and it keeps complaining about
I suspect the version on docker hub is built using YaSSL and does not have RSA support. Do you know any other image that allows easy key configuration (or has them preconfigured)?

@sidorares MySQL that supports sha256_password with RSA must be built with OpenSSL, via cmake -DWITH_SSL=system. The default is built with YaSSL. Let me find a way to deliver a MySQL docker image with OpenSSL.
I'm using MySQL with the sha256_password authentication plugin (https://dev.mysql.com/doc/refman/5.7/en/sha256-pluggable-authentication.html).
This is mainly because SHA1, which MySQL defaults to, is not secure. Please refer to http://mysqlserverteam.com/protecting-mysql-passwords-with-the-sha256_password-plugin/ and https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
I found mysqljs does not support this feature yet. Do you have any plan to support it? If not, could I contribute some code for that?