[MDEV-12160] Modern alternative to the SHA1 authentication plugin - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 10.1.22, 10.2.5
Component/s: Authentication and Privilege System
Labels:
None

Sprint:
10.1.22

Description

Authentication plugin that

uses a crypto-hash that is considered secure nowadays
does not allow to get the password even if mysql.user is read and the authentication exchange is intercepted
as easy to use as native_mysql_authentication plugin, no public/private key files or anything
pure plugin

Attachments

Issue Links

duplicates

MDEV-12701 ACL secured by SHA1 algorithm too weak/out dated

Closed

relates to

CONJ-501 provide support for authentication plugin ed25519

Closed

MDEV-9804 Implement a caching_sha256_password plugin

Open

MDEV-12320 configurable default authentication plugin for the server

Stalled

MDEV-12321 authentication plugin: SET PASSWORD support

Closed

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik created issue - 2017-03-01 14:08

Rasmus Johansson (Inactive) made changes - 2017-03-01 15:05

Field	Original Value	New Value
Summary	SHA-3 authenticatication plugin	SHA-3 authentication plugin

Sergei Golubchik made changes - 2017-03-01 21:33

Priority

Major [ 3 ]

Critical [ 2 ]

Sergei Golubchik made changes - 2017-03-01 21:50

Summary

SHA-3 authentication plugin

SHA-2 (or SHA-3) authentication plugin

Sergei Golubchik made changes - 2017-03-01 21:52

Description

Authentication plugin that
* uses a crypto-hash that is considered secure nowadays
* does not allow to get the password even if {{mysql.user}} is read and the authentication exchange is intercepted
* as easy to use as native_mysql_authentication plugin, no public/private key files or anything
* pure plugin

Authentication plugin that
* uses a crypto-hash that is considered secure nowadays (*not* SHA-1)
* does not allow to get the password even if {{mysql.user}} is read and the authentication exchange is intercepted
* as easy to use as native_mysql_authentication plugin, no public/private key files or anything
* pure plugin

Sergei Golubchik made changes - 2017-03-01 21:52

Description

Rasmus Johansson (Inactive) made changes - 2017-03-02 12:17

Sprint

10.1.22 [ 143 ]

Sergei Golubchik made changes - 2017-03-06 09:40

Summary

SHA-2 (or SHA-3) authentication plugin

Modern alternative to the SHA1 authentication plugin

Daniel Black added a comment - 2017-03-07 01:40

Probably to help define what is it is, uses:

Slave to master authentication
Application to mariadb server authentication for web scripts etc

Rough thoughts:

Registration:

Using modern authentication, the first use creates a registration with the server with the server and saves one side of the authentication (as a local file) and the server saves the other side (in the users table).
The user is created without permissions
A server administrator with existing permissions creates grants for the user
"Change Master TO" could also use the same registration if PASSWORD was made optional (could help simplify the easiest part of MDEV-7502)
Todo - optional MITM registration protection
( Assumptions: database servers are installed in network environments where the risk of a DoS though registration is low, however its not totally risk free and a post process to enable the registration is required )

Connection:

The client connection will mmap the file used in registration and will use DH aspects of a key exchange to prevent MITM
A shared secret will be provided to the client and stored in shared memory (mmap MAP_SHARED) with the other process by the client plugin using the same user (i.e. php-fpm, and equivalent for other languages)

Subsequent connections:

use a HMAC based authentication from the shared secret in shared memory (for CPU speed in computation and less exchanges compared to DH)

Daniel Black added a comment - 2017-03-07 01:40 Probably to help define what is it is, uses: Slave to master authentication Application to mariadb server authentication for web scripts etc Rough thoughts: Registration: Using modern authentication, the first use creates a registration with the server with the server and saves one side of the authentication (as a local file) and the server saves the other side (in the users table). The user is created without permissions A server administrator with existing permissions creates grants for the user "Change Master TO" could also use the same registration if PASSWORD was made optional (could help simplify the easiest part of MDEV-7502 ) Todo - optional MITM registration protection ( Assumptions: database servers are installed in network environments where the risk of a DoS though registration is low, however its not totally risk free and a post process to enable the registration is required ) Connection: The client connection will mmap the file used in registration and will use DH aspects of a key exchange to prevent MITM A shared secret will be provided to the client and stored in shared memory (mmap MAP_SHARED) with the other process by the client plugin using the same user (i.e. php-fpm, and equivalent for other languages) Subsequent connections: use a HMAC based authentication from the shared secret in shared memory (for CPU speed in computation and less exchanges compared to DH)

Sergei Golubchik added a comment - 2017-03-07 08:46

I'm currently just looking to replace SHA1-based password auth. So the new one should do the same — get the password from the client to the server, so that the server could compare it, without actually seeing or storing the password.

I'd rather avoid saving files on the server or client side, I think it complicates usage.

btw, my working prototype uses ed25519.

Sergei Golubchik added a comment - 2017-03-07 08:46 I'm currently just looking to replace SHA1-based password auth. So the new one should do the same — get the password from the client to the server, so that the server could compare it, without actually seeing or storing the password. I'd rather avoid saving files on the server or client side, I think it complicates usage. btw, my working prototype uses ed25519.

Sergei Golubchik made changes - 2017-03-07 14:01

Status

Open [ 1 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2017-03-07 17:51

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2017-03-10 17:55

Fix Version/s		10.1.22 [ 22502 ]
Fix Version/s		10.2.5 [ 22117 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	5.5 [ 15800 ]
Fix Version/s	10.0 [ 16000 ]
Fix Version/s	10.1 [ 16100 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2017-03-22 10:26

Link

This issue relates to MDEV-9804 [ MDEV-9804 ]

Sergei Golubchik made changes - 2017-03-26 09:22

Link

This issue relates to MDEV-12320 [ MDEV-12320 ]

Sergei Golubchik made changes - 2017-03-26 09:23

Link

This issue relates to ~~MDEV-12321~~ [ ~~MDEV-12321~~ ]

Sergei Golubchik made changes - 2017-05-05 12:34

Link

This issue duplicates ~~MDEV-12701~~ [ ~~MDEV-12701~~ ]

Diego Dupin made changes - 2017-06-29 16:29

Link

This issue relates to ~~CONJ-501~~ [ ~~CONJ-501~~ ]

Sergei Golubchik made changes - 2021-12-06 21:23

Workflow

MariaDB v3 [ 79802 ]

MariaDB v4 [ 133139 ]

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017-03-01 14:08

Updated:: 2017-06-29 16:29

Resolved:: 2017-03-10 17:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration