- Type: Task
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 10.4.0
- Component/s: Authentication and Privilege System
- Labels:

A user recently found out that the password for his 'root'@'localhost' account was being ignored. It turns out that his build of MariaDB uses unix_socket authentication by default for that user account. However, he was not aware of that, so he still attempted to set a password for this user account. He was also not familiar with the unix_socket plugin, so he was quite confused when he discovered that he could log into MariaDB without supplying a password after he explicitly set one.
The user suggested that it might be worthwhile for the server to throw a warning when a user's provided login password is ignored. For security reasons, it might make sense to only write the warning to the server's error log. Maybe this warning could be toggled on/off based on the value of log_warnings, similar to the other warnings thrown by authentication issues.
I'm not entirely familiar with the internals of the authentication plugin API, so I don't know how practical this feature request is with the current implementation.

- is blocked by: MDEV-12321 authentication plugin: SET PASSWORD support (Closed)
- relates to: MDEV-17169 password ignored with root login (Closed)