MariaDB Connector/C: CONC-544

No downgrade protection for ed25519 client authentication

Description

      As discussed on this thread (https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/#comment-48934), there is no existing downgrade protection on the client that could prevent a compromised server from forcing the client down to simple password auth and thereby stealing the long-term credentials.

      This defeats one of the stated goals:
      "With the goal that not the traffic sniffing, not the mysql.user table, not both together, not even a fully compromised server would be able to recover the password"

      A compromised server can downgrade the auth to simple password and thereby recover it on next client authentication.

      Activity

            serg Sergei Golubchik added a comment -

            Perhaps a client connector can have some option to limit the set of plugins to "secure" ones? Maybe with MYSQL_ENABLE_CLEARTEXT_PLUGIN or some more appropriate option.

            serg Sergei Golubchik added a comment -

            Maybe also mysql_old_password, sha256_password, and caching_sha2_password — they all allow a malicious server to get the client password in plain-text.

            This is why MYSQL_ENABLE_CLEARTEXT_PLUGIN is not a perfect match. It was introduced to prevent an eavesdropper from seeing the plain-text password. We can either extend its semantics to cover the case of a malicious server or introduce a new flag, if this is an attack vector we actually consider important.
            georg Georg Richter added a comment -

            commit 7e0be5a9191102bcf6cbc47bea61d56ddc0be7a9 (HEAD -> 3.3, origin/3.3)
            Author: Georg Richter <georg@mariadb.com>
            Date: Tue Sep 14 06:24:56 2021 +0200

            CONC-544: restrict authentication plugins

            Added new option MARIADB_OPT_RESTRICTED_AUTH (and corresponding
            "restricted-auth" option for configuration files) which specifies
            one or more comma separated authentication plugins which are allowed
            for authentication.

            If the server asks for an authentication plugin not listed in this
            option the connect attempt will fail with error CR_PLUGIN_NOT_ALLOWED.

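The commit above describes an allow-list: the client names the authentication plugins it accepts, and a server that asks for anything else is refused. The following C program is an added, constructed model of that check and is not the connector's own implementation. It assumes the plugin names the server sends are the usual client-side names (for example "client_ed25519" for ed25519 and "mysql_clear_password" for clear-text), and the comment block shows how the real option is set through the connector's mysql_optionsv() call and the "restricted-auth" configuration key from the commit message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the CONC-544 allow-list check (not connector code).
 * With MariaDB Connector/C the list is set programmatically with
 *     mysql_optionsv(mysql, MARIADB_OPT_RESTRICTED_AUTH, "client_ed25519");
 * or from a configuration file:
 *     [client]
 *     restricted-auth=client_ed25519
 * and a connect attempt fails with CR_PLUGIN_NOT_ALLOWED when the server
 * asks for a plugin that is not listed.
 */

/* Return true if `requested` is one of the comma separated names in
 * `restricted`. A NULL or empty list means "no restriction", i.e. the
 * pre-CONC-544 behaviour where any server-chosen plugin is accepted. */
bool auth_plugin_allowed(const char *restricted, const char *requested)
{
    if (restricted == NULL || *restricted == '\0')
        return true;
    if (requested == NULL)
        return false;

    size_t want = strlen(requested);
    const char *p = restricted;
    while (*p) {
        while (*p == ' ')              /* tolerate "a, b" as well as "a,b" */
            p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len > 0 && p[len - 1] == ' ')   /* trim trailing blanks */
            len--;
        if (len == want && strncmp(p, requested, len) == 0)
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Decision taken when the initial handshake or an authentication switch
 * request names a plugin. Returns 0 to continue the handshake, or -1 where
 * the real connector would abort with CR_PLUGIN_NOT_ALLOWED. */
int on_server_plugin_request(const char *restricted, const char *server_plugin)
{
    if (auth_plugin_allowed(restricted, server_plugin))
        return 0;
    fprintf(stderr, "refusing auth plugin '%s': not in restricted-auth list '%s'\n",
            server_plugin, restricted);
    return -1;
}

int main(void)
{
    /* Constructed scenario: the client pins ed25519; the peer answers with
     * a plugin that would hand it the password in clear. */
    const char *policy = "client_ed25519";
    printf("ed25519 request:    %d\n", on_server_plugin_request(policy, "client_ed25519"));
    printf("clear-text request: %d\n", on_server_plugin_request(policy, "mysql_clear_password"));
    printf("native request:     %d\n", on_server_plugin_request(policy, "mysql_native_password"));
    return 0;
}
```

The list is matched by exact plugin name, so a policy of "client_ed25519" also rejects mysql_native_password; if both must remain usable during a migration, list both, and tighten the list once every account has moved to ed25519.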

            People

              georg Georg Richter
              Kenny Kenny Simpson