[MDEV-31839] Interactive clients should print a warning (or error?) when passwords will be transmitted in cleartext - Jira

Details

Type: New Feature
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Fix Version/s: None
Component/s: Authentication and Privilege System, Plugin - pam
Labels:
None

Description

MariaDB Server has two client authentication plugins that can transmit passwords in cleartext:

dialog
mysql_clear_password

It is generally recommended to use TLS encryption when using either of these two client authentication plugins to ensure that passwords are not transmitted in cleartext.

Currently, interactive clients do not raise a warning or error when either of these plugins are used without TLS encryption.

Folks like jcd, markus makela, and esa.korhonen might have some input on how to implement this in a way that works with other MariaDB products.

Attachments

Activity

Ascending order - Click to sort in descending order

Geoff Montee (Inactive) created issue - 2023-08-03 18:08

markus makela added a comment - 2023-08-03 18:17 - edited

One way to pass information in a way that does not require an extra roundtrip like SHOW WARNINGS would require is to use the system variable session tracker. It can be used to pass arbitrary information to the client in the final OK packet sent after authentication. It's a little bit outside of the intended scope of the tracker but given the extremely useful ability to pass arbitrary text data to clients it's (IMO) a pretty nice idea.

This could also be used to deliver out-of-band messages to the client that would not require the use of the existing warning mechanism and could display warnings without needing user interaction. It could even be used to implement a MotD type global messages that would be displayed to connected clients when the administrator sets a global variable to some value.

markus makela added a comment - 2023-08-03 18:17 - edited One way to pass information in a way that does not require an extra roundtrip like SHOW WARNINGS would require is to use the system variable session tracker. It can be used to pass arbitrary information to the client in the final OK packet sent after authentication. It's a little bit outside of the intended scope of the tracker but given the extremely useful ability to pass arbitrary text data to clients it's (IMO) a pretty nice idea. This could also be used to deliver out-of-band messages to the client that would not require the use of the existing warning mechanism and could display warnings without needing user interaction. It could even be used to implement a MotD type global messages that would be displayed to connected clients when the administrator sets a global variable to some value.

Sergei Golubchik added a comment - 2023-09-06 21:39

In 11.3 we'll likely have TLS everywhere, enabled by default. There will be only a minority of users who'd use these plugins over a non-secure connection, as it would require them to disable ssl explicitly in my.cnf.

Sergei Golubchik added a comment - 2023-09-06 21:39 In 11.3 we'll likely have TLS everywhere, enabled by default. There will be only a minority of users who'd use these plugins over a non-secure connection, as it would require them to disable ssl explicitly in my.cnf .

Sergei Golubchik added a comment - 2023-10-04 06:56

markus makela, I'd rather suggest a separate session tracker, like session warning tracker, not sysvar tracker. and it needs a limit of how many warnings to send

Sergei Golubchik added a comment - 2023-10-04 06:56 markus makela , I'd rather suggest a separate session tracker, like session warning tracker, not sysvar tracker. and it needs a limit of how many warnings to send

markus makela added a comment - 2023-10-05 06:00

Yes, a separate session tracker would be ideal. Perhaps something like session_track_warnings=5 to limit it to 5 warnings.

markus makela added a comment - 2023-10-05 06:00 Yes, a separate session tracker would be ideal. Perhaps something like session_track_warnings=5 to limit it to 5 warnings.

Sergei Golubchik added a comment - 2023-10-12 13:42

markus makela, we're diverging. the original issue was about a client-side warning, not about how to send warnings from the server. server side warnings tracker needs a new issue

Sergei Golubchik added a comment - 2023-10-12 13:42 markus makela , we're diverging. the original issue was about a client-side warning, not about how to send warnings from the server. server side warnings tracker needs a new issue

Julien Fritsch made changes - 2023-11-30 16:29

Field	Original Value	New Value
Issue Type	Task [ 3 ]	New Feature [ 2 ]

People

Assignee:: Ralf Gebhardt

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023-08-03 18:08

Updated:: 2025-03-17 01:06

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.