MariaDB Server / MDEV-32665

Faking non-existing user during authentication throws confusing "unknown authentication plugin"

Details

    Description

      See e.g. https://stackoverflow.com/questions/76520710/authentication-plugin-auth-gssapi-client-cannot-be-loaded or https://stackoverflow.com/questions/77266689/sqlx-unknown-authentication-plugin-auth-gssapi-client-mariadb

      Since 10.11 (MDEV-26715), root user can connect using gssapi, e.g. if password not provided.

      GSSAPI is not supported by non-MariaDB Connectors, with one notable exception of community .NET connector (https://mysqlconnector.net). This is not a big deal, as we do not expect 3rd party application to use "root" user in applications, and even if they do, with correct password it would work.

      However trying to connect if the user does not exist, and MariaDB "faking" logic copies a root user, that runs authentication sequence, and ends up with "auth_gssapi is not supported".

      This

      • confuses people every time they see it, because they know they have not created gssapi users. There is, for example, a claim that MariaDB is using a different default authentication plugin https://onezeronull.com/2023/10/23/authentication-method-unknown-to-the-client/ (it does not)
      • Is, with a high probability, a giveaway for "user does not exist" condition, exactly what faking user logic was aimed to fix

      Perhaps, existing logic should be changed, so predefined users e.g. "root" are not used to fake a non-existing user.

          Activity

            wlad Vladislav Vaintroub created issue -

            serg Sergei Golubchik added a comment -

            I don't understand: if root will never be used for nonexistent users, then asking for the gssapi plugin will be a dead giveaway that the root user actually does exist and wasn't renamed, for example, like many do for a bit of extra security.

            Also, the first stackoverflow link is exactly about the root user, so faking is not even an issue here.

            The issue is that in the default installation the default user uses an authentication plugin that many connectors don't support. I don't know what can be done here, short of reverting MDEV-26715.

            serg Sergei Golubchik made changes -
            Fix Version/s N/A [ 14700 ]
            Resolution Won't Fix [ 2 ]
            Status Open [ 1 ] Closed [ 6 ]
            wlad Vladislav Vaintroub added a comment - - edited

            I assume it will be fixed this or that way there is some new default authentication plugin like described in MDEV-32618, and once users will start complaining.
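
A toy model of the trade-off argued in the description and in Sergei Golubchik's reply, added here as an example (it is not MariaDB code and not part of the issue). It shows what the advertised plugin tells a client under each policy; the account table, the probe names and the byte-sum selection rule are constructed assumptions.

```python
# Constructed account table (user -> auth plugin), modelled on the default
# install the issue describes: root may use gssapi, applications use passwords.
ACCOUNTS = {"root": "gssapi",
            "app": "mysql_native_password",
            "report": "mysql_native_password"}
PREDEFINED = {"root"}


def advertised_plugin(user, exclude_predefined):
    """Plugin the modelled server asks the client to switch to for `user`."""
    if user in ACCOUNTS:
        return ACCOUNTS[user]
    # Unknown name: borrow an existing account so the handshake still runs.
    # Byte-sum selection is a stand-in (assumption), not the server's hash.
    pool = sorted(u for u in ACCOUNTS
                  if not (exclude_predefined and u in PREDEFINED))
    return ACCOUNTS[pool[sum(user.encode()) % len(pool)]]


def what_plugin_reveals(names, plugin, exclude_predefined):
    """'exists', 'missing' or 'ambiguous' for names answered with `plugin`."""
    flags = {name in ACCOUNTS for name in names
             if advertised_plugin(name, exclude_predefined) == plugin}
    if len(flags) != 1:
        return "ambiguous"
    return "exists" if flags.pop() else "missing"


def compare_policies():
    app_names = ["app", "report", "alice", "bob", "dave"]  # constructed names
    with_root = ["root"] + app_names
    return {
        # Root row may be borrowed: an application name answered with gssapi is a fake.
        "borrow_root/app_names": what_plugin_reveals(app_names, "gssapi", False),
        # ... but the name "root" itself stays hidden among the fakes.
        "borrow_root/with_root": what_plugin_reveals(with_root, "gssapi", False),
        # Root row never borrowed: gssapi is now only ever sent for a real root.
        "skip_root/with_root": what_plugin_reveals(with_root, "gssapi", True),
    }


if __name__ == "__main__":
    for case, verdict in compare_policies().items():
        print(f"{case}: {verdict}")
```

Either policy leaves the plugin name acting as a signal as long as the predefined account uses a plugin that ordinary accounts do not, which is the point both commenters arrive at.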

            People

              serg Sergei Golubchik
              wlad Vladislav Vaintroub