[MDEV-35507] ed25519 authentication plugin create user statement trigger plain text password in audit log - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6
Fix Version/s: 10.5.28, 10.6.21, 10.11.11, 11.4.5, 11.7.2
Component/s: Plugin - Audit
Labels:
None

Description

for version 10.6.19-15-MariaDB-enterprise while creating user using ed255191 authentication, plain text password writing to audit file.

Create user statement:
MariaDB [(none)]> create user ed255191@'%' IDENTIFIED VIA ed25519 USING PASSWORD('Bnfjusdjg@123');
Query OK, 0 rows affected (0.031 sec)

Audit log entry:
20241011 01:24:06,rocky1,root,localhost,4,25,QUERY,,'create user ed255191@\'%\' IDENTIFIED VIA ed25519 USING PASSWORD(\'Bnfjusdjg@123\')',0

Attachments

Activity

Ascending order - Click to sort in descending order

Oleksandr Byelkin added a comment - 2024-11-26 15:38

test suite

--source include/have_plugin_auth.inc

--source include/not_embedded.inc

if (!$SERVER_AUDIT_SO) {

  skip No SERVER_AUDIT plugin;

if (!$AUTH_ED25519_SO) {

  skip No auth_ed25519 plugin;

--disable_ps2_protocol

let $MYSQLD_DATADIR= `SELECT @@datadir`;

let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log;

install plugin ed25519 soname 'auth_ed25519';

install plugin server_audit soname 'server_audit';

set global server_audit_file_path='server_audit.log';

set global server_audit_output_type=file;

set global server_audit_logging=on;

--echo # unsafe to log passwords (pwd-123)

CREATE USER u1 IDENTIFIED BY 'pwd_123';

create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123');

SET PASSWORD FOR u1 = PASSWORD('pwd_123');

ALTER USER u1 IDENTIFIED BY 'pwd_123';

alter user u2 identified VIA ed25519 USING password('pwd-123');

GRANT ALL ON test TO u1 IDENTIFIED BY "pwd-123";

GRANT ALL ON test TO u1 identified VIA ed25519 USING password('pwd-123');

--let SEARCH_PATTERN=pwd_123

--echo # pattern should not be found

--source include/search_pattern_in_file.inc

--echo # pattern should not be found

--echo # cleaunup

DROP USER u1;

DROP USER u2;

set global server_audit_logging=off;

--remove_file $SEARCH_FILE

UNINSTALL PLUGIN ed25519;

UNINSTALL PLUGIN server_audit;

Oleksandr Byelkin added a comment - 2024-11-26 15:38 test suite --source include/have_plugin_auth.inc --source include/not_embedded.inc if (!$SERVER_AUDIT_SO) { skip No SERVER_AUDIT plugin; } if (!$AUTH_ED25519_SO) { skip No auth_ed25519 plugin; } --disable_ps2_protocol let $MYSQLD_DATADIR= `SELECT @@datadir`; let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log; install plugin ed25519 soname 'auth_ed25519'; install plugin server_audit soname 'server_audit'; set global server_audit_file_path='server_audit.log'; set global server_audit_output_type=file; set global server_audit_logging=on; --echo # unsafe to log passwords (pwd-123) CREATE USER u1 IDENTIFIED BY 'pwd_123'; create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123'); SET PASSWORD FOR u1 = PASSWORD('pwd_123'); ALTER USER u1 IDENTIFIED BY 'pwd_123'; alter user u2 identified VIA ed25519 USING password('pwd-123'); GRANT ALL ON test TO u1 IDENTIFIED BY "pwd-123"; GRANT ALL ON test TO u1 identified VIA ed25519 USING password('pwd-123'); --let SEARCH_PATTERN=pwd_123 --echo # pattern should not be found --source include/search_pattern_in_file.inc --echo # pattern should not be found --echo # cleaunup DROP USER u1; DROP USER u2; set global server_audit_logging=off; --remove_file $SEARCH_FILE UNINSTALL PLUGIN ed25519; UNINSTALL PLUGIN server_audit;

Oleksandr Byelkin added a comment - 2024-11-27 13:35

fixed and enhanced code

--source include/have_plugin_auth.inc

--source include/not_embedded.inc

if (!$SERVER_AUDIT_SO) {

  skip No SERVER_AUDIT plugin;

if (!$AUTH_ED25519_SO) {

  skip No auth_ed25519 plugin;

--disable_ps2_protocol

let $MYSQLD_DATADIR= `SELECT @@datadir`;

let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log;

install plugin ed25519 soname 'auth_ed25519';

install plugin server_audit soname 'server_audit';

set global server_audit_file_path='server_audit.log';

set global server_audit_output_type=file;

set global server_audit_logging=on;

--echo # unsafe to log passwords (pwd-123)

CREATE USER u1 IDENTIFIED BY 'pwd_123';

create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123');

SET PASSWORD FOR u1 = PASSWORD('pwd_123');

ALTER USER u1 IDENTIFIED BY 'pwd_123';

alter user u2 identified VIA ed25519 USING password('pwd_123');

GRANT ALL ON test TO u1 IDENTIFIED BY "pwd_123";

GRANT ALL ON test TO u1 identified VIA ed25519 as password('pwd_123') or ed25519 using password('pwd_123');

--let SEARCH_PATTERN=pwd_123

--echo # pattern should not be found

--source include/search_pattern_in_file.inc

--echo # pattern should not be found

--echo # cleaunup

DROP USER u1;

DROP USER u2;

set global server_audit_logging=off;

--remove_file $SEARCH_FILE

--disable_warnings

UNINSTALL PLUGIN ed25519;

UNINSTALL PLUGIN server_audit;

--enable_warnings

Oleksandr Byelkin added a comment - 2024-11-27 13:35 fixed and enhanced code --source include/have_plugin_auth.inc --source include/not_embedded.inc if (!$SERVER_AUDIT_SO) { skip No SERVER_AUDIT plugin; } if (!$AUTH_ED25519_SO) { skip No auth_ed25519 plugin; } --disable_ps2_protocol let $MYSQLD_DATADIR= `SELECT @@datadir`; let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log; install plugin ed25519 soname 'auth_ed25519'; install plugin server_audit soname 'server_audit'; set global server_audit_file_path='server_audit.log'; set global server_audit_output_type=file; set global server_audit_logging=on; --echo # unsafe to log passwords (pwd-123) CREATE USER u1 IDENTIFIED BY 'pwd_123'; create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123'); SET PASSWORD FOR u1 = PASSWORD('pwd_123'); ALTER USER u1 IDENTIFIED BY 'pwd_123'; alter user u2 identified VIA ed25519 USING password('pwd_123'); GRANT ALL ON test TO u1 IDENTIFIED BY "pwd_123"; GRANT ALL ON test TO u1 identified VIA ed25519 as password('pwd_123') or ed25519 using password('pwd_123'); --let SEARCH_PATTERN=pwd_123 --echo # pattern should not be found --source include/search_pattern_in_file.inc --echo # pattern should not be found --echo # cleaunup DROP USER u1; DROP USER u2; set global server_audit_logging=off; --remove_file $SEARCH_FILE --disable_warnings UNINSTALL PLUGIN ed25519; UNINSTALL PLUGIN server_audit; --enable_warnings

Oleksandr Byelkin added a comment - 2024-11-27 14:28

commit eadcc2a3c4a9f2f465d525a0e5192cd2547e4173 (HEAD -> bb-10.5-MDEV-35507, origin/bb-10.5-MDEV-35507)

Author: Oleksandr Byelkin <sanja@mariadb.com>

Date:   Wed Nov 27 14:40:02 2024 +0100

    MDEV-35507 ed25519 authentication plugin create user statement trigger plain text password in audit log

    Mask also all cases of "password(PWD" in CREATE/ALTER USER and GRANT.

    (minimal fix)

Oleksandr Byelkin added a comment - 2024-11-27 14:28 commit eadcc2a3c4a9f2f465d525a0e5192cd2547e4173 (HEAD -> bb-10.5-MDEV-35507, origin/bb-10.5-MDEV-35507) Author: Oleksandr Byelkin <sanja@mariadb.com> Date: Wed Nov 27 14:40:02 2024 +0100 MDEV-35507 ed25519 authentication plugin create user statement trigger plain text password in audit log Mask also all cases of "password(PWD" in CREATE/ALTER USER and GRANT. (minimal fix)

Sergei Golubchik added a comment - 2024-11-27 17:07

ok to push

Sergei Golubchik added a comment - 2024-11-27 17:07 ok to push

People

Assignee:: Oleksandr Byelkin

Reporter:: Venkata Vigneswara Reddy Bandi

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2024-10-11 07:05

Updated:: 2025-03-13 11:40

Resolved:: 2024-11-27 19:31

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server