
ed25519 authentication plugin create user statement trigger plain text password in audit log

Details

    Description

      For version 10.6.19-15-MariaDB-enterprise: when creating a user with ed25519 authentication, the plain-text password is written to the audit file.

      Create user statement:
      MariaDB [(none)]> create user ed255191@'%' IDENTIFIED VIA ed25519 USING PASSWORD('Bnfjusdjg@123');
      Query OK, 0 rows affected (0.031 sec)

      Audit log entry:
      20241011 01:24:06,rocky1,root,localhost,4,25,QUERY,,'create user ed255191@\'%\' IDENTIFIED VIA ed25519 USING PASSWORD(\'Bnfjusdjg@123\')',0

      Attachments

        Activity

          test suite

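          # Regression test for MDEV-35507: CREATE/ALTER USER, SET PASSWORD and
          # GRANT must not write the plain-text password into the server_audit
          # log, including the ed25519 "USING PASSWORD('...')" form.
          --source include/have_plugin_auth.inc
          --source include/not_embedded.inc

          if (!$SERVER_AUDIT_SO) {
            skip No SERVER_AUDIT plugin;
          }
          if (!$AUTH_ED25519_SO) {
            skip No auth_ed25519 plugin;
          }
          # NOTE(review): presumably disabled so each statement is logged once as
          # plain query text instead of being re-run over the ps2 protocol — confirm.
          --disable_ps2_protocol

          let $MYSQLD_DATADIR= `SELECT @@datadir`;
          # The audit log is grepped below and deleted on cleanup so the test
          # secret does not outlive the test run.
          let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log;

          install plugin ed25519 soname 'auth_ed25519';
          install plugin server_audit soname 'server_audit';

          set global server_audit_file_path='server_audit.log';
          set global server_audit_output_type=file;
          set global server_audit_logging=on;

          --echo # unsafe to log passwords (pwd_123)

          # Every statement carries the same test secret, pwd_123, so the single
          # SEARCH_PATTERN below covers all of them. The original mixed pwd-123
          # and pwd_123, which let a leak from the last three statements go
          # undetected by the pwd_123 search.
          CREATE USER u1 IDENTIFIED BY 'pwd_123';
          create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123');
          SET PASSWORD FOR u1 = PASSWORD('pwd_123');
          ALTER USER u1 IDENTIFIED BY 'pwd_123';
          alter user u2 identified VIA ed25519 USING password('pwd_123');
          GRANT ALL ON test TO u1 IDENTIFIED BY "pwd_123";
          GRANT ALL ON test TO u1 identified VIA ed25519 USING password('pwd_123');

          # Negative check: the secret must not appear anywhere in the log.
          --let SEARCH_PATTERN=pwd_123
          --echo # pattern should not be found
          --source include/search_pattern_in_file.inc
          --echo # pattern should not be found

          --echo # cleaunup
          DROP USER u1;
          DROP USER u2;
          set global server_audit_logging=off;
          # Delete the log so the test statements (and any leaked secret) do not
          # persist in the datadir.
          --remove_file $SEARCH_FILE
          UNINSTALL PLUGIN ed25519;
          UNINSTALL PLUGIN server_audit;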
          

          sanja Oleksandr Byelkin added a comment - test suite (full text above)

          fixed and enhanced code

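          # Regression test for MDEV-35507: the server_audit plugin must mask the
          # password in every CREATE/ALTER USER, SET PASSWORD and GRANT form,
          # including ed25519's "USING PASSWORD('...')" and "AS PASSWORD('...')".
          --source include/have_plugin_auth.inc
          --source include/not_embedded.inc

          if (!$SERVER_AUDIT_SO) {
            skip No SERVER_AUDIT plugin;
          }
          if (!$AUTH_ED25519_SO) {
            skip No auth_ed25519 plugin;
          }
          # NOTE(review): presumably disabled so each statement is logged once as
          # plain query text instead of being re-run over the ps2 protocol — confirm.
          --disable_ps2_protocol

          let $MYSQLD_DATADIR= `SELECT @@datadir`;
          # The audit log is grepped below and deleted on cleanup so the test
          # secret does not outlive the test run.
          let SEARCH_FILE= $MYSQLD_DATADIR/server_audit.log;

          install plugin ed25519 soname 'auth_ed25519';
          install plugin server_audit soname 'server_audit';

          set global server_audit_file_path='server_audit.log';
          set global server_audit_output_type=file;
          set global server_audit_logging=on;

          --echo # unsafe to log passwords (pwd_123)

          # All statements use the single test secret pwd_123 so that one
          # SEARCH_PATTERN below covers every form.
          CREATE USER u1 IDENTIFIED BY 'pwd_123';
          create user u2 IDENTIFIED VIA ed25519 USING PASSWORD('pwd_123');
          SET PASSWORD FOR u1 = PASSWORD('pwd_123');
          ALTER USER u1 IDENTIFIED BY 'pwd_123';
          alter user u2 identified VIA ed25519 USING password('pwd_123');
          GRANT ALL ON test TO u1 IDENTIFIED BY "pwd_123";
          GRANT ALL ON test TO u1 identified VIA ed25519 as password('pwd_123') or ed25519 using password('pwd_123');

          # Positive control: prove the statements actually reached the audit
          # log. Without it the "not found" check below passes vacuously when
          # logging is silently off or the file is empty. Assumes the log keeps
          # the statement text verbatim apart from the masked secret — verify
          # against a masked entry.
          --let SEARCH_PATTERN=CREATE USER u1
          --echo # pattern should be found
          --source include/search_pattern_in_file.inc

          # Negative check: the secret itself must not appear anywhere in the log.
          --let SEARCH_PATTERN=pwd_123
          --echo # pattern should not be found
          --source include/search_pattern_in_file.inc
          --echo # pattern should not be found

          --echo # cleaunup
          DROP USER u1;
          DROP USER u2;
          set global server_audit_logging=off;
          # Delete the log so the test statements (and any leaked secret) do not
          # persist in the datadir.
          --remove_file $SEARCH_FILE
          --disable_warnings
          UNINSTALL PLUGIN ed25519;
          UNINSTALL PLUGIN server_audit;
          --enable_warnings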
          

          sanja Oleksandr Byelkin added a comment - fixed and enhanced code (full text above)

          commit eadcc2a3c4a9f2f465d525a0e5192cd2547e4173 (HEAD -> bb-10.5-MDEV-35507, origin/bb-10.5-MDEV-35507)
          Author: Oleksandr Byelkin <sanja@mariadb.com>
          Date:   Wed Nov 27 14:40:02 2024 +0100
           
              MDEV-35507 ed25519 authentication plugin create user statement trigger plain text password in audit log
              
              Mask also all cases of "password(PWD" in CREATE/ALTER USER and GRANT.
              (minimal fix)
          

          sanja Oleksandr Byelkin added a comment - commit eadcc2a3c4a9f2f465d525a0e5192cd2547e4173 (full text above)

          ok to push

          serg Sergei Golubchik added a comment - ok to push

          People

            sanja Oleksandr Byelkin
            vigneswara.bandi Venkata Vigneswara Reddy Bandi
