[MDEV-27215] Interactive password fails if the passphrase is too long
Created: 2021-12-09  Updated: 2023-09-19

Status: Confirmed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.5
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug
Priority: Major
Reporter: Anthony Bourguignon
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Environment:

Debian bullseye



 Description   

Hi,

There apparently is a bug which causes authentication to fail if the user's password is too long. If you want to test, create a database and a user with a 128-character-long password (I used pwgen 128 1).

Try to connect with those credentials with:
mariadb -h 127.0.0.1 -u <user> -p<password> <database>
and it should work. But if you try the interactive version:
mariadb -h 127.0.0.1 -u <user> -p <database>
the login will fail with the error
ERROR 1045 (28000): Access denied

I've created a bug in the Debian tracker if you want to see the tests:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001385

Thanks



 Comments   
Comment by Daniel Black [ 2021-12-10 ]

Appears to be an 80 limit - https://github.com/MariaDB/server/blob/10.8/mysys/get_password.c#L155

You've probably discovered as a non-interactive the limit is higher or not there at all (command line, MYSQL_PWD env variable).

An actual error of the truncation would be an improvement over Access Denied.

Comment by Anthony Bourguignon [ 2021-12-10 ]

Thanks for your answer. A truncation warning would be an improvement but in my opinion, there shouldn’t be any limitation, like there is apparently not with other methods. Or the limitation should be everywhere. Couldn’t we afford to increase the buffer to at least 1024 characters? Why this arbitrary limit of 80?

Thanks again for your fast answer.
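
The failure mode discussed in the comments above, as an added example that is not MariaDB's code: a prompt reader that silently keeps only what fits in a fixed buffer, next to one that reports an over-long entry instead of sending a truncated secret. The 80-byte buffer (79 characters plus terminator), the function names and the string standing in for the terminal are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PW_BUF 80 /* assumed buffer size, taken from the "80 limit" in the comments */

/* "typed" is a constructed stand-in for terminal keystrokes, ending at '\n' or NUL.
   Silent variant: keeps what fits (cap >= 1), drops the rest, reports nothing. */
size_t read_pw_truncating(const char *typed, char *out, size_t cap)
{
    size_t n = 0;
    for (; *typed && *typed != '\n'; typed++)
        if (n + 1 < cap)
            out[n++] = *typed;
    out[n] = '\0';
    return n;
}

/* Checked variant: returns 0 on success, -1 if the input does not fit (cap >= 1).
   On failure the partial secret is wiped so a truncated password is never used. */
int read_pw_checked(const char *typed, char *out, size_t cap)
{
    size_t n = 0;
    for (; *typed && *typed != '\n'; typed++) {
        if (n + 1 >= cap) { memset(out, 0, cap); return -1; }
        out[n++] = *typed;
    }
    out[n] = '\0';
    return 0;
}

/* Builds a constructed password of `len` characters (len < 256) and reports
   whether the silent reader hands back exactly what was typed. */
int silent_reader_preserves(size_t len)
{
    char typed[257], got[PW_BUF];
    for (size_t i = 0; i < len; i++)
        typed[i] = (char)('a' + i % 26);
    typed[len] = '\n';
    typed[len + 1] = '\0';
    size_t n = read_pw_truncating(typed, got, sizeof got);
    return n == len && strncmp(typed, got, len) == 0;
}

int main(void)
{
    printf("79 chars preserved: %d, 128 chars preserved: %d\n",
           silent_reader_preserves(79), silent_reader_preserves(128));
    return 0;
}
```

With the silent reader a 128-character entry reaches the authentication step as a different, shorter string, which the server can only answer with a generic access-denied error; the checked reader lets the client say why.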
