[MDEV-30840] "Auth Switch Request" is sent with a specific user Created: 2023-03-13  Updated: 2023-03-17  Resolved: 2023-03-17

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Protocol
Affects Version/s: 10.11.2
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: David Rodrigues Assignee: Sergei Golubchik
Resolution: Not a Bug Votes: 0
Labels: None
Environment:

Windows


 Description   

Hello, in an absurdly strange way, depending on the username sent by the package, the server sends an Auth Switch Request to another plugin.

For example, suppose I send a request with the following format:

{{0000 62 00 00 01 08 82 28 01 ff ff ff ff 2d 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 00 72 61 6e 64 6f 6d 2d 75 73 65 72 2d
0030 30 2e 35 33 31 38 35 32 39 39 39 37 38 38 32 32
0040 39 32 00 00 6d 61 72 69 61 64 62 5f 61 6c 74 00
0050 6d 79 73 71 6c 5f 6e 61 74 69 76 65 5f 70 61 73
0060 73 77 6f 72 64 00}}

  • Capabilities base: 0x8209 (connect with database, speaks 4.1 protocol, can do 4.1 authentication)
  • Capabilities extended: 0x0128 (plugin auth, plugin auth LENENC client data, deprecate EOF)
  • Capabilities MariaDB: 0.
  • Max packet: 0xFFFFFFFF
  • Charset: 0x2D (utf8mb4_general_ci)
  • Username: random-user-0.5318529997882292
  • Schema: mariadb_alt
  • Client Auth Plugin: mysql_native_password

In this case, the user submitted is "random-user-0.5318529997882292". And it works perfectly and I get an intentional ERR Packet saying the user doesn't exist:

{{0000 61 00 00 02 ff 15 04 23 32 38 30 30 30 41 63 63
0010 65 73 73 20 64 65 6e 69 65 64 20 66 6f 72 20 75
0020 73 65 72 20 27 72 61 6e 64 6f 6d 2d 75 73 65 72
0030 2d 30 2e 35 33 31 38 35 32 39 39 39 37 38 38 32
0040 32 39 32 27 40 27 6c 6f 63 61 6c 68 6f 73 74 27
0050 20 28 75 73 69 6e 67 20 70 61 73 73 77 6f 72 64
0060 3y 20 4e 4f 29}}

  • Packet: ERR Packet (0xFF)
  • Error: 1045
  • SQL State: 28000
  • Message: Access denied for user 'random-user-0.5318529997882292'@'localhost' (using password: NO)

However, if I send the user "random-user-0.5318529997882291" (same amount of data, I just changed the "2" at the end to "1"), the response is:

{{0000 30 00 00 02 fe 63 6c 69 65 6e 74 5f 65 64 32 35
0010 35 31 39 00 fa f4 86 95 e5 17 39 c6 c9 bd 66 b6
0020 c4 34 08 32 4e f5 d5 1a a1 db 8b db bb fe 4c b5
0030 1d 82 02 6a}}

  • Packet: EOF Packet (0xFE)
  • Auth Method Name: client_ed25519
  • Auth Method Data: (...)

For some reason I don't know what it is, some usernames will request a different protocol than the required one, which in this case would be "mysql_native_password".

 Comments   
Comment by David Rodrigues [ 2023-03-16 ]

I did a test with a clean install of MariaDB 10.11.2 and all works fine, without Auth Switch Request.

So I found the reason. I have build the mariadb node driver and run the tests. It creates a lot of testing users. For some reason, when I try to connect and it fails, it try to connect to another users with different connection plugins, but strangely it depends on user name (as examplified before).

Anyway, I just droped users and all works again.

Comment by Sergei Golubchik [ 2023-03-17 ]

This is an intentional obfuscation feature. Imagine, all users use ed25519 plugin. Then if the server would immediately reply with an ERR packet for all non-existent users, one would be able use it to find whether a user exists. Because for an existing user it would've been "auth switch request" to ed25519.

Say, you have many users with ed25519 and only one with mysql_native_password. Then one wouldn't be able to say for sure that a given username doesn't exist (because it could've been a user with mysql_native_password), but "auth switch request" would've definitely mean an existing user.

MariaDB counters that by pretending that all usernames (even from non-existent users) have some auth plugin, with the same probability as for randomly selected existing user. So if 10% existing users use mysql_native_password and 90% users use ed25519, then with random user names you'll get 10% ERR packets and 90% "auth switch to ed25519" packets. And it'll leak no information about what usernames are real.

And it's important to return always the same reply to a given incoming username. If the reaction would be random, sometimes ERR and sometimes "auth switch" for the same username — that would also mean that the user doesn't exist

Comment by David Rodrigues [ 2023-03-17 ]

It's pretty confusing, but upon reflection, it's an amazing strategy indeed!

Generated at Thu Feb 08 10:19:18 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.