[MDEV-32665] Faking non-existing user during authentication throws confusing "unknown authentication plugin" Created: 2023-11-02  Updated: 2023-12-04  Resolved: 2023-12-04

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.11
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Vladislav Vaintroub Assignee: Sergei Golubchik
Resolution: Won't Fix Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-26715 Windows - passwordless login for mari... Closed

 Description   

See e.g. https://stackoverflow.com/questions/76520710/authentication-plugin-auth-gssapi-client-cannot-be-loaded or https://stackoverflow.com/questions/77266689/sqlx-unknown-authentication-plugin-auth-gssapi-client-mariadb

Since 10.11 (MDEV-26715), the root user can connect using gssapi, e.g. if a password is not provided.

GSSAPI is not supported by non-MariaDB Connectors, with the one notable exception of the community .NET connector (https://mysqlconnector.net). This is not a big deal, as we do not expect 3rd-party applications to use the "root" user, and even if they do, with the correct password it would work.

However, when trying to connect as a user that does not exist, MariaDB's "faking" logic copies a root user, which runs the authentication sequence and ends up with "auth_gssapi is not supported".

This

  • Is, with a high probability, a giveaway for the "user does not exist" condition, exactly what the faking user logic was aimed to fix

Perhaps the existing logic should be changed so that predefined users, e.g. "root", are not used to fake a non-existing user.



 Comments   
Comment by Sergei Golubchik [ 2023-12-04 ]

I don't understand. If root will never be used for nonexistent users, then asking for the gssapi plugin will be a dead giveaway that the root user actually does exist and wasn't renamed, for example, like many do for a bit of extra security.

Also, the first stackoverflow link is exactly about the root user, so faking is not even an issue here.

The issue is that in the default installation the default user uses an authentication plugin that many connectors don't support. I don't know what can be done here, short of reverting MDEV-26715.

Comment by Vladislav Vaintroub [ 2023-12-04 ]

I assume it will be fixed one way or another, once there is some new default authentication plugin as described in MDEV-32618, and once users start complaining.
