
Support for authentication plugins #640




@dveeden dveeden commented Jan 11, 2015

Besides the default mysql_native_password there are more plugins available:

  • mysql_old_password (pre 4.1 passwords, support for it will be dropped in MySQL 5.7)
  • sha256_password (since 5.6?; more secure, and stores a salted sha256 hash in authentication_string instead of storing a non-salted SHA1 hash in the password field)
  • unix socket authentication
  • PAM authentication
  • Windows authentication
  • No login (similar to /usr/sbin/nologin)

This PR makes it possible to define users which are authenticated by an authentication plugin.

Possible improvements:

  • Support CREATE USER xxx IDENTIFIED WITH yyy USING zzz
  • It seems like MariaDB 10.x+ uses IDENTIFIED VIA instead of IDENTIFIED WITH
  • There is no good way to change the authentication plugin (See https://bugs.mysql.com/bug.php?id=67449 for details)
  • For sha256_password old_password=2 must be set if you call PASSWORD()
  • The authentication plugin is not loaded automatically

See also:
https://dev.mysql.com/doc/refman/5.7/en/authentication-plugins-available.html
https://mariadb.com/kb/en/mariadb/documentation/plugins/unix_socket-authentication-plugin/
https://mariadb.com/kb/en/mariadb/documentation/plugins/pam-authentication-plugin/


hunner commented Jan 15, 2015

Thanks! Could you squash this into a single commit, or multiple if that would be more apt?

This uses CREATE USER xxx IDENTIFIED WITH yyy

For tests:
 unix_socket is not loaded by default, so this might require:
 install plugin unix_socket soname 'auth_socket.so';

 The mysql_native_password plugin is available by default and
 allows you to also set a password.

dveeden commented Jan 17, 2015

I've squashed everything into one commit

hunner added a commit that referenced this pull request Jan 22, 2015
Support for authentication plugins
@hunner hunner merged commit bcb6150 into puppetlabs:master Jan 22, 2015
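
An added example, not part of this pull request or of the puppetlabs-mysql code base: one way to build the CREATE USER ... IDENTIFIED WITH statement discussed above so that a user, host or plugin name cannot alter the SQL, and so that a plugin that is not loaded is handled explicitly. The function name, the character-set patterns and the refusal of mysql_old_password are assumptions of this example.

```ruby
# Added example, not code from puppetlabs-mysql. Helper names are hypothetical.
IDENT    = /\A[A-Za-z0-9_]+\z/            # plugin names: plain identifiers only
ACCOUNT  = /\A[A-Za-z0-9_.%-]+\z/         # conservative user/host charset (assumption)
SONAME   = /\A[A-Za-z0-9_.]+\z/           # library file name, no path components
KEYWORDS = %w[WITH VIA].freeze            # VIA is the MariaDB spelling noted in the PR
REJECTED = %w[mysql_old_password].freeze  # pre-4.1 hashes; policy choice of this example

# Return the SQL statements needed to create a plugin-authenticated account.
# loaded:  plugin names already active on the server (e.g. taken from SHOW PLUGINS)
# sonames: plugin name => shared library, supplied by the caller
def plugin_user_sql(user, host, plugin, loaded:, sonames: {}, keyword: 'WITH')
  # \A and \z anchor the whole string, so an embedded newline cannot slip past.
  raise ArgumentError, "invalid user #{user.inspect}"       unless user.match?(ACCOUNT)
  raise ArgumentError, "invalid host #{host.inspect}"       unless host.match?(ACCOUNT)
  raise ArgumentError, "invalid plugin #{plugin.inspect}"   unless plugin.match?(IDENT)
  raise ArgumentError, "invalid keyword #{keyword.inspect}" unless KEYWORDS.include?(keyword)
  raise ArgumentError, "#{plugin} is refused by policy"     if REJECTED.include?(plugin)

  statements = []
  unless loaded.include?(plugin)
    # The plugin is not loaded automatically, so emit INSTALL PLUGIN first.
    soname = sonames[plugin]
    raise ArgumentError, "#{plugin} is not loaded and no library is known" if soname.nil?
    raise ArgumentError, "invalid soname #{soname.inspect}" unless soname.match?(SONAME)
    statements << "INSTALL PLUGIN #{plugin} SONAME '#{soname}'"
  end
  statements << "CREATE USER '#{user}'@'#{host}' IDENTIFIED #{keyword} #{plugin}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: only the default plugin is loaded on the server.
  puts plugin_user_sql('backup', 'localhost', 'unix_socket',
                       loaded: ['mysql_native_password'],
                       sonames: { 'unix_socket' => 'auth_socket.so' })
end
```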