Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

MySQL: add the option to force sending the password as plain text #18252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jafl wants to merge 4 commits into php:master
base: master
Choose a base branch
Loading
from jafl:mysql-aws-iam-token

Conversation

Copy link

@jafl jafl commented Apr 4, 2025
edited
Loading

The use case is authenticating to AWS RDS with an IAM token, which has to be sent in the clear.

  • This re-uses the pam authentication method
  • pdo_mysql: added option MYSQL_ATTR_SEND_CLEAR_PASSWORD
  • mysqlnd: implemented CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA option in order to send auth data longer than 255 bytes

This may solve #10800

devnexen reacted with thumbs up emoji 
* This re-uses the pam authentication method
* pdo_mysql: added option MYSQL_ATTR_SEND_CLEAR_PASSWORD
* mysqlnd: implemented CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA option in order to send auth data longer than 255 bytes
Copy link
Author

jafl commented Apr 4, 2025

Ideally, a similar option should be added to mysqli, but I'll wait with that until people have a chance to review this and decide whether it's the right approach.

@jafl jafl force-pushed the mysql-aws-iam-token branch from a0f9e24 to 93e6505 Compare April 5, 2025 02:57
@@ -68,7 +68,7 @@ mysqlnd_run_authentication(
memcpy(plugin_data, auth_plugin_data.s, plugin_data_len);
plugin_data[plugin_data_len] = '0円';

requested_protocol = mnd_pestrdup(auth_protocol? auth_protocol : MYSQLND_DEFAULT_AUTH_PROTOCOL, FALSE);
requested_protocol = mnd_pestrdup(mysql_flags & CLIENT_SEND_CLEAR_PASSWORD ? MYSQLND_CLEAR_PASSWORD_AUTH_PROTOCOL : (auth_protocol? auth_protocol : MYSQLND_DEFAULT_AUTH_PROTOCOL), FALSE);
Copy link
Member

@kamil-tekiela kamil-tekiela Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this really the correct place to set this? Why not set it where the function is called? auth_protocol is a parameter.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my other comment. There is no way to control the value of auth_protocol that is passed to this function from the PHP layer.

/*
This is a mysqlnd extension. CLIENT_IGNORE_SIGPIPE is not used anyway. We will reuse it for our case and translate it to forcing the mysql_clear_password protocol
*/
#define CLIENT_SEND_CLEAR_PASSWORD CLIENT_IGNORE_SIGPIPE /* Force plaintext password */
Copy link
Member

@kamil-tekiela kamil-tekiela Apr 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What exactly is this for? Can we not use CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sensible, default behavior of mysqlnd is to use the protocol requested by the server, which is mysql_native_password. This protocol is appropriate for authenticating with username & password.

However, AWS AuroraDB also supports sending an IAM token in place of a password, and this must be sent in the clear. The problem is that AuroraDB doesn't know which authentication method the client intends to use, so it always sends mysql_native_password, and it's up to the client to decide how to send the password data.

Thus, there needs to be a way force mysqlnd to send the password in the clear. That is why I introduced this flag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kamil-tekiela kamil-tekiela kamil-tekiela left review comments

@kocsismate kocsismate Awaiting requested review from kocsismate kocsismate is a code owner

@SakiTakamachi SakiTakamachi Awaiting requested review from SakiTakamachi SakiTakamachi is a code owner

@bukka bukka Awaiting requested review from bukka bukka is a code owner

Assignees
No one assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AltStyle によって変換されたページ (->オリジナル) /