Support use of cleartext auth plugin #296

Open
gdw2 opened this issue Jul 2, 2018 · 15 comments

@gdw2

commented Jul 2, 2018

Steps to reproduce this issue

I don't expect anybody to try to reproduce this obscure issue -- I'm just looking for some general guidance.

I am attempting to connect to a database using the cleartext plugin and AWS IAM authentication, which I am assuming is bundled with the version of libmysql.dll that ships with Heidi. I'm attempting to run Heidi using something like:

set LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
C:\Users\gdw2\AppData\Local\Programs\HeidiSQL_9.5_Portable\heidisql.exe

Setting the environmental variable should be a substitute for using the mysql CLI option --enable-cleartext-plugin. The CLI works for me.

Current behavior

I get a traditional "Access Denied" popup error.

Expected behavior

Successful connection.

Possible solution

At this point, I'm just looking for a way to verify whether the cleartext plugin has successfully been loaded or what next steps are to debug this. Are there any application logs that I can look at?

@ansgarbecker

Collaborator

commented Jul 3, 2018

HeidiSQL does not support such options to be read from environment variables.

Instead, this should either be a checkbox option in the session manager, and perhaps another command line parameter for heidisql.exe. Or it could just be activated for all connections if that does not disturb other authentication mechanisms.

What then has to happen in HeidiSQL's libmysql calls is to add such a call:
mysql_options(FHandle, MYSQL_ENABLE_CLEARTEXT_PLUGIN, 1)

@gdw2

Author

commented Jul 3, 2018

@gdw2

Author

commented Jul 3, 2018

I called Embarcadero and begged for a free Delphi XE5 license so I could possibly contribute a patch for this, but alas, no dice. Please consider this a feature request.

@ansgarbecker

Collaborator

commented Jul 3, 2018

Yes, of course.
XE5 is outdated - I cannot recommend buying it. Lazarus is an interesting alternative, although HeidiSQL sources can't compile without tons of modifications.

@ansgarbecker

Collaborator

commented Apr 22, 2019

HeidiSQL v10.1 is shipped with an updated mysql_clear_password.dll, and I fixed the broken loading mechanism for plugins. So could you please check if the latest build still does not work with the cleartext plugin?

@ansgarbecker

Collaborator

commented May 26, 2019

No feedback for a month, so I'm closing this now.
If you have feedback just shout.

@chadwhitely

Contributor

commented Jun 10, 2019

I am attempting the exact scenario that gdw2 describes. According to the documentation on this page, it seems like the server must ask for the plugin to be invoked? However, the RDS server does not seem to perform that callback in order to invoke mysql_clear_password.dll. Additionally, setting the environment variable LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1 did not seem to help. I attempted to perform the whole operation via cmd using:

set LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN=1
"C:\Program Files\HeidiSQL\heidisql.exe" -n=0 -h=xxxx -u=xxxx -p="xxxx"

Edit 1:
I also realized above that you had "LIB" removed from some of it, so I tried this as well, to no avail:

set MYSQL_ENABLE_CLEARTEXT_PLUGIN=1
"C:\Program Files\HeidiSQL\heidisql.exe" -n=0 -h=xxxx -u=xxxx -p="xxxx"

PS - I am clamoring for this functionality because of how great a tool Heidi is. Please don't make me go back to mysql workbench........ Thank you for your hard work.

@ansgarbecker

Collaborator

commented Jun 11, 2019

@chadwhitely did you use the latest HeidiSQL build?

The documentation says the cleartext plugin must be explicitly enabled, to avoid inadvertent use:

To make inadvertent use of the mysql_clear_password plugin less likely, MySQL clients must explicitly enable it. This can be done in several ways:

  • Set the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to a value that begins with 1, Y, or y. This enables the plugin for all client connections.
  • The mysql, mysqladmin, and mysqlslap client programs (also mysqlcheck, mysqldump, and mysqlshow for MySQL 5.6.28 and later) support an --enable-cleartext-plugin option that enables the plugin on a per-invocation basis.
  • The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis. Also, any program that uses libmysqlclient and reads option files can enable the plugin by including an enable-cleartext-plugin option in an option group read by the client library.

That environment variable is not read by HeidiSQL - I guess the library itself does not read environment variables, but rather expects the client to pass it.

HeidiSQL will need to enable the MYSQL_ENABLE_CLEARTEXT_PLUGIN option to support that. As this is a security issue, it should be a checkbox which the user explicitly has to check.

@ansgarbecker ansgarbecker changed the title Trying to use cleartext auth plugin Support use of cleartext auth plugin Jun 11, 2019

@ansgarbecker ansgarbecker added this to the v10.3 milestone Jun 11, 2019

@ansgarbecker ansgarbecker reopened this Jun 11, 2019
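
The opt-in discussed above, sketched at the wire level as an added example (not HeidiSQL or libmysql code): the server names the plugin in an AuthSwitchRequest, and the client answers with the password only if the user enabled cleartext auth. The TLS requirement, the function names and the sample packet are assumptions of this sketch.

```python
CLEARTEXT_PLUGIN = b"mysql_clear_password"


class AuthRefused(Exception):
    """Client-side policy declined to answer the server's auth switch."""


def split_packet(buf):
    """One MySQL wire packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(buf) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(buf[:3], "little")
    payload = buf[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return buf[3], payload


def parse_auth_switch(payload):
    """AuthSwitchRequest payload: 0xFE, NUL-terminated plugin name, plugin data."""
    if not payload or payload[0] != 0xFE:
        raise ValueError("not an AuthSwitchRequest")
    name, sep, data = payload[1:].partition(b"\x00")
    if not sep:
        raise ValueError("plugin name is not NUL-terminated")
    return name, data


def make_packet(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def answer_auth_switch(buf, password, enable_cleartext=False, tls_active=False):
    """Return the client's reply packet, or raise AuthRefused."""
    seq, payload = split_packet(buf)
    plugin, _ = parse_auth_switch(payload)
    if plugin != CLEARTEXT_PLUGIN:
        raise AuthRefused("only mysql_clear_password is handled in this sketch")
    if not enable_cleartext:  # the per-session opt-in discussed in the thread
        raise AuthRefused("server asked for mysql_clear_password, but it is not enabled")
    if not tls_active:  # assumption of this sketch, not a libmysql rule
        raise AuthRefused("refusing to send the password over an unencrypted link")
    # The plugin's reply is the password itself, NUL-terminated.
    return make_packet(seq + 1, password.encode() + b"\x00")


# Constructed sample: the server's switch request, sequence id 2, no plugin data.
SAMPLE_SWITCH = make_packet(2, b"\xfe" + CLEARTEXT_PLUGIN + b"\x00")
```
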

@chadwhitely

Contributor

commented Jun 11, 2019

@ansgarbecker I have issued a pull request for what I think may be close to what is needed. No license here, so just working off of your examples. Hopefully it helps.

@chadwhitely

Contributor

commented Jun 12, 2019

Dang, it's not working. From what I understand, the dlls for using libmysql can only be compiled with a professional version. If I compile heidisql.exe with community edition and just replace the executable, will it utilize libmysql.dll? If so, I could figure out the fix and test it out later tonight. Also, any pointers would help.

@ansgarbecker

Collaborator

commented Jun 12, 2019

> From what I understand, the dlls for using libmysql can only be compiled with a professional version

No. Where the heck did you read that?

libmysql.dll in the HeidiSQL directory is just a fallback, and is already outdated, but working well on WinXP, where newer libs have problems. Primary library is libmariadb.dll. So, only if the latter one cannot be loaded or found for some reason, libmysql.dll is used. libmariadb.dll does not seem to support that. See this issue report.

So, as a HeidiSQL user, you should be able to delete libmariadb.dll to prefer libmysql.dll, or even copy a newer one from MySQL.

As a long term solution, I already had the idea of separating MySQL from MariaDB in the connection type dropdown. Once the user selects "MySQL over TCP/IP", HeidiSQL then would load libmysql, and "MariaDB over TCP/IP" would load libmariadb. This way I would be able to work around such growing incompatibilities between MySQL and MariaDB.

@chadwhitely

Contributor

commented Jun 13, 2019

I may have misinterpreted something from the forums. Ah well. New lead: I am unsure whether or not cleartext is working, as Aurora RDS requires SSL when using IAM authentication, but I cannot enable SSL without getting an error "No cipher match", similar to #594

@magnetik

commented Jun 18, 2019

Using latest Heidi, I'm now unable to connect to old mysql (using plaintext) servers. Can this be related to this?

@ansgarbecker

Collaborator

commented Jun 18, 2019

Did you activate "Enable clear text authentication" in the "Advanced" tab for your session?

@magnetik

commented Jun 19, 2019

[edit] nevermind, the problem was on my side and totally unrelated.
