Add support for sha256_password #281

Closed
yukozh opened this issue Jun 26, 2017 · 13 comments

Comments

yukozh commented Jun 26, 2017

Since Azure will enforce sha256 soon, could you please add support for sha256_password? Or @elemount will help you implement this. He is working on supporting sha256_password for each MySQL client.

bgrainger (Member) commented

From the documentation:

To connect to the server using an account that authenticates with the sha256_password plugin, you must use either an SSL connection or an unencrypted connection that encrypts the password using RSA, as described later in this section.

I'll initially plan to support just SSL connections. That page doesn't explain how the client side plugin works, other than:

If an SSL connection is used, the password is sent as cleartext but cannot be snooped because the connection is encrypted using SSL.

Perhaps this means it just works the same as mysql_clear_password (in the protocol) and sha256_password is just a signal to the server on how to store the password?

yukozh commented Jun 26, 2017

This is a blocking issue: we have a plan to use MySqlConnector instead of the Oracle one in the Azure Database for MySQL service. But we have enforced sha256; without sha256 support, we cannot get our service to work with MySqlConnector.

yukozh commented Jun 26, 2017

BTW, could you please test not only the performance but also the stability? The Oracle one loses the connection sometimes and has a memory leak bug. That's one of the reasons to switch to yours.

elemount (Contributor) commented

Hi @bgrainger, the sha256_password plugin has two scenarios: 1. SSL enabled: it just works like clear password; this scenario only needs a little effort. 2. SSL not enabled: it will use the RSA mechanism. Described in the link https://dev.mysql.com/doc/refman/5.7/en/sha256-pluggable-authentication.html .

caleblloyd commented Jun 26, 2017

Here is a good Stack Overflow Post on RSA in .NET

In the unencrypted case, the client can optionally provide the server RSA public key locally. This would need a new connection string option such as SHA256 Password Public Key File.

bgrainger (Member) commented

If the consumer doesn't provide the server RSA public key, the connector library can request it by sending the single byte 01 during authentication. The server will then reply with the public key file. This SO answer gives an example of loading it (I haven't tested it).
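Putting the two scenarios from elemount's comment and the 0x01 public-key request above into runnable form, as an added example written for this page (it is not MySqlConnector's or PyMySQL's code): over TLS the client sends the NUL-terminated cleartext password; without TLS it sends a single 0x01 byte to ask for the server's RSA public key (unless a key file was configured), XORs the NUL-terminated password with the 20-byte scramble from the handshake, and encrypts the result with RSA-OAEP (SHA-1). It assumes the `cryptography` package; the scramble is constructed, the key pair is generated locally to stand in for the server, and all function names are mine.

```python
# Added example: client side of MySQL's sha256_password plugin, plus a
# stand-in server decrypt so the exchange can be checked offline.
# Assumes the `cryptography` package (pip install cryptography).
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SCRAMBLE_LEN = 20              # auth-plugin-data from the server handshake (8 + 12 bytes)
REQUEST_PUBLIC_KEY = b"\x01"   # client -> server: "send me your RSA public key"

# OAEP with SHA-1 for both the hash and MGF1 matches the server's
# RSA_PKCS1_OAEP_PADDING decrypt.
OAEP_SHA1 = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)


def xor_bytes(data: bytes, scramble: bytes) -> bytes:
    """XOR data with the scramble, repeating the scramble as needed (self-inverse)."""
    return bytes(b ^ scramble[i % len(scramble)] for i, b in enumerate(data))


def scramble_password(password: bytes, scramble: bytes) -> bytes:
    """NUL-terminate the password, then XOR it with the 20-byte handshake scramble.

    The trailing NUL is part of what gets XORed and encrypted; leaving it out is
    the kind of XOR-logic bug that makes the server reject the password.
    """
    if len(scramble) != SCRAMBLE_LEN:
        raise ValueError(f"scramble must be {SCRAMBLE_LEN} bytes, got {len(scramble)}")
    if b"\x00" in password:
        raise ValueError("password must not contain NUL")
    return xor_bytes(password + b"\x00", scramble)


def encrypt_scrambled_password(password: bytes, scramble: bytes, public_key_pem: bytes) -> bytes:
    """Encrypt the scrambled password with the server's RSA public key (PEM)."""
    public_key = serialization.load_pem_public_key(public_key_pem)
    # With a 2048-bit key and SHA-1 OAEP the payload may be at most 214 bytes;
    # encrypt() raises ValueError beyond that.
    return public_key.encrypt(scramble_password(password, scramble), OAEP_SHA1)


def client_auth_response(password: bytes, scramble: bytes, public_key_pem, ssl: bool) -> bytes:
    """Bytes the client sends in reply to the server's sha256_password auth request."""
    if ssl:
        return password + b"\x00"      # TLS protects it: cleartext, like mysql_clear_password
    if public_key_pem is None:
        return REQUEST_PUBLIC_KEY      # no key configured: ask the server for it first
    return encrypt_scrambled_password(password, scramble, public_key_pem)


def server_recover_password(ciphertext: bytes, scramble: bytes, private_key) -> bytes:
    """Stand-in for the server: decrypt, un-XOR, and strip the NUL terminator."""
    scrambled = private_key.decrypt(ciphertext, OAEP_SHA1)
    plain = xor_bytes(scrambled, scramble)   # XOR is its own inverse
    if not plain.endswith(b"\x00"):
        raise ValueError("missing NUL terminator after unscrambling")
    return plain[:-1]


def non_ssl_round_trip(password: bytes, scramble: bytes) -> bytes:
    """Run the full non-TLS exchange: 0x01 request, key reply, encrypted password, server decrypt."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    first = client_auth_response(password, scramble, None, ssl=False)
    if first != REQUEST_PUBLIC_KEY:          # step 1: client asks for the key
        raise RuntimeError("client should request the public key first")
    # step 2: the server answers with its PEM public key (public_pem stands in for that packet)
    ciphertext = client_auth_response(password, scramble, public_pem, ssl=False)
    # step 3: the server decrypts and unscrambles
    return server_recover_password(ciphertext, scramble, private_key)


if __name__ == "__main__":
    # Constructed scramble; a real one comes from the server's initial handshake packet.
    demo_scramble = bytes(range(0x41, 0x41 + SCRAMBLE_LEN))
    print(non_ssl_round_trip(b"correct horse battery staple", demo_scramble))
```

The 0x01 request is only safe when the key the server returns is the one you expect; a man-in-the-middle on the unencrypted link can substitute its own key, which is why the optional local key file caleblloyd mentions matters and why TLS remains the better option.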

bgrainger commented Jun 27, 2017

I've opened a PR that adds sha256_password support for SSL connections only (same as Connector/NET). @kagamine is this sufficient for your needs?

Supporting non-SSL connections requires RSA public-key encryption. I have some WIP code on my sha256-rsa branch but I wasn't able to get it working. EDIT: I found the bug and will just need to clean up the code before I can merge it.

bgrainger (Member) commented

if there's a bug in the XOR logic or something else

@elemount has opened PyMySQL/PyMySQL#583 which demonstrates how to write this code in Python.

yukozh commented Jun 27, 2017

We need both scenarios; if you need, @elemount will help you implement that.

bgrainger (Member) commented

@kagamine I just found the bug (and edited my previous comment); both scenarios (SSL and non-SSL) will be supported in MySqlConnector.

bgrainger added this to the 1.0 milestone Jun 27, 2017

bgrainger (Member) commented

Just updated PR #284 with sha256_password support for SSL connections and RSA public key encryption for non-SSL connections (requires MySQL Server with OpenSSL).

bgrainger (Member) commented

Shipped in 0.22.0.
