
AWS RDS IAM authentication doesn't work because pma_password is truncated #16451

Closed
kamilhristov opened this issue Nov 2, 2020 · 4 comments · Fixed by #16452
Labels: Bug (a problem or regression with an existing feature), enhancement (a feature request for improving phpMyAdmin), good first issue, has-pr (an issue that has a pull request pending that may fix this issue; the pull request may be incomplete), help wanted

Comments

@kamilhristov (Contributor)

Is your feature request related to a problem? Please describe.

Currently, phpMyAdmin doesn't work with AWS RDS IAM authentication.

The problem is that the temporary token provided by AWS is bigger than 256 symbols.

https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/classes/Plugins/Auth/AuthenticationCookie.php#L337-L340

Describe the solution you'd like

It would be good if this limit could be changed from the config, and an error returned when the password exceeds the limit.

It is very confusing to silently trim the password.

Is there a reason to trim the password? Maybe don't trim the password at all?

@williamdes (Member)

Ref: https://sourceforge.net/p/phpmyadmin/bugs/4611/
Added by a4e8d00 "bug #4611 [security] DOS attack with long passwords"

cc @MauricioFauth @ibennetch

@williamdes williamdes added this to the 5.1.0 milestone Nov 2, 2020
@ibennetch (Member) commented Nov 2, 2020

Nice debugging work.

I'm not sure if there's some historical reason this was in place (I suspect that at one time, MySQL passwords were restricted to a particular length and I'm guessing that at the time phpMyAdmin implemented this limit to restrict the ability of an attacker to send a large password that would effectively DOS the server).

As a result, we probably should maintain a limit, but could raise it (perhaps to 1000 characters) and issue an error message instead of silently failing. I agree that this should be improved.
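An added example in PHP (not phpMyAdmin's own code) contrasting the silent truncation the issue describes with the explicit, configurable length check proposed above; the function names and the `$maxPasswordLength` setting are assumptions, and the token string is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. Helper names and the configurable
// limit ($maxPasswordLength) are assumptions made for illustration.

/** Mirrors the reported behaviour: anything past the limit is dropped silently. */
function truncatePassword(string $password, int $maxPasswordLength): string
{
    return substr($password, 0, $maxPasswordLength);
}

/**
 * Proposed behaviour: keep an upper bound (it still caps the work an
 * oversized request can cause downstream), but refuse the login with an
 * explicit error instead of altering the credential.
 */
function checkPasswordLength(string $password, int $maxPasswordLength): ?string
{
    // strlen() counts bytes, the quantity that bounds memory and cookie
    // size; run this before any expensive hashing or encryption step.
    if (strlen($password) > $maxPasswordLength) {
        return sprintf(
            'Password longer than the configured maximum of %d bytes was rejected.',
            $maxPasswordLength
        );
    }
    return null;
}

// Constructed stand-in for an RDS IAM token: a presigned-URL-style string
// well over 256 bytes (real tokens vary in length and content).
$token = 'rds-db-host:3306/?Action=connect&DBUser=app&'
       . str_repeat('X-Amz-Signature=abc', 20);

$limit = 256;

// Silent truncation: the credential sent to the server no longer matches
// the one AWS issued, so authentication fails with no hint as to why.
$sent = truncatePassword($token, $limit);
var_dump(strlen($token), strlen($sent), hash_equals($token, $sent));

// Explicit check: the user learns why login failed, and raising the
// configured limit lets the full token through unchanged.
var_dump(checkPasswordLength($token, $limit));
var_dump(checkPasswordLength($token, 1000));
```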

@ibennetch (Member)

Nice research there by @williamdes as well. Thanks.

@williamdes williamdes added Bug A problem or regression with an existing feature enhancement A feature request for improving phpMyAdmin good first issue help wanted labels Nov 2, 2020
@williamdes williamdes added this to Needs triage in issues via automation Nov 2, 2020
@williamdes williamdes added this to Triage zone in Enhancements via automation Nov 2, 2020
@williamdes williamdes moved this from Triage zone to Code base in Enhancements Nov 2, 2020
@williamdes williamdes moved this from Needs triage to High priority in issues Nov 2, 2020
@williamdes williamdes self-assigned this Nov 2, 2020
@williamdes williamdes added the has-pr An issue that has a pull request pending that may fix this issue. The pull request may be incomplete label Nov 2, 2020
williamdes added a commit to williamdes/phpmyadmintest that referenced this issue Nov 4, 2020
Signed-off-by: William Desportes <williamdes@wdes.fr>
williamdes added a commit to williamdes/phpmyadmintest that referenced this issue Nov 4, 2020
Signed-off-by: William Desportes <williamdes@wdes.fr>
issues automation moved this from High priority to Closed Nov 4, 2020
Enhancements automation moved this from Code base to Done Nov 4, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 5, 2021
@williamdes (Member)

Bump to 2000 chars in #18123
