php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #50815 Implement 323 short password hash fallback in mysqlnd
Submitted: 2010-01-21 18:57 UTC Modified: 2012-10-29 08:10 UTC
Votes:10
Avg. Score:4.9 ± 0.3
Reproduced:9 of 9 (100.0%)
Same Version:8 (88.9%)
Same OS:6 (66.7%)
From: jd at cpanel dot net Assigned: mysql (profile)
Status: Wont fix Package: MySQL related
PHP Version: 5.3.1 OS: any
Private report: No CVE-ID: None
View Developer Edit
 [2010-01-21 18:57 UTC] jd at cpanel dot net 
Description:
------------
This is a wishlist item.  We've found it impossible to use the mysqlnd driver for the PHP MySQL extension since it does not support the 323 style short password hash fallback that the normal libmysqlclient handles during authentication.  This means that any mysql users that were added while short password hashes were in use have to change their passwords to long hashes before connecting is possible.

Most likely, this is what bug 44082 was encountering.  There are several other reports of this problem outside the PHP BTS.

The only reference to this limitation I see in the official description of mysqlnd is "The MySQL native driver for PHP does not support the MySQL Server 4.0 or earlier."  ( http://dev.mysql.com/downloads/connector/php-mysqlnd/ )  This is misleading since the 323 short password hashes work fine using libmysqlclient with MySQL 4.1+.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-01-21 19:07 UTC] johannes@php.net 
The old hashing algorithm was insecure, which means passwords could be guessed with little effort. Additionally the last MySQL Server version which depended on this format is 4.0, which is out-of-support by MySQL (see http://www.mysql.com/about/legal/lifecycle/ ) since 2006 (extended support for customers ended 2008-09).

Why do you need an insecure auth mechanism?
 [2010-01-21 19:17 UTC] jd at cpanel dot net 
I'd agree with you there.  They should be using the long hashes.  The problem is when you have a system that's been in place for a very long time and the passwords haven't ever changed.  The short hashes are still in the user table and the existing libmysqlclient happily connects with them.  For some users this makes switching to mysqlnd a very difficult process.  You need to force all of these old account to reenter their passwords so they can be rehashed.

The main point is that if it's insecure to the point where it's worth breaking backward compatability, why do the latest versions of libmysqlclient continue to provide this functionality?  The short hashes in the user table are the security problem, not the ability to send them from the client side, right?
 [2010-03-03 16:57 UTC] chris at geartech dot org 
I am running into this issue with mysqlnd as well; at my work we must keep old passwords on a few daemons to ensure backwards compatibility with proprietary software.  MySQL's website (checking the 5.1 & 5.5 documentation) doesn't have the old password format deprecated in the newer versions, it's merely discouraged.

While I agree that it is an insecure format and deprecating/removing support of it would be ideal, but it seems like support for this password scheme will exist in (major) future versions.
 [2010-08-26 13:31 UTC] uw@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2010-08-26 13:31 UTC] uw@php.net 
We mysql guys have no plans adding old insecure password stuff to mysqlnd. As it is assigned to us/me, I'm changing status to what shall be status from our/my perspective: won't fix.
 [2010-08-27 06:00 UTC] aharvey@php.net
-Package: *General Issues +Package: MySQL related
 [2010-08-27 06:00 UTC] aharvey@php.net 
Fix up the package to make this easier to search for.
 [2012-10-26 17:11 UTC] toddr at cpanel dot net 
If all MySQL 5 versions support this hashing scheme, Aren't you kinda overriding a 
user decision to enable short passwords on their MySQL server? It's also not clear 
when the failure happens what the problem is.
 [2012-10-26 17:18 UTC] toddr at cpanel dot net 
If you want to discourage use of the short password method, couldn't you just add 
a configure option to enable this and disable it by default?
 [2012-10-29 08:00 UTC] andrey@php.net 
There is no such thing as discouraging. It is about updating the credentials, so they are more secure. Just use SET PASSWORD and hash the password again.
 [2012-10-29 08:10 UTC] uw@php.net 
I second Andrey: won't fix, http://sqlhack.com/ .
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 19:01:29 2024 UTC