Hi!
On Aug 10, Carsten H. Pedersen wrote:
> > http://www.mysql.com/doc/U/s/User_names.html
> > says:
> > >>>
> > MySQL encrypts passwords using a different algorithm than the one used
> > during the Unix login process. See the descriptions of the PASSWORD() and
> > ENCRYPT() functions in section 6.4.12 Miscellaneous Functions. Note
> > that even if the password is stored 'scrambled', and knowing your
> > 'scrambled'
> > password is enough to be able to connect to the MySQL server!
> > >>>
> >
> > How is that possible? Even if you do know someone's scrambled password,
> > when you connect to the MySQL server pretending to be that user, it will
> > ask you for their non-scrambled password. After you type it in,
> > the server
> > will scramble it and check that the scrambled value matches the scrambled
> > value stored in the database -- but you can't intercept that part of the
> > process and insert the "known scrambled" password to be checked.
> >
> > -Bennett
>
> The manual certainly *does* need a clean-up on this.
>
> ---
> 4.3.6 Setting Up Passwords:
> ...When the user jeffrey attempts to connect to the
> server using this password, the mysql client encrypts
> it with PASSWORD() and sends the result to the server.
> The server compares the value in the user table...
> ---
>
> Which would explain why knowing the encrypted password
> is enough to gain access to the server (you would, of
> course, need to write your own version of the mysql
> where you skip the PASSWORD call).
>
> However,
>
> ---
> 4.2.8 Access Control, Stage 1: Connection Verification
> ...The encrypted password is then used when the client/server
> is checking if the password is correct (This is done without
> the encrypted password ever traveling over the connection.) ...
> ---
>
> These two statements surely contradict each other.
>
> / Carsten
> --
> Carsten H. Pedersen
> keeper and maintainer of the bitbybit.dk MySQL FAQ
> http://www.bitbybit.dk/mysqlfaq
Thanks, for pointing this out.
Of course, the second statement is correct - MySQL authentification
protocol is designed to never send anything reusable (e.g. password)
over the wire.
We will fix the manual.
Regards,
Sergei
--
MySQL Development Team
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Sergei Golubchik <[EMAIL PROTECTED]>
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
/_/ /_/\_, /___/\___\_\___/ Osnabrueck, Germany
<___/
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
