Edit report at http://bugs.php.net/bug.php?id=50815&edit=1

 ID:                 50815
 Updated by:         ahar...@php.net
 Reported by:        jd at cpanel dot net
 Summary:            Implement 323 short password hash fallback in
                     mysqlnd
 Status:             Wont fix
 Type:               Feature/Change Request
-Package:            *General Issues
+Package:            MySQL related
 Operating System:   any
 PHP Version:        5.3.1
 Assigned To:        mysql
 Block user comment: N

 New Comment:

Fix up the package to make this easier to search for.


Previous Comments:
------------------------------------------------------------------------
[2010-08-26 13:31:35] u...@php.net

We mysql guys have no plans to add old insecure password stuff to
mysqlnd. As it is assigned to us/me, I'm changing status to what shall
be status from our/my perspective: won't fix.

------------------------------------------------------------------------
[2010-03-03 16:57:40] chris at geartech dot org

I am running into this issue with mysqlnd as well; at my work we must
keep old passwords on a few daemons to ensure backwards compatibility
with proprietary software.  MySQL's website (checking the 5.1 & 5.5
documentation) doesn't have the old password format deprecated in the
newer versions, it's merely discouraged.



While I agree that it is an insecure format and deprecating/removing
support of it would be ideal, it seems like support for this
password scheme will exist in (major) future versions.

------------------------------------------------------------------------
[2010-01-21 19:17:49] jd at cpanel dot net

I'd agree with you there.  They should be using the long hashes.  The
problem is when you have a system that's been in place for a very long
time and the passwords haven't ever changed.  The short hashes are still
in the user table and the existing libmysqlclient happily connects with
them.  For some users this makes switching to mysqlnd a very difficult
process.  You need to force all of these old accounts to reenter their
passwords so they can be rehashed.



The main point is that if it's insecure to the point where it's worth
breaking backward compatibility, why do the latest versions of
libmysqlclient continue to provide this functionality?  The short hashes
in the user table are the security problem, not the ability to send them
from the client side, right?

------------------------------------------------------------------------
[2010-01-21 19:07:00] johan...@php.net

The old hashing algorithm was insecure, which means passwords could be
guessed with little effort. Additionally the last MySQL Server version
which depended on this format is 4.0, which is out-of-support by MySQL
(see http://www.mysql.com/about/legal/lifecycle/ ) since 2006 (extended
support for customers ended 2008-09).



Why do you need an insecure auth mechanism?

------------------------------------------------------------------------
[2010-01-21 18:57:50] jd at cpanel dot net

Description:
------------
This is a wishlist item.  We've found it impossible to use the mysqlnd
driver for the PHP MySQL extension since it does not support the 323
style short password hash fallback that the normal libmysqlclient
handles during authentication.  This means that any mysql users that
were added while short password hashes were in use have to change their
passwords to long hashes before connecting is possible.



Most likely, this is what bug 44082 was encountering.  There are several
other reports of this problem outside the PHP BTS.



The only reference to this limitation I see in the official description
of mysqlnd is "The MySQL native driver for PHP does not support the
MySQL Server 4.0 or earlier."  (
http://dev.mysql.com/downloads/connector/php-mysqlnd/ )  This is
misleading since the 323 short password hashes work fine using
libmysqlclient with MySQL 4.1+.



------------------------------------------------------------------------
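The thread's practical problem is finding out which accounts still carry a pre-4.1 ("323") short hash before switching to mysqlnd, since only those need a password reset. The following audit script is an added example, not code from this bug report, PHP, mysqlnd or MySQL. It assumes you have exported `SELECT User, Host, Password FROM mysql.user` as tab-separated text; the sample rows and hash values below are constructed. The format rules it relies on are MySQL's documented ones: `OLD_PASSWORD()` produces 16 hexadecimal digits, `PASSWORD()` on 4.1+ produces a `*` followed by 40 hexadecimal digits.

```python
import re

# Pre-4.1 OLD_PASSWORD() output: exactly 16 hexadecimal digits.
PRE41_SHORT = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)
# 4.1+ PASSWORD() output: '*' followed by 40 hexadecimal digits.
POST41_LONG = re.compile(r"^\*[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample export of `SELECT User, Host, Password FROM mysql.user`
# (tab-separated). The users and hash values are made up for illustration.
SAMPLE_USER_ROWS = (
    "legacy_app\tlocalhost\t1a2b3c4d5e6f7081\n"
    "reporting\t%\t*0123456789ABCDEF0123456789ABCDEF01234567\n"
    "batch\t10.0.0.%\tfedcba9876543210\n"
    "nobody\tlocalhost\t\n"
)


def classify_hash(value):
    """Return which MySQL hash format a mysql.user.Password value is in."""
    if value == "":
        return "empty"
    if PRE41_SHORT.match(value):
        return "pre41-short"
    if POST41_LONG.match(value):
        return "41-long"
    return "unknown"


def parse_user_rows(text):
    """Parse 'User<TAB>Host<TAB>Password' lines into dicts with a 'kind' field."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 tab-separated fields" % lineno)
        user, host, pw = parts
        rows.append({"user": user, "host": host, "kind": classify_hash(pw)})
    return rows


def accounts_needing_rehash(text):
    """Accounts still carrying a pre-4.1 short hash. These are the ones that
    cannot authenticate through a client lacking the 323 fallback and must
    have their password reset (and thus rehashed) before the migration."""
    return [(r["user"], r["host"])
            for r in parse_user_rows(text) if r["kind"] == "pre41-short"]


def summarize(text):
    """Count accounts per hash format, e.g. {'pre41-short': 2, '41-long': 1}."""
    counts = {}
    for r in parse_user_rows(text):
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_USER_ROWS))
    for user, host in accounts_needing_rehash(SAMPLE_USER_ROWS):
        print("needs password reset before mysqlnd migration: %s@%s" % (user, host))
```

Run it against a real export to get the list of accounts to contact; once every account is on the long format, nothing in the user table depends on the 323 fallback any more, and the server can be started with MySQL's `--secure-auth` option so that old-format authentication is refused outright rather than silently accepted.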