Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 5.5.31
-
Fix Version/s: 5.5.32
-
Component/s: None
-
Labels:None
-
Environment:Linux
Description
MySQL includes a connection option MYSQL_ENABLE_CLEARTEXT_PLUGIN since 5.5.27. The problem is that some other projects does quite dummy check at a time they want to use it, like mysql-connector-odbc-5.2.5-src/driver/connect.c:259 does:
#if (MYSQL_VERSION_ID >= 50527 && MYSQL_VERSION_ID < 50600) || MYSQL_VERSION_ID >= 50607
MariaDB-5.5.31 doesn't include such connection option in its header file, which makes it incompatible from the mysql-connector-odbc-5.2.5 POV – the connector basically does not compile with mariadb-5.5.x.
If there is a reason why mariadb doesn't include MYSQL_ENABLE_CLEARTEXT_PLUGIN, it should be at least properly documented in the header file.
Gliffy Diagrams
Attachments
Issue Links
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
I understand the reason and agree with including it just for compatibility reasons. The question is if it really is a NOP – we should just ensure that specifying it during connection won't break anything.
Okay, let's add it for compatibility reasons, but it won't do anything.
The reason is — but we don't use MySQL's "cleartext" plugin. It is only useful for MySQL closed source PAM plugin. And that plugin has incomplete PAM implementation, that only allows pam modules to ask for a password.
Our PAM plugin uses "dialog" plugin, and implements PAM fully, supporting any number of arbitrary prompts and questions. See https://kb.askmonty.org/en/pam-authentication-plugin/ and http://blog.mariadb.org/security-with-two-step-verification/