Skip navigation links

MySQL Forums :: Proxy :: Connection pooling trouble with multiple users


Advanced Search

Re: Connection pooling trouble with multiple users
Posted by: Jan Kneschke ()
Date: August 27, 2007 05:35AM

The clear-text password is _never_ transfered in the authentication phase. Which is good security-wise, but bad for letting the proxy authenticate a connection with the server.

On the network we have:
* client connects to server (no data)
* server sends a seed (40 char, one-time, random)
* client sends 40 char hash of (seed + PASSWORD(clear-text-password))
* server compares against the hash(seed + SELECT password FROM mysql.user WHERE username = <username>)

That way we never have the password as clear-text on the wire. (only in SET PASSWORD or GRANT statements).

That means if we want to authenticate client <-> proxy and in a second step proxy <-> server, the proxy needs at least the PASSWORD(clear-text-password) to auth against the server. As this can't be extracted from the HASH(seed + PASSWORD(...)) that the client sends, we need it somewhere in a file in the proxy.

Now that we talk about it ... we could use a SUPER connection to steal the auth-data from the mysql.user table on some host. Something like a distribution lookup table:

user | PASSWORD(text) | host
jan | *747AC837... | 10.0.3.21

Ok, that's at least an idea. It isn't possible yet, but perhaps we can add the non-transparent mode soon.

--
Jan Kneschke, MySQL Enterprise Tools

Options: ReplyQuote


Subject Views Written By Posted
Connection pooling trouble with multiple users 4104 Jesper Juhl 08/24/2007 03:51AM
Re: Connection pooling trouble with multiple users 2513 Jan Kneschke 08/26/2007 09:04AM
Re: Connection pooling trouble with multiple users 2409 Jesper Juhl 08/27/2007 02:48AM
Re: Connection pooling trouble with multiple users 5598 Jan Kneschke 08/27/2007 05:35AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.