Re: Connection pooling trouble with multiple users
Posted by: Jan Kneschke
Date: August 27, 2007 05:35AM
The clear-text password is _never_ transfered in the authentication phase. Which is good security-wise, but bad for letting the proxy authenticate a connection with the server.
On the network we have:
* client connects to server (no data)
* server sends a seed (40 char, one-time, random)
* client sends 40 char hash of (seed + PASSWORD(clear-text-password))
* server compares against the hash(seed + SELECT password FROM mysql.user WHERE username = <username>)
That way we never have the password as clear-text on the wire. (only in SET PASSWORD or GRANT statements).
That means if we want to authenticate client <-> proxy and in a second step proxy <-> server, the proxy needs at least the PASSWORD(clear-text-password) to auth against the server. As this can't be extracted from the HASH(seed + PASSWORD(...)) that the client sends, we need it somewhere in a file in the proxy.
Now that we talk about it ... we could use a SUPER connection to steal the auth-data from the mysql.user table on some host. Something like a distribution lookup table:
user | PASSWORD(text) | host
jan | *747AC837... | 10.0.3.21
Ok, that's at least an idea. It isn't possible yet, but perhaps we can add the non-transparent mode soon.
Jan Kneschke, MySQL Enterprise Tools
Sorry, you can't reply to this topic. It has been closed.
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.