
*: Avoid store plaintext password in mysql.user table. #304

Merged: 3 commits, Oct 7, 2015

Conversation

shenli (Member) commented Oct 4, 2015

Store hashed password.

```go
// DecodePassword turns the hex string stored in mysql.user back into the raw hash bytes.
func DecodePassword(pwd string) ([]byte, error) {
	x, err := hex.DecodeString(pwd)
	if err != nil {
		return []byte{}, errors.Trace(err)
	}
	return x, nil
}
```
Member (reviewer):

Why not just return nil instead of []byte{}?

Member Author:

PTAL

kevincox commented Oct 6, 2015

Shouldn't some salt be used? Or ideally a password hashing library so that someone with cryptographic knowledge can maintain the hashing.


```go
// CalcPassword is the algorithm convert hashed password to auth string.
// See: https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
// SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )
```
Member (reviewer):

It seems SHA1( SHA1( password ) ) should be SHA1( password ) in the comment?

Member Author:

In the comment "password" is the original password. Maybe I should change the name of the parameter.


shenli (Member Author) commented Oct 7, 2015

@kevincox The salt is random data generated for each client connection. The parameter scramble of the CalcPassword function in auth.go is the salt.
The MySQL client uses the server-generated salt and the password to calculate a cryptographic auth string. The server uses the same algorithm and checks whether its result is the same as the client's.

siddontang (Member):

LGTM

shenli added a commit that referenced this pull request Oct 7, 2015:
*: Avoid store plaintext password in mysql.user table.
shenli merged commit 85e96de into master Oct 7, 2015
shenli deleted the shenli/hash-password branch October 7, 2015 03:38
kevincox commented Oct 7, 2015

Ok, I see where the salt comes in but I'm still unconvinced about the overall system. It appears that there is no way to upgrade the hashes in the future and SHA1 is already getting chipped away at. Also three hashes on SHA1 is very very cheap so it won't do much to stop brute force attacks.
