Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleartext authentication plugin support #327

Merged
merged 5 commits into from
Jun 3, 2015
Merged

Cleartext authentication plugin support #327

merged 5 commits into from
Jun 3, 2015

Conversation

joshuaprunier
Copy link
Contributor

Includes a new "allowClearPasswords" parameter. I have tested the changes with native, old and PAM authenticated accounts against Percona Server versions 5.1.73-14.12, 5.5.42-37.1 and 5.6.23-72.1

julienschmidt
julienschmidt reviewed May 2, 2015
View reviewed changes
README.md
@@ -123,6 +123,15 @@ Default: false
`allowAllFiles=true` disables the file Whitelist for `LOAD DATA LOCAL INFILE` and allows *all* files.
[*Might be insecure!*](http://dev.mysql.com/doc/refman/5.7/en/load-data-local.html)

##### `allowClearPasswords`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe allowCleartextPasswords instead? Might be a bit more descriptive

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion. That is more descriptive. I will update the references.

@joshuaprunier joshuaprunier mentioned this pull request May 19, 2015
Closed
dveeden
dveeden reviewed May 28, 2015
View reviewed changes
README.md
Valid Values: true, false
Default: false
```
`allowCleartextPasswords=true` allows the usage of the cleartext client side plugin. This can be insecure but is required by the [PAM authentication plugin](http://dev.mysql.com/doc/refman/5.5/en/pam-authentication-plugin.html).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should reference the 5.6 version of the docs?

What about recommending to use SSL/TLS when using CleartextPasswords?

Copy link

@xaprb xaprb May 29, 2015 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joshuaprunier
Copy link
Contributor Author

Thank you, good suggestions. I will update the documentation url.

@julienschmidt julienschmidt self-assigned this May 29, 2015
@julienschmidt
Copy link
Member

If possible, please also rebase to the current master/HEAD.

@joshuaprunier
Copy link
Contributor Author

All set, should be rebased with master now.

@julienschmidt
Copy link
Member

As @dveeden suggested, recommending TLS might be a good idea.
Otherwise LGTM now

@julienschmidt julienschmidt added this to the v1.3 milestone May 29, 2015
@joshuaprunier
Copy link
Contributor Author

  • EDIT - I changed the first sentence to try and be a little clearer that clear text is only used if the defined account requires it.

How about this? I included a slightly modified section from the cleartext plugin documentation.

allowCleartextPasswords=true allows using the cleartext client side plugin if required by an account, such as one defined with the PAM authentication plugin. Sending passwords in clear text may be a security problem in some configurations. To avoid problems if there is any possibility that the password would be intercepted, clients should connect to MySQL Server using a method that protects the password. Possibilities include SSL, IPsec, or a private network.

@julienschmidt
Copy link
Member

"TLS / SSL" instead of "SSL" and link it to #tls. Otherwise it looks good to me.

julienschmidt
julienschmidt reviewed Jun 3, 2015
View reviewed changes
README.md
Default: false
```

`allowCleartextPasswords=true` allows using the [cleartext client side plugin](http://dev.mysql.com/doc/en/cleartext-authentication-plugin.html) if required by an account, such as one defined with the [PAM authentication plugin](http://dev.mysql.com/doc/en/pam-authentication-plugin.html). Sending passwords in clear text may be a security problem in some configurations. To avoid problems if there is any possibility that the password would be intercepted, clients should connect to MySQL Server using a method that protects the password. Possibilities include [TLS / SSL] (http://dev.mysql.com/doc/en/ssl-connections.html#tls), IPsec, or a private network.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant [TLS / SSL] (#tls), so an anchor in the README.md 😉
But I'll change that after the merge.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes much more sense. Sorry about the confusion. Thank you for fixing it!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And thanks for the PR!

@julienschmidt
Copy link
Member

LGTM

julienschmidt added a commit that referenced this pull request Jun 3, 2015
@julienschmidt
Merge pull request #327 from joshuaprunier/master
b74a6b7 
Cleartext authentication plugin support
@julienschmidt julienschmidt merged commit b74a6b7 into go-sql-driver:master Jun 3, 2015
This was referenced Jun 3, 2015
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@julienschmidt julienschmidt

Labels
enhancement
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.
4 participants
@joshuaprunier @julienschmidt @xaprb @dveeden