-
-
Notifications
You must be signed in to change notification settings - Fork 618
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not enable mysql_clear_password by default #1617
Comments
With the v3.0.0-rc.1 release that includes the support for cc @sidorares |
thanks for the ping, yeah wanted to review that before final release, after that its going to be more difficult to change api |
I don't think there is any expectation from this library to respect |
Looping in plugin users - @rathboma @silverbullettruck2001 - wdyt? |
What I see the main attack vector is dns poisoning and mysql honeypot server stealing passwords. What we discuss I guess is
sounds reasonable to me |
I agree with the above. Happy to put up a PR to tackle that, though would appreciate a pointer for (2) on where you'd like to see that in the code. For anything dealing with databases, given how sensitive the data that might live in it, having the mechanisms to connect start as secure as possible and then only weaken security at the user's request is important to me. |
Probably here: node-mysql2/lib/commands/auth_switch.js Line 59 in 0229368
add something along the lines of |
I'd be perfectly fine with having it be the library consumer who has to manually opt into using cleartext, and so they would have to deal with |
Hey all, I know I started the original PR that was merged to add cleartext support, but I agree with @MasterOdin that it makes sense for it to be disabled by default. If possible, could it be enabled in some way when instantiating the client on a connection-by-connection basis, rather than through an environment variable, or another static method? |
So as @sidorares suggested higher up the thread, adding a config parameter to mysql.createPool({
enableCleartextPlugin: true
...
})
// this would be amazing |
@MasterOdin would you be able to provide PR with this change?
|
Yeah, neither have I, without also configuring something like ldap alongside it. I agree the best option is to use
I think this is shouldn't be too bad, just haven't yet found time, hoping to at some point this week. |
sorry this has not received enough attention and I did release 3.0 in the end. I'll try to get the above functionality done and release as 3.1 |
probably depends on #1113 in order to be able to add e2e test |
#1552 added support for the
mysql_clear_password
auth plugin, but made it enabled by default. Per the manual docs on it:I would propose to make it disabled by default, and only enable it implicitly if the
LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN
environment variable is set to1
,Y
ory
(per the docs), or that a library consumer can add it themselves viaconfig.authPlugins
(following #1497 being merged to make it easy to reference).The text was updated successfully, but these errors were encountered: