1566219 – MySQL long passwords aren't accepted on the command line when using sha256_password authentification plugin

Bug 1566219 - MySQL long passwords aren't accepted on the command line when using sha256_password authentification plugin

Summary: MySQL long passwords aren't accepted on the command line when using sha256_pa...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Red Hat Software Collections
Classification:	Red Hat
Component:	mysql
Sub Component:
Version:	rh-mysql57
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	3.4
Assignee:	Michal Schorm
QA Contact:	RHEL CS Apps Subsystem QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-11 19:32 UTC by Michal Schorm
Modified:	2020-01-20 00:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-12-02 12:19:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Michal Schorm 2018-04-11 19:32:41 UTC

When using:

  mysql -u user -pPASSWORD

MySQL server, if the password string provided is longer that 213 characters and set with sha256_password authentification plugin, will always return:

  ERROR 2000 (HY000): Unknown MySQL error

--

Reproducible on MySQL in RHSCL and Fedora.
MariaDB does not use sha256_password plugin.
RHEL6 is not affected, sha256_password was added since mysql 5.6

Reproducer:



mysql -u root -e "CREATE USER 'user'@'localhost' IDENTIFIED WITH sha256_password;"

mysql -u root -e "SET old_passwords = 2; SET PASSWORD FOR 'sha256u'@'localhost' = PASSWORD('1111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444444444444455555555555555555555555555555555555555555555555555123456');"

# 256 characters long password

mysql -u user -p1111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444444444444455555555555555555555555555555555555555555555555555123456

Comment 3 Joe Orton 2019-12-02 12:19:18 UTC

In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/

Comment 4 Michal Schorm 2020-01-20 00:04:53 UTC

This issue still exists in MySQL 8.0 version

However in MySQL 8.0 the 'sha256_password' authentication plugin has been deprecated in favor of 'caching_sha2_password' and it will be removed in future MySQL version.

https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/sha256-pluggable-authentication.html

Note You need to log in before you can comment on or make changes to this bug.