Bug 1820628 - RFE: Backport ability to authenticate to mariadb with auth_ed25519
Summary: RFE: Backport ability to authenticate to mariadb with auth_ed25519
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: python-PyMySQL
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Michal Schorm
QA Contact: Lukáš Zachar
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On: 1885641 1920596
Blocks: 1687309
TreeView+ depends on / blocked
Reported: 2020-04-03 13:31 UTC by Damien Ciabrini
Modified: 2021-05-18 16:12 UTC (History)
CC: 8 users

Fixed In Version: python-PyMySQL-0.10.1-2.module+el8.4.0+9657+a4b6a102
Doc Type: Enhancement
Doc Text:
.`python-PyMySQL` rebased to version 0.10.1

The `python-PyMySQL` package, which provides the pure-Python MySQL client library, has been updated to version 0.10.1. The package is included in the `python36`, `python38`, and `python39` modules. Notable changes include:

* This update adds support for the `ed25519` and `caching_sha2_password` authentication mechanisms.
* The default character set in the `python38` and `python39` modules is `utf8mb4`, which aligns with upstream. The `python36` module preserves the default `latin1` character set to maintain compatibility with earlier versions of this module.
* In the `python36` module, the `/usr/lib/python3.6/site-packages/pymysql/tests/` directory is no longer available.
Clone Of:
Environment:
Last Closed: 2021-05-18 16:12:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
  Github PyMySQL/PyMySQL pull 791 (closed): Add ed25519 auth support (last updated 2021-02-16 12:54:28 UTC)

Description Damien Ciabrini 2020-04-03 13:31:08 UTC
Description of problem:
PyMySQL is used in OpenStack by python services to connect to the mariadb database. Currently PyMySQL implements the default authentication protocol [1] to connect to the mariadb server, which is based on SHA-1.

To improve the security of its authentication phase, mariadb has developed an authentication plugin that doesn't rely on SHA-1 anymore but uses a derivative of ed25519 instead [2]. We've been asked in another bugzilla [3] to implement support for this authentication to connect to mariadb in our OpenStack clouds.

The support for auth_ed25519 is available in PyMySQL upstream [4], but it is pending a release of python-pynacl [5] upstream to land in PyMySQL.

This bugzilla is to request the inclusion of that review downstream ahead of time so that auth_ed25519 can be enabled and officially supported in our next OpenStack RHOSP 16.1, whose beta is currently targeted for end of May.


[1] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/
[2] https://mariadb.com/kb/en/authentication-plugin-ed25519/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1687309 
[4] https://github.com/PyMySQL/PyMySQL/pull/791
[5] https://github.com/pyca/pynacl/issues/573

Version-Release number of selected component (if applicable):
0.9.3

How reproducible:
Always

Steps to Reproduce:
1. create a user in the mariadb database with ed25519 authentication plugin enabled
2. try to connect to the db with user credentials with PyMySQL.

Actual results:
PyMySQL library won't negotiate the connection correctly, because mariadb will send an ed25519 challenge that is unknown to PyMySQL.

Expected results:
PyMySQL should be able to detect the ed25519 challenge and connect appropriately

Additional info:
I've proposed the same backport in RDO upstream already in https://github.com/rdo-common/python-PyMySQL/pull/1

Comment 1 Honza Horak 2020-05-12 09:28:24 UTC
(In reply to Damien Ciabrini from comment #0)
> This bugzilla is to request the inclusion of that review downstream ahead of
> time so that auth_ed25519 can be enabled and officially supported in our
> next OpenStack RHOSP 16.1, whose beta is currently targeted for end of May.

Thanks for reporting this. While this request generally makes sense to me and we really appreciate your direct involvement in the upstream, we need to sync on expectations here, because if you meant May 2020, it is not gonna happen unfortunately.

One reason is that I'm personally not in favour of including this into RHEL before it is approved and included in the upstream. Although there might be exceptions, that is a general rule that allows RHEL to be what it is.

Once it is approved/merged upstream, it will not be available in RHEL within a matter of weeks, unless there is an extra business justification to go with a z-stream release -- usually, we will aim for the next y-stream RHEL release, which means months.

Comment 2 Damien Ciabrini 2020-07-22 23:33:06 UTC
(In reply to Honza Horak from comment #1)
> (In reply to Damien Ciabrini from comment #0)
> > This bugzilla is to request the inclusion of that review downstream ahead of
> > time so that auth_ed25519 can be enabled and officially supported in our
> > next OpenStack RHOSP 16.1, whose beta is currently targeted for end of May.
> 
> Thanks for reporting this. While this request generally makes sense to me
> and we really appreciate your direct involvement in the upstream, we need to
> sync on expectations here, because if you meant may 2020, it is not gonna
> happen unfortunately.
>
> One reason is that I'm personally not in favour of including this into RHEL
> before it is approved and included in the upstream. Although there might be
> exceptions, that is a general rule that allows RHEL to be what it is.
> 

Understood, thanks for the explanation.

As a heads up, upstream just merged the support [1] and made a new release for it,
which has landed in rawhide [2] for what it's worth.


[1] https://github.com/PyMySQL/PyMySQL/pull/791
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1858478

Comment 7 Michal Schorm 2020-10-07 13:33:52 UTC
Hello,

we made a plan to rebase the PyMySQL in both "python36" and "python38" module streams.
That will fulfill your request.

For more info about the rebase, check the linked BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1885641

Comment 9 Michal Schorm 2020-10-19 06:37:54 UTC
(In reply to Honza Horak from comment #8)
> Michal, please, provide more details about this issue.

I prepared internally a testing version - rebase to the latest release.
I wrote tests for the new functionality. And when I tested the ed25519 authentication mechanism, I found out it can't be used ATM in RHEL, because we don't ship the package it requires.

The ed25519 functionality has been added by Damien Ciabrini <dciabrin> in a pull request the PyMySQL upstream merged.
  https://github.com/PyMySQL/PyMySQL/commit/73f977029e2c076719a7ea8d0c3df84cb44ebe7c

Damien introduced the requirement for libsodium libraries (PyNaCl package), which is necessary for the authentication mechanism to work.
The reasons why it couldn't be done any easier are well described here, on Damien's blog:
  https://dciabrin.net/posts/2020/09/connecting-to-mariadb-with-auth_ed25519-and-pymysql.html

TL;DR:
  The ed25519 authentication mechanism begins with 32 bytes of random data. MariaDB enhanced the ed25519 protocol, so a user password can be used instead of the 32 random bytes.
  That means that standard libraries and functions that already deal with ed25519 can't be re-used. And only libsodium offered convenient mathematical functions to implement the
  MariaDB way of ed25519 authentication.

---

From what I can say, I believe the ed25519 authentication mechanism is important for MariaDB users, since it is one of the most secure mechanisms.
As opposed to the default one MariaDB uses, which is even discouraged for some deployment cases.
  https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/
  Citation from above source:
    | It is not recommended to use the mysql_native_password authentication plugin for new installations that require high password security.
    | If someone is able to both listen to the connection protocol and get a copy of the mysql.user table, then the person would be able to use
    | this information to connect to the MariaDB server. The ed25519 authentication plugin is a more modern authentication plugin that provides
    | simple password authentication using a more secure algorithm.


Based on this, I strongly believe the pure possibility to use ed25519 in the newer PyMySQL release is an important enhancement and we should rebase to this version.
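
The derivation summarised in the TL;DR above, worked through in code. This is an added example written for this page; it is not PyMySQL's, MariaDB's or the commenter's code. PyMySQL's real implementation does the curve arithmetic with libsodium through PyNaCl (crypto_scalarmult_ed25519_base_noclamp and the crypto_core_ed25519_scalar_* functions); the toy affine-coordinate arithmetic below is an assumption made so the example runs offline with only the standard library, and it is neither constant-time nor suitable for production. Also assumed: the password is passed as raw bytes, the server's challenge is a constructed 32-byte scramble, and the stored hash is the unpadded base64 of the public key (43 characters, as the MariaDB ed25519 plugin documentation describes).

```python
"""MariaDB auth_ed25519, client and server side, in pure Python.

Added illustrative example, not PyMySQL's or MariaDB's own code. The curve
arithmetic is a textbook affine implementation (assumption: used only so the
example runs offline); real clients use libsodium via PyNaCl.
"""
import base64
import hashlib

# Ed25519 parameters (RFC 8032, section 5.1).
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, P - 2, P)) % P
I = pow(2, (P - 1) // 4, P)  # sqrt(-1) mod P


def _inv(x):
    return pow(x, P - 2, P)


def _add(p, q):
    """Twisted Edwards point addition in affine coordinates (a = -1)."""
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication; (0, 1) is the neutral element."""
    r = (0, 1)
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _encode(p):
    """32-byte little-endian y with the parity of x in the top bit."""
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decode(b):
    """Inverse of _encode; recovers x from y (RFC 8032, section 5.1.3)."""
    v = int.from_bytes(b, "little")
    sign, y = v >> 255, v & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("bad point")
    u, w = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * _inv(w) % P, (P + 3) // 8, P)
    if (w * x * x - u) % P:
        x = x * I % P
    if (w * x * x - u) % P:
        raise ValueError("not on curve")
    if (x & 1) != sign:
        x = P - x
    return x, y


B = _decode(((4 * _inv(5)) % P).to_bytes(32, "little"))  # base point


def derive_keypair(secret: bytes):
    """RFC 8032 section 5.1.5 key derivation applied to `secret`.

    Plain Ed25519 passes a 32-byte random seed here; MariaDB passes the
    password bytes instead. Returns (secret scalar, prefix, public key A).
    """
    h = hashlib.sha512(secret).digest()
    s = bytearray(h[:32])
    s[0] &= 248
    s[31] &= 63
    s[31] |= 64
    a = int.from_bytes(s, "little")
    return a, h[32:], _encode(_mul(a, B))


def mariadb_password_hash(password: bytes) -> str:
    """What ends up in mysql.user: base64(A) without '=' padding (43 chars)."""
    return base64.b64encode(derive_keypair(password)[2]).rstrip(b"=").decode()


def mariadb_ed25519_sign(password: bytes, scramble: bytes) -> bytes:
    """Client side: the 64-byte reply to the server's 32-byte scramble."""
    a, prefix, A = derive_keypair(password)
    r = int.from_bytes(hashlib.sha512(prefix + scramble).digest(), "little") % L
    R = _encode(_mul(r, B))
    k = int.from_bytes(hashlib.sha512(R + A + scramble).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")


def ed25519_verify(public_key: bytes, message: bytes, signature: bytes) -> bool:
    """Plain RFC 8032 verification: [S]B == R + [k]A. Nothing MariaDB-specific."""
    if len(signature) != 64:
        return False
    try:
        A, R = _decode(public_key), _decode(signature[:32])
    except ValueError:
        return False
    S = int.from_bytes(signature[32:], "little")
    if S >= L:
        return False
    k = int.from_bytes(hashlib.sha512(signature[:32] + public_key + message).digest(), "little") % L
    return _mul(S, B) == _add(R, _mul(k, A))


def server_accepts(stored_hash: str, scramble: bytes, reply: bytes) -> bool:
    """Server side: decode the stored public key and verify the client's reply."""
    return ed25519_verify(base64.b64decode(stored_hash + "="), scramble, reply)


if __name__ == "__main__":
    import os
    stored = mariadb_password_hash(b"secret")       # CREATE USER ... USING PASSWORD('secret')
    scramble = os.urandom(32)                       # sent by the server in the auth switch
    reply = mariadb_ed25519_sign(b"secret", scramble)
    print(stored, server_accepts(stored, scramble, reply))
```

The point of the TL;DR is visible in derive_keypair: give it a 32-byte random seed and it is ordinary RFC 8032 key generation; give it a password of any length and it is MariaDB's scheme. Signing and verification are untouched, which is why the server needs nothing special, but most Ed25519 APIs accept only a 32-byte seed and hash it internally, so a client cannot reuse them without the lower-level scalar and point operations that libsodium exposes. With a real server, the equivalent of the last four lines is `CREATE USER ... IDENTIFIED VIA ed25519 USING PASSWORD('secret')` followed by a normal pymysql.connect() on 0.10.1 with PyNaCl installed.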

Comment 23 Honza Horak 2021-02-16 17:32:12 UTC
Submitted a request to update pynacl to 1.4.0 in epel8: https://src.fedoraproject.org/rpms/python-pynacl/pull-request/4

Comment 37 errata-xmlrpc 2021-05-18 16:12:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python36:3.6 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1930

