11

I have MySQL proxy running and I have a Lua script with a read_auth() function; however, the passwords that are passed during authentication are hashed (as expected).

I require them in a format which I can work with and post onwards, so cleartext. Enabling the cleartext plugin on the MySQL client has no effect; I suspect that MySQL proxy is not demanding that the client send it in cleartext, so it defaults to hashing.

So basically: do you have any ideas on how I would be able to get the clear text authentication details within the read_auth() function of MySQL proxy?

Note: my end goal is to auth with LDAP; however, the only way I can get a password (hashed or not) is by actually binding to LDAP. It cannot be obtained by searching.

Marcus Hughes

1 Answer

8

The MySQL network protocol does not allow passwords to be sent in clear-text; all you could capture is the encrypted version.


However, if you are trying to send (from the client to the server) cleartext, the client side clear text plugin should work...

As of MySQL 5.5.27, to make inadvertent use of this plugin less likely, it is required that clients explicitly enable it. This can be done several ways:

  • Set the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to a value that begins with 1, Y, or y. This enables the plugin for all client connections.
  • The mysql, mysqladmin, and mysqlslap client programs support an --enable-cleartext-plugin option that enables the plugin on a per-invocation basis.
  • The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis. Also, any program that uses libmysqlclient and reads option files can enable the plugin by including an enable-cleartext-plugin option in an option group read by the client library.


Alternatively, there are a few other options to authenticate with LDAP. For example, you could use the PAM Authentication Plugin that will let you use any available PAM module to provide authentication services, and there is a pam_ldap module that is easy to configure.

You could also look into using roles and mapping the usernames to roles, so you would have a few roles with permissions and many usernames mapped to those roles. You can find further information on that here.

Tim
  • I am assuming the PAM authentication plugin can't be used with the proxy? – Marcus Hughes Feb 15 '17 at 09:02
  • PAM authentication requires the enterprise version of MySQL but there are a couple of open-source implementations. I don't see why it couldn't be used with proxy. I am traveling so I cannot quickly provide links. But if I were doing it and proxy was required I would use the roles method. – Tim Feb 16 '17 at 22:53
  • Just one other quick comment - is there no way you can handle this at the application level? Program your way out if you will... – Tim Feb 16 '17 at 23:01
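
What a proxy's read_auth() hook can observe under the default mysql_native_password challenge-response, compared with the reply sent when the server requests mysql_clear_password, as an added example that is not part of the original question, answer or comments. The function names are hypothetical, and the sample password and scrambles are constructed.

```python
import hashlib
import hmac

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password: str) -> bytes:
    # What the server keeps for mysql_native_password: SHA1(SHA1(password)).
    return sha1(sha1(password.encode()))

def native_response(password: str, scramble: bytes) -> bytes:
    # Client reply: SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password))).
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(scramble + sha1(stage1)))

def server_verify(response: bytes, scramble: bytes, stored: bytes) -> bool:
    # Server undoes the XOR with its stored hash, re-hashes, and compares.
    if len(response) != 20:
        return False
    candidate_stage1 = xor(response, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)

def cleartext_response(password: str) -> bytes:
    # mysql_clear_password reply: the password itself, NUL-terminated.
    return password.encode() + b"\x00"

def demo() -> dict:
    password = "constructed-example-password"  # constructed sample value
    stored = stored_hash(password)
    s1 = bytes(range(1, 21))   # constructed 20-byte scramble, connection 1
    s2 = bytes(range(21, 41))  # constructed 20-byte scramble, connection 2
    r1, r2 = native_response(password, s1), native_response(password, s2)
    return {
        "verifies": server_verify(r1, s1, stored),
        "replay_fails": not server_verify(r1, s2, stored),
        "responses_differ": r1 != r2,
        "password_in_native_reply": password.encode() in r1,
        "password_in_cleartext_reply": password.encode() in cleartext_response(password),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The native reply is bound to the per-connection scramble and contains no reusable password, so it cannot be forwarded to an LDAP bind; the cleartext reply can, which is why that plugin should only be used over an encrypted connection.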