MySQL 8.0.4 RC: Be careful when using auth_socket!

MySQL 8.0.4 RC: Be careful when using auth_socket!

The news from the latest MySQL 8.0.4 RC (Candidate edition) is indeed exciting. Unfortunately, for auth_socket plug-in users, the danger is waiting!

As early as November 2015, it was reported that authentication using sha256_password for auth_socket failed. This prevents users identified by the auth_socket plug-in from performing the default authentication method after SHA256 authentication. In MySQL 8.0.4 RC, default_authentication_plugin is changed to caching_sha2_password. I don't know if they have fixed this bug.

The source code for the test is downloaded from dev.mysql.com and compiled using the publish option. Some options are disabled to reduce the build time, set the path prefix, and ensure that the local OpenSSL library is used ::

Version = "$ (basename $ (pwd ))";
Prefix = "/home/ceri/opt/mysql/$ {version }";
Cmake.-DBUILD_CONFIG = mysql_release \
-DCMAKE_INSTALL_PREFIX: PATH = "$ {prefix }"\
-DMYSQL_DATADIR: PATH = "$ {prefix}/data "\
-DWITH_SSL: STRING = system \
-DWITH_ARCHIVE_STORAGE_ENGINE: BOOL = OFF \
-DWITH_EMBEDDED_SERVER: BOOL = OFF \
-DWITH_EXTRA_CHARSETS: STRING = ""\
-DWITH_FEDERATED_STORAGE_ENGINE: BOOL = OFF \
-DWITH_BLACKHOLE_STORAGE_ENGINE: BOOL = OFF \
-DWITH_BOOST = "./$ (find boost/-maxdepth 1-type d-not-name boost )"

After building and building a test, MySQL Sandbox is used to create a test instance and use the low_level_make_sandbox command to obtain some additional control. Then it is necessary to restore default_authentication_plugin because it is changed to mysql_native_password during installation:

$ Low_level_make_sandbox-d mysql-8.0.4-rc -- datadir_from = script \
-B ~ /Opt/mysql/mysql-8.0.4-rc-I 8.0-P 20804
$ Sed-Ei's/^ (default_authentication_plugin = mysql_native_password)/# \ 1/'my. sandbox. cnf

After the instance is started, I created a quick test case. This will install the auth_socket plug-in and create a user to use it to identify itself:

Mysql [localhost] {root} (none)> show global variables like 'default _ authentication_plugin ';
+ ------------------------------- + ----------------------- +
| Variable_name | Value |
+ ------------------------------- + ----------------------- +
| Default_authentication_plugin | caching_sha2_password |
+ ------------------------------- + ----------------------- +
1 row in set (0.00 sec)
Mysql [localhost] {root} (none)> install plugin auth_socket soname 'auth _ socket. so ';
Query OK, 0 rows affected (0.02 sec)
Mysql [localhost] {root} (none)> create user ceri @ localhost identified with auth_socket;
Query OK, 0 rows affected (0.04 sec)
Mysql [localhost] {root} (none)> grant all on *. * to ceri @ localhost;
Query OK, 0 rows affected (0.03 sec)

Unfortunately, when I try to connect through this new user, a familiar result-although interestingly, a new error message!

$./Use-uceri
ERROR 2000 (HY000): Unknown MySQL error

By using the 5.7 client (a handshake error), we can see the expected error message:

$ ~ /Opt/mysql/mysql_5.7.20/bin/mysql -- defaults-file =./my. sandbox. cnf-uceri
ERROR 2012 (HY000): Error in server handshake

Although there are many significant improvements and new features in MySQL 8.0.4 RC, any system using the auth_socket plug-in needs to ensure that they forcibly use default_authentication_plugin = mysql_native_password -- at least for now.

MySQL 8.0.4 RC released, with many highlights

This article permanently updates the link address: