Plaintext passwords - Githubissues

sysown / proxysql

High-performance MySQL proxy with a GPL license.

http://www.proxysql.com

GNU General Public License v3.0

6.06k stars 983 forks source link

Plaintext passwords #4471

Closed pipozzz closed 6 months ago

pipozzz commented 8 months ago

Hello, after migration to v2.6.0 are new created passwords stored in proxysql in plaintext only, since mysql 8 they have PASSWORD function deprecated, what is the best practise for generation and storing hashed passwords in proxysql? I didn't find this info in proxysql doc.

Thanks.

JavierJF commented 8 months ago

Hi @pipozzz,

thanks for the report, the documentation has been updated to reflect which one is the recommended procedure for importing MySQL 8 caching_sha2_passwords into ProxySQL, you can further read about it here:

https://proxysql.com/documentation/password-management/#import-caching_sha2_passwords

The page has been refreshed with further information about other passwords and recent deprecations. For further reading about the supported authentication methods and recent changes you can also refer to:

Hope this helps to solve your questions, I will leave this issue open in case the provided information requires further clarifications. Thanks!

pipozzz commented 8 months ago

Thank you very much for quick response. It helps a lot.

But I have additional question: Do you know some way for generation of this hash for password programatically ? e.g. in python, etc. I'm just looking for format/algorithm so I could generate it without touching/connecting to backend mysql server.

Thanks a lot !

renecannao commented 8 months ago

@JavierJF : just a though, maybe we can add a new function in SQLite for this. Maybe 2 functions, one for mysql_native_password and one for caching_sha2_password

JavierJF commented 8 months ago

Hi @pipozzz,

just to let you know that we have implemented the two functions in SQLite3 for ProxySQL, so, they will be available from the Admin interface. The details are in this PR which is still WIP. So, there will be a programmatic way to generating the hashes from ProxySQL itself, without relying in MySQL. The passwords stored in MySQL can also be replicated using these functions, without requiring access to MySQL if you know the following:

mysql_native_password: The clear text password.
caching_sha2_password: The clear text password and the salt used by MySQL for generating the password, you can see details on how to do that in the PR description.

pipozzz commented 8 months ago

Great! thanks a lot, I'll try it then

JavierJF commented 6 months ago

Since this was already released, and the documentation updated, I'm closing this issue. Thanks!