New feature: Pluggable authentication

ansgar posted 7 years ago in News
Starting with MySQL 5.5.7 or MariaDB 5.2, the server allows the client to authenticate via plugin. HeidiSQL now fully supports establishing such connections by providing an exported method called mysql_authentication_dialog_ask, which is automatically invoked by libmysql.dll if the server says so during the connection handshake.

Curious how that works? Here's a simple example:

1. Be sure to have the "plugins" directory in C:\Program files\HeidiSQL\, and the dialog.dll. This is done automatically when installing a newer beta build from the download page.

2. On your server, install the plugin "dialog.dll":
INSTALL PLUGIN three_attempts SONAME 'dialog.dll';

3. On your server, create a new user which authenticates via this plugin:
CREATE USER test_dialog IDENTIFIED VIA three_attempts USING 'SECRET';

4. That's it. Start HeidiSQL and try to connect with a wrong or empty password. libmysql calls Heidi's mysql_authentication_dialog_ask method which pops up the following dialog:

See also:
* MariaDB knowledge base article on pluggable authentication
* MariaDB: Improve Security with Two-Step Verification, an article by Sergei.
1 attachment(s):
  • pluggauth
guidobora posted 7 years ago
Dear anse
I tried to install plugin following the above procedures but I had the following error:
mysql> INSTALL PLUGIN three_attempts SONAME 'dialog.dll';
ERROR 1126 (HY000): Can't open shared library 'C:\Programmi\MySQL\MySQL Server 5.5\lib/plugin/dialog.dll' (errno: 2 )
What went wrong? Thanks in advance.
jfalch posted 7 years ago
I am not entirely certain, but it appears that the plugin three_attempts is really situated in the _server's_ lib\plugin\auth.dll with the mysql 5.5.20-win32 community download; thus, INSTALL PLUGIN three_attempts SONAME 'auth.dll' should succeed with MySQL 5.5 (cannot test this myself, sorry).

Also, there is no dialog.dll in this download; this is probably the _client_ extension that exists in Heidisql\plugins\ for libmysql/heidisql to successfully respond to a plugin based login attempt, but is not sufficient if the corresponding server plugin is not loaded.

No such plugin dll currently seems to exist in the mariadb-5.3.3-win32 server download.
ansgar posted 7 years ago
I read that mariadb and mysql plugins are not binary compatible, so my above example will only work on mariadb 5.2.10 and newer.
jfalch posted 7 years ago
I rather think that the current mysql and mariadb docs are not correct on this point. INSTALL PLUGIN yyy SONAME 'xxx' tells the server that the plugin yyy is to be found in the dynamic link library xxx, which (without path specified) must be in the server's lib/plugin directory. Unless a file named xxx really exists in this dir, you should get an error message "file not found", and this is indeed what I get with MariaDB 5.3.3 when I execute INSTALL PLUGIN three_attempts SONAME 'dialog.dll', since there exists no file named dialog.dll in MariaDB's lib/plugin/ directory (download as of today)... Should this be some kind of magic where using a non-existing file of a certain name indicates "builtin" or such? In this case I have failed to comprehend this trick...
jfalch posted 7 years ago
Oops. I just found that the MariaDB 5.2.10 release DOES contain a lib/plugin/dialog.dll which contains the plugins three_attempts and two_questions; 5.3.3 does not, for whatever reason. Sorry for that.
guidobora posted 7 years ago
I installed MariaDB 5.2.10 and it works fine. Thanks to all.
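
The server-side steps from the announcement, wrapped in the checks that pinpoint the ERROR 1126 reported in this thread, as an added example that is not part of the original posts or of HeidiSQL. It assumes an administrative session in the mysql command-line client, and that accounts using the built-in password check have an empty plugin column on the server versions discussed here.

```sql
-- Added example. The names three_attempts, dialog.dll and test_dialog
-- are taken from the steps in the announcement above.

-- 1. Where does the server look for plugin libraries? INSTALL PLUGIN
--    resolves the SONAME relative to this directory, so dialog.dll
--    must be present there on the *server* host.
SHOW VARIABLES LIKE 'plugin_dir';

-- 2. Which authentication plugins are already registered, and from
--    which library file was each one loaded?
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
  FROM information_schema.PLUGINS
 WHERE PLUGIN_TYPE = 'AUTHENTICATION';

-- 3. Register the plugin. If the file is missing from plugin_dir this
--    fails with ERROR 1126 and errno 2 (file not found), as reported
--    in the thread.
INSTALL PLUGIN three_attempts SONAME 'dialog.dll';

-- 4. Confirm that the plugin is ACTIVE and came from the expected file.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME = 'three_attempts';

-- 5. Create the test account and confirm which plugin authenticates it.
CREATE USER test_dialog IDENTIFIED VIA three_attempts USING 'SECRET';
SELECT user, host, plugin
  FROM mysql.user
 WHERE user = 'test_dialog';

-- 6. Audit: list every account that does not use the built-in password
--    check (assumption: built-in accounts have an empty plugin column).
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin IS NOT NULL AND plugin <> '';

-- 7. Remove the test account and the plugin once the test is finished,
--    so the test login does not stay enabled on the server.
DROP USER test_dialog;
UNINSTALL PLUGIN three_attempts;
```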
