Community request: audit the PARSEC plugin
Hi all,
There is a new authentication plugin called PARSEC that is set to become the default authentication plugin in MariaDB soon (MDEV-32618 and MDEV-12320).
The current documentation for it can be found here:
https://mariadb.com/kb/en/authentication-plugin-parsec/
I personally think that using a single salt and sending it to the client could be a problem. I do not work in the security industry and the documentation has a few errors in it and pieces missing, so I'm unclear how certain things work.
I think the ext-salt requirements will likely add complications to load balancing scenarios and replication.
This is a request for anyone in the community to please audit this plugin before it becomes the default. Once it is the default, it will be difficult to change it.
Kind Regards
--
Andrew (LinuxJedi) Hutchings
Chief Contributions Officer
MariaDB Foundation
An update...
There have been discussions in the background around this. I would have preferred them to be in public; MariaDB Server development still has things to improve there. But...
Part of the confusion over the plugin was due to documentation issues. This has been slightly improved since then. I will say that I'm more confident that this plugin is the right direction.
That said, the documentation still needs work, and the plugin should still be externally audited. There is work going into making these things happen.
There are also some minor things that need to be corrected in code. The effort to make this the default is also delayed until a lot more testing can be done against third-party connectors to make sure no regressions happen.
That being said, please test (and break if you can) this plugin! We want to make this the best authentication plugin that we can.
Kind Regards
Andrew
On 14/10/2024 15:08, Andrew Hutchings wrote:
Hi all,
There is a new authentication plugin called PARSEC that is set to become the default authentication plugin in MariaDB soon (MDEV-32618 and MDEV-12320).
The current documentation for it can be found here:
https://mariadb.com/kb/en/authentication-plugin-parsec/
I personally think that using a single salt and sending it to the client could be a problem. I do not work in the security industry and the documentation has a few errors in it and pieces missing, so I'm unclear how certain things work.
I think the ext-salt requirements will likely add complications to load balancing scenarios and replication.
This is a request for anyone in the community to please audit this plugin before it becomes the default. Once it is the default, it will be difficult to change it.
Kind Regards
--
Andrew (LinuxJedi) Hutchings
Chief Contributions Officer
MariaDB Foundation
Currently, no third-party connectors support PARSEC, which is understandable since we haven’t made any efforts to publicize it. Therefore, there’s no need to test PARSEC against third-party connectors at this stage, as the outcome is already predictable. These third-party connectors include PHP, Connector/NET, MySQL Connector/JS, MySQL Python, Node.js, and several Go drivers.
In my opinion, it will take a long time before a new authentication method can become the default, especially since mainstream languages and popular drivers are not yet aware of it. An example of poor user experience is the rollout of MySQL 8.0's new authentication method, which was introduced before the community was fully prepared. This Stack Overflow thread https://stackoverflow.com/questions/49194719/authentication-plugin-caching-s... has 1.1 million views, highlighting the widespread confusion.
In specific environments where all components, including the GUI applications, are guaranteed to come from MariaDB, switching to the new default authentication method could happen sooner. However, in most cases, a more gradual approach is necessary.
________________________________________
From: Andrew Hutchings via developers <developers@lists.mariadb.org>
Sent: Wednesday, October 16, 2024 11:46 AM
To: MariaDB developers <developers@lists.mariadb.org>
Subject: [MariaDB developers] Re: Community request: audit the PARSEC plugin
An update...
There have been discussions in the background around this. I would have preferred them to be in public; MariaDB Server development still has things to improve there. But...
Part of the confusion over the plugin was due to documentation issues. This has been slightly improved since then. I will say that I'm more confident that this plugin is the right direction.
That said, the documentation still needs work, and the plugin should still be externally audited. There is work going into making these things happen.
There are also some minor things that need to be corrected in code. The effort to make this the default is also delayed until a lot more testing can be done against third-party connectors to make sure no regressions happen.
That being said, please test (and break if you can) this plugin! We want to make this the best authentication plugin that we can.
Kind Regards
Andrew
On 14/10/2024 15:08, Andrew Hutchings wrote:
Hi all,
There is a new authentication plugin called PARSEC that is set to become the default authentication plugin in MariaDB soon (MDEV-32618 and MDEV-12320).
The current documentation for it can be found here:
https://mariadb.com/kb/en/authentication-plugin-parsec/
I personally think that using a single salt and sending it to the client could be a problem. I do not work in the security industry and the documentation has a few errors in it and pieces missing, so I'm unclear how certain things work.
I think the ext-salt requirements will likely add complications to load balancing scenarios and replication.
This is a request for anyone in the community to please audit this plugin before it becomes the default. Once it is the default, it will be difficult to change it.
Kind Regards
--
Andrew (LinuxJedi) Hutchings
Chief Contributions Officer
MariaDB Foundation
participants (2)
- Andrew Hutchings
- Vladislav Vaintroub