Opened 11 years ago

Closed 8 years ago

#136 closed defect (fixed)

PHP 5.3 mysqlnd requires new-style passwords

Reported by: geofft
Owned by:
Priority: blocker
Milestone: Fedora 20
Component: sql
Keywords:
Cc:

Description (last modified by andersk)

The sql.mit.edu servers currently have old_passwords=1 set in the mysqld configuration for compatibility with MySQL 3.x and 4.x clients. The MySQL native driver in PHP 5.3 only knows how to deal with new-style passwords; this will probably bite us hard when we move to PHP 5.3 as part of upgrading to Fedora 13.

We'll need to either figure out if we can do the backward-compatible but insecure hack of making PHP clients able to use old-style passwords (disable the native driver? patch it?), or if we can drop support for MySQL clients that don't support new-style passwords, i.e., 4.0.x and below.

Change History (9)

comment:1 Changed 11 years ago by mitchb

  • Priority changed from blocker to minor

Fortunately for us, the F13 packages have not begun to build with the option that enables mysqlnd for any of the mysql, mysqli, or pdo-mysql extensions. As a result, they all still use the libmysql client library, which supports both types of passwords (as well as such niceties as SSL). So, while sql and scripts should probably figure out whether/when we can discontinue keeping the less secure compatibility passwords around, this doesn't pose an issue for the F13 upgrade.

comment:2 Changed 11 years ago by andersk

  • Description modified (diff)

comment:3 Changed 10 years ago by andersk

As far as I can see, we can just do this. The only reason we couldn’t just do this would be if someone was still using libmysqlclient 4.0.x or earlier against sql.mit.edu. MySQL 4.1 was certified production-ready in October 2004, and MySQL 4.0.x reached end-of-life on December 31, 2008. The current scripts servers have libmysqlclient 5.1.56.

comment:4 Changed 10 years ago by ezyang

  • Milestone set to Fedora 17

No change for Fedora 15, so we can punt it another year if we really wanted to...

comment:5 Changed 9 years ago by ezyang

  • Priority changed from minor to normal

comment:6 Changed 9 years ago by ezyang

  • Milestone changed from Fedora 17 to Fedora 19

mysqlnd is a subpackage in Fedora 16+, but you don't have to use it, so we can punt this issue again.

comment:7 Changed 8 years ago by achernya

  • Priority changed from normal to blocker

After years of delay, the changeover finally strikes. There's no php-mysql, only a php-mysqlnd in F19.

comment:8 Changed 8 years ago by quentin

Note that we will need to rehash passwords on sql.mit.edu before we can authenticate with mysqlnd, even after we change the flag to allow new-style passwords.

comment:9 Changed 8 years ago by achernya

  • Resolution set to fixed
  • Status changed from new to closed

Passwords have been rehashed.
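
The rehash mentioned in comment:8 applies only to accounts whose stored hash is still in the pre-4.1 format that old_passwords=1 produces. The following is an added example, not code from this ticket or from the sql.mit.edu service: it classifies stored hashes by format and lists the accounts that still need a new-style hash. It assumes the rows were exported with SELECT User, Host, Password FROM mysql.user; the sample rows and function names are constructed for illustration.

```python
import hashlib
import re

# Pre-4.1 ("old-style") hashes are 16 hex characters.
OLD_RE = re.compile(r"^[0-9A-Fa-f]{16}$")
# 4.1+ ("new-style") hashes are '*' followed by 40 hex characters.
NEW_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")


def new_style_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(stored: str) -> str:
    """Return 'old', 'new', 'empty' or 'unknown' for a mysql.user Password value."""
    if stored == "":
        return "empty"      # account with no password set
    if NEW_RE.match(stored):
        return "new"
    if OLD_RE.match(stored):
        return "old"        # mysqlnd cannot authenticate against this
    return "unknown"        # unexpected value, review by hand


def accounts_needing_rehash(rows):
    """rows: iterable of (user, host, password_hash) tuples."""
    return [(user, host) for user, host, pw in rows if classify(pw) == "old"]


# Constructed sample rows, not real account data.
SAMPLE_ROWS = [
    ("alice", "%", "5d2e19393cc5ef67"),
    ("bob", "%", new_style_hash("constructed-example-only")),
    ("carol", "localhost", ""),
    ("dave", "%", "565491d704013245"),
]

if __name__ == "__main__":
    for user, host in accounts_needing_rehash(SAMPLE_ROWS):
        print(f"{user}@{host}: old-style hash, password must be set again")
```

Both formats are one-way, so a 16-character hash cannot be converted in place: the account's password has to be set again while old_passwords is off.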
