maria-developers team mailing list archive

Thread
Date

Re: 82d7e2094c8: MDEV-7598 Lock user after too many password errors

To: wlad@xxxxxxxxxxx
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Tue, 8 Jan 2019 21:05:56 +0100
Cc: maria-developers@xxxxxxxxxxxxxxxxxxx
In-reply-to: <006801d4a76d$76194b30$624be190$@mariadb.com>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Wlad!

On Jan 08, wlad@xxxxxxxxxxx wrote:
> 
> > 1. Space before "Value"
> > 2. Why 0 disables blocking? max_connect_errors doesn't have a
> > special 0 value.
> 
> Alright, I removed a special value 0 , and made 1 the minimal value,
> like max_connect_errors does, so it does not appear different from
> anything else and does not create any confusion, but let me explain
> the original intention, which was
> 
> 1. Zero performance overhead, if the option is not used.
> Without special value , there will be overhead in case of invalid
> password - extra scanning of the acl_users array (under mutex
> protection).
> 
> 2. No side-effects, if the option is not used. Technically, even if
> unlikely, if someone supplies 4294967295 of invalid passwords in a
> row, the account will be locked. It only takes 50 days, if connection
> attempt is made every millisecond.
> With special value account won't be blocked.

You could make 4294967295 a special value. It'll provide this
zero-overhead. It won't block after 4294967295 invalid passwords, but I
think it's not a big deal :)

> > > @@ -13305,6 +13370,8 @@ bool acl_authenticate(THD *thd, uint
> > com_change_user_pkt_len)
> > >        break;
> > >      case CR_AUTH_USER_CREDENTIALS:
> > >        errors.m_authentication= 1;
> > > +      if (thd->password && max_password_errors)
> > 
> > add && !mpvio->make_it_fail here (see how make_it_fail is set).
> 
> I added the condition, even if so far this condition is obsolete.
> mpvio->make_it_fail only produces CR_ERROR, not
> CR_AUTH_USER_CREDENTIALS.

No, mpvio->make_it_fail produces CR_ERROR if the authentication has
otherwise succeeded. Most probably mpvio->make_it_fail will produce
CR_AUTH_USER_CREDENTIALS. Because mpvio->make_it_fail means "pick some
random (kind of) user from the acl_users list and try to authenticate as
that user". Unless you've guessed the password of this random user,
you'll get CR_AUTH_USER_CREDENTIALS.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

Re: 82d7e2094c8: MDEV-7598 Lock user after too many password errors
From: Sergei Golubchik, 2019-01-04
Re: 82d7e2094c8: MDEV-7598 Lock user after too many password errors
From: wlad, 2019-01-08