MariaDB 10.3 password check incorrect. #413

Closed
plutocrat opened this issue Nov 21, 2018 · 5 comments

@plutocrat

Getting odd results with a MariaDB database. Some accounts are flagged as having no password, when in reality ALL of them do.

[!!] User 'xxxxxxxxxxxxxx@localhost' has no password set.
[!!] User 'yyyyyyyyyyyyyy@localhost' has no password set.
[!!] User 'mysql.sys@localhost' has no password set.
[!!] User 'root@localhost' has no password set.
[!!] User 'roundcubedb@localhost' has no password set.

$: mysql -e "SELECT User,Password,Host,authentication_string,account_locked FROM mysql.user;"

+------------------+-------------------------------------------+-----------+-----------------------+----------------+
| User             | Password                                  | Host      | authentication_string | account_locked |
+------------------+-------------------------------------------+-----------+-----------------------+----------------+
| root             | *10A70C84--------------------3C06BF639541 | localhost |                       | N              |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | localhost |                       | Y              |
| debian-sys-maint | *F7D1D195----------------------527B55B421 | localhost |                       | N              |
| roundcubedb      | *FE4A05113E4CA2F-------------------F7DBE2 | localhost |                       | N              |
| wwwwwwwwwwwwwwww | *A8D56850--------------------ECBF06E18A45 | localhost |                       | N              |
| yyyyyyyyyyyyyy   | *CE13249304----------------AC336872349866 | localhost |                       | N              |
| xxxxxxxxxxxxxx   | *5A7259BBA-----------------658762504ADE6E | localhost |                       | N              |
| zzzzzzzzzz       | *84C------------------------------184DE85 | localhost |                       | N              |
| UUUUUUUUUUUUU    | *99FA75---------------------------5734658 | localhost |                       | N              |
| VVVVVVVVVVVVVV   | *0A1444--------------------84DF64DC404C51 | localhost |                       | N              |
| TTTTTTTTT        | *46C993--------------------D6CA74B059AA09 | localhost |                       | N              |
+------------------+-------------------------------------------+-----------+-----------------------+----------------+

@plutocrat
Author

plutocrat commented Nov 21, 2018

Oh, more info. For the 5 accounts with false positives, the plugin field is set to "mysql_native_password".
So that probably explains why those 5 are differentiated. It doesn't explain why the password isn't detected in the Password field.

@plutocrat
Author

From the MariaDB website:
"When the plugin column is empty, MariaDB defaults to authenticating accounts with either the mysql_native_password or the mysql_old_password plugins. It decides which based on the hash used in the value for the Password column. When there's no password set or when the 4.1 password hash is used, (which is 41 characters long), MariaDB uses the mysql_native_password plugin. The mysql_old_password plugin is used with pre-4.1 password hashes, (which are 16 characters long).

MariaDB also supports the use of alternative authentication plugins. When the plugin column is not empty for the given account, MariaDB uses it to authenticate connection attempts. The specific plugin then uses the value of either the Password column or the authentication_string column to authenticate the user."
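
The rule quoted above, written as a check over mysql.user rows (an added example, not part of this thread and not mysqltuner's own code): it reads plugin, Password and authentication_string together and reports an account as passwordless only when neither column holds a hash. The row dicts, status labels and function names are assumptions, the sample hashes are constructed, and the 4.1 hash layout ('*' plus 40 hex digits of a double SHA-1) is standard MariaDB/MySQL behaviour rather than something stated on this page.

```python
import hashlib
import re

NATIVE_RE = re.compile(r"\*[0-9A-F]{40}")      # 4.1 hash: '*' + 40 hex = 41 characters
OLD_RE = re.compile(r"[0-9A-Fa-f]{16}")        # pre-4.1 hash: 16 characters
HASH_PLUGINS = {"", "mysql_native_password", "mysql_old_password"}

def native_hash(password):
    """Build a 4.1-style hash, used only to construct the sample rows."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(row):
    """Return (effective plugin, status) for one mysql.user row (a dict)."""
    plugin = row.get("plugin") or ""
    if plugin not in HASH_PLUGINS:
        return plugin, "external"  # not judged from the hash columns
    # Either column may hold the hash; with an empty plugin its length picks the default.
    cred = row.get("Password") or row.get("authentication_string") or ""
    effective = plugin or ("mysql_old_password" if len(cred) == 16
                           else "mysql_native_password")
    if not cred:
        return effective, "no password"
    pattern = OLD_RE if effective == "mysql_old_password" else NATIVE_RE
    return effective, "password set" if pattern.fullmatch(cred) else "unusable hash"

def passwordless(rows):
    """Accounts that really have no credential, as 'user@host' strings."""
    return [f"{r['User']}@{r['Host']}" for r in rows
            if classify(r)[1] == "no password"]

# Constructed rows modelled on the issue's output; real-looking hashes are generated here.
ROWS = [
    {"User": "root", "Host": "localhost", "plugin": "mysql_native_password",
     "Password": native_hash("constructed-1"), "authentication_string": ""},
    {"User": "mysql.sys", "Host": "localhost", "plugin": "mysql_native_password",
     "Password": "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE", "authentication_string": ""},
    {"User": "debian-sys-maint", "Host": "localhost", "plugin": "",
     "Password": native_hash("constructed-2"), "authentication_string": ""},
    {"User": "legacy", "Host": "localhost", "plugin": "",
     "Password": "0123456789abcdef", "authentication_string": ""},
    {"User": "authstr", "Host": "localhost", "plugin": "mysql_native_password",
     "Password": "", "authentication_string": native_hash("constructed-3")},
    {"User": "empty", "Host": "localhost", "plugin": "", "Password": "",
     "authentication_string": ""},
]

if __name__ == "__main__":
    print({r["User"]: classify(r) for r in ROWS}, passwordless(ROWS))
```

Only the constructed `empty` account is reported; the placeholder value on `mysql.sys` is 41 characters long but not hexadecimal, so it is classed as an unusable hash rather than a missing password.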

@danielmarschall

Does this solve your problem? #412

@jmrenouard
Collaborator

Hi,
I fixed #412; can you give us your feedback on this issue?

@jmrenouard
Collaborator

The password check is OK for me on mysqltuner 1.7.17.
