7.1 Disable use of the mysql_old_password plugin

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The mysql_old_password plugin implements the pre-MySQL 4.1 password hashing and authentication scheme, a short, fast hash that has long been broken. The plugin is present in MariaDB but is not used by default. Steps should be taken to ensure that no passwords are created with this plugin and that clients cannot authenticate to the MariaDB server using it.

The old_passwords system variable controls whether the server produces mysql_old_password-style hashes (instead of the stronger mysql_native_password hashes) when a password is set, for example via PASSWORD() or SET PASSWORD. The secure_auth system variable, when enabled, makes the server reject client connections that use the mysql_old_password plugin, including logins to accounts whose stored hash is still in the old format.

Rationale:

The old hash is short and cheap to brute-force, so use of the mysql_old_password plugin risks disclosure of users' passwords. Because the old authentication exchange can be completed by a client that knows only the stored hash, it also permits Pass-the-Hash attacks.

Solution

If old_passwords is ON, add the following line to the [mariadbd] section in mariadb.cnf:

old_passwords=OFF

If secure_auth is OFF, add the following line to the [mariadbd] section in mariadb.cnf:

secure_auth=ON

Restart MariaDB.

Note that once secure_auth is ON, any account whose password is still stored as a pre-4.1 hash can no longer log in, and such a hash cannot be converted to the mysql_native_password format. Identify those accounts before the restart and set a new password for each of them.
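
The following queries are an added audit and remediation example; they are not part of the CIS audit text. They assume a MariaDB 10.4 or later server (where mysql.user is a view over mysql.global_priv and the Password column carries the hash for the mysql_native_password and mysql_old_password plugins), and use a hypothetical account 'legacy_app'@'localhost' and a placeholder password for the reset step.

```sql
-- Added example, not part of the CIS audit text. Assumes MariaDB 10.4+.

-- 1. Current server settings: expect old_passwords = OFF and secure_auth = ON.
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('old_passwords', 'secure_auth');

-- 2. Accounts that still carry a pre-4.1 hash. A mysql_old_password hash is
--    16 hex characters with no leading '*'; a mysql_native_password hash is
--    41 characters beginning with '*'. Older servers may expose the plugin
--    name directly, so both conditions are checked.
SELECT User, Host, plugin, Password
FROM mysql.user
WHERE plugin = 'mysql_old_password'
   OR LENGTH(Password) = 16;

-- 3. Correct the settings at runtime. Both variables are dynamic, but this is
--    not persistent: the mariadb.cnf change above is still required.
SET GLOBAL old_passwords = OFF;
SET GLOBAL secure_auth = ON;

-- 4. An old-format hash cannot be converted, so every account returned by
--    step 2 needs a fresh password stored under mysql_native_password.
--    'legacy_app'@'localhost' and the password are hypothetical placeholders.
ALTER USER 'legacy_app'@'localhost'
  IDENTIFIED VIA mysql_native_password USING PASSWORD('replace-with-new-secret');

-- 5. Re-run step 2: it should return no rows before the server is restarted
--    with secure_auth = ON, or those accounts will be locked out.
```

Run step 2 before enabling secure_auth on a production server: the query is the list of logins that will start failing, and each owner needs the new credential before the restart.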

Default Value:

old_passwords is OFF by default. secure_auth is ON by default.

See Also

https://workbench.cisecurity.org/benchmarks/12270