Virtualmin inserts into mysql.user, causing issues with password hashing method

Rather than using an SQL CREATE USER query, Virtualmin uses insert into user (with the mysql database active) when creating a user for a Virtualmin-managed database for a virtual server. This bypasses the default_authentication_plugin setting in the MySQL 8 config, and therefore uses the caching_sha2_password password hashing method instead of the server admin's mysql_native_password override. (Running CREATE USER manually uses the admin-specified password hashing method.)

The error that older clients (e.g. PHP prior to v7.4) get when attempting to connect to a Virtualmin-created database is "The server requested authentication method unknown to the client".

I'm running Virtualmin version 6.08.gpl on Ubuntu Linux 18.04.3.

Status: 
Fixed (pending)

Comments

Submitted by Ilia on Wed, 06/03/2020 - 10:19

Hi,

Thanks for the heads up.

I'm running Virtualmin version 6.08.gpl

First of all, you must upgrade to Virtualmin 6.09-3.

Note: If you don't see an update, check your /etc/apt/sources.list and that it actually has the correct links set for Virtualmin, which are software.virtualmin.com/vm/6/apt .

Additionally, you could apply the patch that fixes some other MySQL related issues by running the following commands:

curl https://raw.githubusercontent.com/virtualmin/virtualmin-gpl/master/feature-mysql.pl -o /usr/share/webmin/virtual-server/feature-mysql.pl
/etc/webmin/restart

Hello. Thanks for the speedy response. I am now running Virtualmin version 6.09.gpl on Ubuntu Linux 18.04.3.

I've reviewed the patch that you sent and it doesn't contain a fix for this issue. Specifically, there were some unrelated fixes to do with MariaDB and for "remote mysql modules".

Specifically, unlike for MariaDB which uses the correct create user statement, all MySQL-related code (regardless of version) inserts into mysql.user. All that differs between MySQL versions is which columns are inserted. CREATE USER is available in MySQL v5.0.2 and later, so I wonder if there is a reason why it is not used given that it is standard?
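The difference described in the report and in the comment above, as an added example that is not part of the thread or of Virtualmin's own code: the checks an administrator can run on a MySQL 8 server to see which authentication plugin the server would apply, to find accounts that ended up on caching_sha2_password, and to create or migrate an account with mysql_native_password through the standard statements. The account name 'vm_dbuser', the host 'localhost' and the password 'CHANGE_ME' are placeholders, not values from the page.

```sql
-- Added example (not from the bug report or from Virtualmin): auditing and
-- fixing the authentication plugin of database accounts on MySQL 8.
-- 'vm_dbuser', 'localhost' and 'CHANGE_ME' are placeholders.

-- 1. The plugin CREATE USER applies when no plugin is named explicitly.
--    A direct INSERT INTO mysql.user does not consult this setting.
SHOW VARIABLES LIKE 'default_authentication_plugin';

-- 2. Audit: accounts left on caching_sha2_password. These are the accounts
--    that older clients (e.g. PHP before 7.4) cannot authenticate against;
--    they fail with "The server requested authentication method unknown to
--    the client".
SELECT user, host, plugin
FROM mysql.user
WHERE plugin = 'caching_sha2_password'
ORDER BY user, host;

-- 3. Creating an account the standard way. CREATE USER honours
--    default_authentication_plugin, and the plugin can also be named
--    explicitly so the result does not depend on server configuration.
CREATE USER 'vm_dbuser'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'CHANGE_ME';

-- 4. Migrating an account that was written directly into mysql.user.
--    A stored hash cannot be converted from one plugin's format to another,
--    so the password has to be set again; ALTER USER rewrites the hash in
--    the mysql_native_password format and updates the plugin column.
ALTER USER 'vm_dbuser'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'CHANGE_ME';

-- 5. Confirm the account now carries the expected plugin.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'vm_dbuser' AND host = 'localhost';
```

Step 2 is the useful check after a Virtualmin upgrade: any account it lists was created without going through CREATE USER and needs the step 4 password reset before older clients can connect to it. Unlike a direct INSERT, neither CREATE USER nor ALTER USER needs a FLUSH PRIVILEGES afterwards, because the server updates its in-memory grant tables itself.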