MySQL 5.0 / 5.1 and doing away with "old style passwords"

[mtindor]

I've got a server running MySQL 5.1 that, when I upgraded it in the past, I left the Tweak Settings --> Use pre-4.1-style MySQL® passwords option turned on. And in my /etc/my.cnf on that servers I have old-passwords=1

I can see that all of the users in mysql.users have 16-byte passwords. Obviously I'm wanting 41-byte passwords.

What is the best / proper / suggested way to go about switching to the new password style on a cPanel server with many accounts [and sql users]?

When you untick Tweak Settings --> Use pre-4.1-style MySQL® passwords, what exactly does cPanel do at that point?

Mike

 

[mtindor]

My Password field in mysql.user is already char(41). If I remove old-passwords=1 from /etc/my.cnf and restart MySQL, everything seems to run fine.

If I go into Tweak Settings and unselect Use pre-4.1-style MySQL® passwords, what exactly will this do? I haven't yet figured out what changes this will make.

Mike

 

[cPanelMichael]

Hello

When enabled, this option adds the following entry to the /etc/my.cnf file on the machine:

old-passwords = 1

Disabling the option will simply remove that line.

Thank you.

 

[mtindor]

Easy enough. Looks like I'm good with MySQL then.

Thanks Michael,

Mike

 

[mtindor]

I'm trying to prepare for a move to PHP 5.3.

Currently I'm running MySQL 5.1.56
* not using old-passwords=1 (I removed this and restarted MySQL)
* mysql.user has a password field length of 41 bytes long
* password hashes currently in the table are 16 bytes long
* only the test accounts I manually changed passwords on afterwards have 41-byte password hashes

In order to migrate to PHP 5.3, do I need to manually go through and change the password of each user in mysql.user so that it has a 41-byte password hash? I know it's a good idea. It'd be a pain to manually go through each one of those, especially when many of the users are additional MySQL users created by various accountholders.

If the actual _stored_ hash must be 41-bytes in order to work in PHP 5.3, is there an "easy" way to "convert" the 16-byte hashes into 41-byte hashes

Mike

 

[cPanelKenneth]

I believe you are correct in your assessment, Mike. The presence of old-passwords = 1 allows the old style password hashing to be used during client authentication with MySQL. Removing that setting will cause authentication failures.

To resolve this you'll need all users to reset their passwords, now that you old-passwords = 1 removed from /etc/my.cnf.

There is no easy way to convert from the old hash to the new one. Unless you do something like crack all the old passwords (I'm not recommending that). If you know the passwords, you could script the change.

 

[mtindor]

Kenneth,

Thanks. I did manage to disable old-passwords=1 and manually change 90% of the main MySQL user accounts and subaccounts on my servers. Of course, four days later I had a customer complaining bout not being able to log into their custom application -- which as it turns out is using old style passwords and password() for authentication in their scripts. I ended up adding old-passwords=1 back to that server. Of course I educated the customer about doing something about their ancient custom script and forewarned them that next week I'd remove old-passwords=1 again.

At any rate, I wish I would have read more about PHP 5.3 and mysqlnd -- specifically the part about short passwords only being a problem if you are using the mysqlnd driver. As long as I don't use mysqlnd, I don't have to get all passwords converted to 41-byte hashes before I upgrade to PHP 5.3.

M