MySQL 5.0 / 5.1 and doing away with "old style passwords"

Discussion in 'General Discussion' started by mtindor, Feb 14, 2012.

  1. mtindor

    mtindor Well-Known Member

    I've got a server running MySQL 5.1 that, when I upgraded it in the past, I left the Tweak Settings --> Use pre-4.1-style MySQL® passwords option turned on. And in my /etc/my.cnf on that server I have old-passwords=1.

    I can see that all of the users in mysql.users have 16-byte passwords. Obviously I'm wanting 41-byte passwords.

    What is the best / proper / suggested way to go about switching to the new password style on a cPanel server with many accounts [and sql users]?

    When you untick Tweak Settings --> Use pre-4.1-style MySQL® passwords, what exactly does cPanel do at that point?

    Mike
     
  2. mtindor

    My Password field in mysql.user is already char(41). If I remove old-passwords=1 from /etc/my.cnf and restart MySQL, everything seems to run fine.

    If I go into Tweak Settings and unselect Use pre-4.1-style MySQL® passwords, what exactly will this do? I haven't yet figured out what changes this will make.

    Mike
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    When enabled, this option adds the following entry to the /etc/my.cnf file on the machine:

    Code:
    old-passwords = 1
    Disabling the option will simply remove that line.

    Thank you.
     
  4. mtindor

    Easy enough. Looks like I'm good with MySQL then.

    Thanks Michael,

    Mike
     
  5. mtindor

    I'm trying to prepare for a move to PHP 5.3.

    Currently I'm running MySQL 5.1.56
    * not using old-passwords=1 (I removed this and restarted MySQL)
    * mysql.user has a password field length of 41 bytes long
    * password hashes currently in the table are 16 bytes long
    * only the test accounts I manually changed passwords on afterwards have 41-byte password hashes

    In order to migrate to PHP 5.3, do I need to manually go through and change the password of each user in mysql.user so that it has a 41-byte password hash? I know it's a good idea. It'd be a pain to manually go through each one of those, especially when many of the users are additional MySQL users created by various accountholders.

    If the actual _stored_ hash must be 41-bytes in order to work in PHP 5.3, is there an "easy" way to "convert" the 16-byte hashes into 41-byte hashes?

    Mike
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    I believe you are correct in your assessment, Mike. The presence of old-passwords = 1 allows the old style password hashing to be used during client authentication with MySQL. Removing that setting will cause authentication failures.

    To resolve this you'll need all users to reset their passwords, now that you have old-passwords = 1 removed from /etc/my.cnf.

    There is no easy way to convert from the old hash to the new one. Unless you do something like crack all the old passwords (I'm not recommending that). If you know the passwords, you could script the change.
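
Scripting the change for accounts whose passwords are known, as suggested in the reply above, could look like this. It is an added example, not part of the original posts and not cPanel's code; the function names and the `ROWS`/`KNOWN` sample data are constructed for illustration, and passwords are assumed to be UTF-8 encoded.

```python
import hashlib
import re

OLD_RE = re.compile(r"[0-9a-fA-F]{16}")     # pre-4.1 hash: 16 hex characters
NEW_RE = re.compile(r"\*[0-9A-Fa-f]{40}")   # 4.1+ hash: '*' plus 40 hex characters

def classify(stored):
    """Classify a mysql.user Password value by its format."""
    if OLD_RE.fullmatch(stored):
        return "old"
    if NEW_RE.fullmatch(stored):
        return "new"
    return "other"  # empty password or unrecognised value

def mysql41_hash(password):
    """'*' + uppercase hex of SHA1(SHA1(password)): the 41-character format."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def quote(value):
    """Quote a value as a SQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def plan(rows, known):
    """rows: (user, host, stored hash); known: {(user, host): cleartext}."""
    statements, needs_reset = [], []
    for user, host, stored in rows:
        if classify(stored) != "old":
            continue  # already 41-character, or not a hash we should touch
        cleartext = known.get((user, host))
        if cleartext is None:
            needs_reset.append((user, host))  # owner must reset it
        else:
            # Send the precomputed hash, so no cleartext reaches query logs.
            statements.append("SET PASSWORD FOR %s@%s = %s;" % (
                quote(user), quote(host), quote(mysql41_hash(cleartext))))
    return statements, needs_reset

# Constructed sample data (hypothetical account names, not from the thread).
ROWS = [
    ("acct_wp", "localhost", "0123456789abcdef"),
    ("acct_shop", "localhost", "fedcba9876543210"),
    ("acct_new", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]
KNOWN = {("acct_wp", "localhost"): "password"}

if __name__ == "__main__":
    statements, needs_reset = plan(ROWS, KNOWN)
    print("\n".join(statements), "\nmanual reset needed:", needs_reset)
```

Accounts returned in the second list still hold a 16-character hash and will fail to authenticate once old-passwords = 1 is gone, so their owners have to set a new password themselves.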
     
  7. mtindor

    Kenneth,

    Thanks. I did manage to disable old-passwords=1 and manually change 90% of the main MySQL user accounts and subaccounts on my servers. Of course, four days later I had a customer complaining about not being able to log into their custom application -- which as it turns out is using old style passwords and password() for authentication in their scripts. I ended up adding old-passwords=1 back to that server. Of course I educated the customer about doing something about their ancient custom script and forewarned them that next week I'd remove old-passwords=1 again.

    At any rate, I wish I would have read more about PHP 5.3 and mysqlnd -- specifically the part about short passwords only being a problem if you are using the mysqlnd driver. As long as I don't use mysqlnd, I don't have to get all passwords converted to 41-byte hashes before I upgrade to PHP 5.3.

    M
     