MySQL Client Hash Authentication Patch
Previous chapters have alluded to the possibility of patching your MySQL command-line client to allow authentication using the password hash, rather than the password. This section describes how to apply a quick and dirty patch to the MySQL client source code to achieve this.
Note that following these directions will result in a MySQL client utility that can use only password hashes to authenticate — you won't be able to use the password!
These directions relate to the MySQL 4.0.x source tree, but should work with other, pre-4.1 versions. The client that ships with version 4.1 can be modified to allow this kind of authentication in a similar way, although the legacy and current authentication protocol code is split.
To apply the patch, in the file password.c in ibmysql, add the following function (save a backup of the file first!):
void get_hash(ulong *result, const char *password)
{
if( strlen( password ) != 16 )
return;
sscanf( password, "%08lx%08lx", &(result[0]), &(result[1]) );
return;
}
Now alter the scramble function by commenting out the line
hash_password(hash_pass,password);
Insert after the (now commented out) line
get_hash(hash_pass,password);
The start of your scramble function should now look like this:
char *scramble(char *to,const char *message,const char *password, my_bool old_ver) { struct rand_struct rand_st; ulong hash_pass[2],hash_message[2]; if (password && password[0]) { char *to_start=to; // hash_password(hash_pass,password); ...Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
