Preface
 
    Connection security is one of the most important safety strategies we should consider. Storing a plaintext password in the my.cnf file for the client to use when connecting to a MySQL server is bad practice. What can we do to make this safer?
 
Introduction
 
    Since version 5.6, MySQL has provided a method called "login-path", which lets a client log in to a MySQL server using only the "--login-path" parameter. Note that login-path depends on the program "mysql_config_editor", which ships with the main MySQL programs, most probably in the "/usr/local/mysql/bin" directory. First, use it to set a login path name (which is also a group name); the ".mylogin.cnf" file is then created, containing user, password, host, port, socket and so forth. The password in the ".mylogin.cnf" file is shown as asterisks (e.g. password=*****). Afterwards, MySQL clients have safer authentication credentials for logging in to MySQL servers.
 
Procedure
 
example
 
usage
 mysql_config_editor [program options] [command [command options]]
Parameter
  -#, --debug[=#]     This is a non-debug version. Catch this and exit.
  -?, --help          Display this help and exit.
  -v, --verbose       Write more information.
  -V, --version       Output version information and exit.

Variables (--variable-name=value)
and boolean options {FALSE|TRUE}  Value (after reading options)
--------------------------------- ----------------------------------------
verbose                           FALSE

Where command can be any one of the following :
       set [command options]     Sets user name/password/host name/socket/port
                                 for a given login path (section).
       remove [command options]  Remove a login path from the login file.
       print [command options]   Print all the options for a specified
                                 login path.
       reset [command options]   Deletes the contents of the login file.
       help                      Display this usage/help information.

Create a login path named "3306".
 [root@zlm1 :: ~]
#mysql_config_editor set --login-path= -h127.0.0. -P3306 -uroot -p
Enter password:
[root@zlm1 :: ~]
#
Check the contents of login path.
 [root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = ***** -- Several asterisks are shown here instead of the plaintext password.
host = 127.0.0.1
port =
Check the config file in user home directory.
 [root@zlm1 :: ~]
#ls -la|grep mylogin.cnf
-rw------- root root Jun : .mylogin.cnf
[root@zlm1 :: ~]
#cat .mylogin.cnf -- All the contents of the ".mylogin.cnf" file have been encrypted.
[root@zlm1 :: ~]
#Xshell
Connect Server with client program by login path.
 [root@zlm1 :: ~]
#mysql --login-path=
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is
Server version: 5.7.-log MySQL Community Server (GPL)

Copyright (c) , , Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@127.0.0.1: [(none)]>
Connect Server with client program by login path.

 [root@zlm1 :: ~]
#mysql --login-path=#
ERROR (): Access denied for user 'root'@'localhost' (using password: NO)
[root@zlm1 :: ~]
#mysql_config_editor --print all
mysql_config_editor: [ERROR] unknown option '--print'
[root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = *****
host = 127.0.0.1
port =
[#]
user = root
password = *****
host = 127.0.0.1
port =
 Remove a login path.

 [root@zlm1 :: ~]
#mysql_config_editor remove --login-path=#
[root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = *****
host = 127.0.0.1
port =
 Special characters such as "#", "¥", "%", etc. are not supported.

 [root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p###
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-#'
[root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p$$$
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-3'
[root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p%%%
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-%'
 Summary

  • login-path is a safer method for logging in to MySQL.
  • Note that the characters in the password must conform to the MySQL password rules.
  • In the past, we usually put those parameters (host, port, user, password, etc.) in /etc/my.cnf to avoid typing them repeatedly, but that is really not safe.
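
A check that follows from the summary, added here as an example and not part of the original post: it flags option files that still carry a plaintext password and verifies that the login-path file keeps the owner-only mode seen in the "ls -la" listing above. The function names are hypothetical and the sample files are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "file:line:[section]" for each non-empty plaintext password entry in a
# MySQL option file. The password value itself is never printed.
find_plaintext_passwords() {
    awk -v f="$1" '
        /^[ \t]*[#;]/ { next }    # comment line
        /^[ \t]*\[/   { section = $0; gsub(/[ \t]/, "", section); next }
        /^[ \t]*password[ \t]*=[ \t]*[^ \t]/ { printf "%s:%d:%s\n", f, NR, section }
    ' "$1"
}

# Succeed only if the login-path file exists and group/other have no access,
# i.e. the mode column of "ls -l" reads like the "-rw-------" shown above.
login_file_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: audit_mysql_client_config LOGIN_FILE OPTION_FILE...
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_mysql_client_config() {
    login_file=$1; shift
    problems=0
    for cnf in "$@"; do
        [ -r "$cnf" ] || continue
        hits=$(find_plaintext_passwords "$cnf")
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/PLAINTEXT PASSWORD: /'
            problems=$((problems + 1))
        fi
    done
    if [ -f "$login_file" ] && ! login_file_is_private "$login_file"; then
        echo "LOGIN FILE NOT PRIVATE: $login_file"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample data: an option file with a plaintext password and a
# login-path file whose mode was loosened to 644.
demo=$(mktemp -d)
printf '[client]\nuser = root\npassword = S3cret\n# password = old\n' > "$demo/my.cnf"
: > "$demo/.mylogin.cnf"; chmod 644 "$demo/.mylogin.cnf"
audit_mysql_client_config "$demo/.mylogin.cnf" "$demo/my.cnf" || echo "audit failed"
rm -rf "$demo"
```

On a real host the call would be, for instance, audit_mysql_client_config ~/.mylogin.cnf /etc/my.cnf ~/.my.cnf, run as the account that owns the login file.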
 
