Hardening MySQL Security with login-path

 

Preface

 

    Connection security is one of the most important safety strategies to consider. Keeping a plaintext password in the my.cnf file for client connections to a MySQL server is not good practice. What can we do to connect more safely?

 

Introduction

 

    Since version 5.6, MySQL has provided a mechanism called "login-path", which lets a client log in to a MySQL server by passing only the "--login-path" parameter. Note that login-path depends on the "mysql_config_editor" program, which ships with MySQL and is most probably found in the "/usr/local/mysql/bin" directory. First, use it to set a login path name (also a group name); this creates the ".mylogin.cnf" file, which contains the user, password, host, port, socket and so forth. The password in the ".mylogin.cnf" file is shown as asterisks (e.g. password=****). Afterwards, the MySQL client has safer authentication credentials for logging in to MySQL servers.

 

Procedure

 

example

 

usage

mysql_config_editor [program options] [command [command options]]

 

Parameter

  -#, --debug[=#]     This is a non-debug version. Catch this and exit.
  -?, --help          Display this help and exit.
  -v, --verbose       Write more information.
  -V, --version       Output version information and exit.

Variables (--variable-name=value)
and boolean options {FALSE|TRUE}  Value (after reading options)
--------------------------------- ----------------------------------------
verbose                           FALSE

Where command can be any one of the following :
       set [command options]     Sets user name/password/host name/socket/port
                                 for a given login path (section).
       remove [command options]  Remove a login path from the login file.
       print [command options]   Print all the options for a specified
                                 login path.
       reset [command options]   Deletes the contents of the login file.
       help                      Display this usage/help information.

 

Create a login path named "3306".

[root@zlm1 19:17:01 ~]
#mysql_config_editor set --login-path=3306 -h127.0.0.1 -P3306 -uroot -p
Enter password: 

[root@zlm1 19:18:21 ~]
#

 

Check the contents of the login path.

[root@zlm1 19:18:32 ~]
#mysql_config_editor print --all
[3306]
user = root
password = ***** -- Asterisks are shown instead of the plaintext password.
host = 127.0.0.1
port = 3306

 

Check the config file in the user's home directory.

[root@zlm1 19:19:46 ~]
#ls -la|grep mylogin.cnf
-rw-------   1 root root      156 Jun 27 19:18 .mylogin.cnf

[root@zlm1 19:20:05 ~]
#cat .mylogin.cnf -- The entire contents of the ".mylogin.cnf" file are encrypted.
  
   
      ᑸ¨ƒˆK›巧- 2#[q- ¨ÿœ‰·t㼝«ɽ(žϿ欕鋳쾋  q ̓ ‰أ&¸ۑ Sن}uj—– 
                                                          ņZP‰ ַ1©ս¬ʨh±8
[root@zlm1 19:20:16 ~]
#Xshell

 

Connect to the server with the client program using the login path.

[root@zlm1 19:21:28 ~]
#mysql --login-path=3306
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.7.21-log MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@127.0.0.1:3306 [(none)]>

 

Connect to the server with the client program using the login path.

 

[root@zlm1 19:24:07 ~]
#mysql --login-path=#
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

[root@zlm1 19:24:17 ~]
#mysql_config_editor --print all
mysql_config_editor: [ERROR] unknown option '--print'

[root@zlm1 19:24:44 ~]
#mysql_config_editor print --all
[3306]
user = root
password = *****
host = 127.0.0.1
port = 3306
[#]
user = root
password = *****
host = 127.0.0.1
port = 3306

 

 Remove a login path.

 

[root@zlm1 19:25:12 ~]
#mysql_config_editor remove --login-path=#

[root@zlm1 19:27:09 ~]
#mysql_config_editor print --all
[3306]
user = root
password = *****
host = 127.0.0.1
port = 3306

 

 Special characters such as "#", "¥", "%", etc. are not supported.

 

[root@zlm1 19:47:13 ~]
#mysql_config_editor set --login-path=# -h127.0.0.1 -P3306 -uroot -p###
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-#'

[root@zlm1 19:49:10 ~]
#mysql_config_editor set --login-path=# -h127.0.0.1 -P3306 -uroot -p$$$
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-3'

[root@zlm1 19:49:21 ~]
#mysql_config_editor set --login-path=# -h127.0.0.1 -P3306 -uroot -p%%%
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-%'

 

 Summary

  • I'm afraid login-path is a safer method of logging in to MySQL.
  • Note that the characters of the password must conform to the MySQL password rules.
  • In the past, we usually put those parameters (host, port, user, password, etc.) in /etc/my.cnf to avoid typing them repeatedly, but it's really not safe.
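
A check that follows from the summary, as an added example that is not part of the original post: it reports where option files still hold a plaintext password (location only, never the value) and verifies that .mylogin.cnf has the owner-only mode seen in the directory listing above. The function names and the sample files built in demo are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit MySQL client credentials.

# Print "file:line" for each active password=<value> entry in the given option
# files; the value itself is never echoed. Returns 0 if any was found, else 1.
find_plaintext_passwords() {
    fpp_status=1
    for fpp_file in "$@"; do
        [ -r "$fpp_file" ] || continue
        if awk '/^[ \t]*password[ \t]*=[ \t]*[^ \t]/ { print FILENAME ":" FNR; n++ }
                END { exit !n }' "$fpp_file"; then
            fpp_status=0
        fi
    done
    return "$fpp_status"
}

# Return 0 if the login file has owner-only permissions (the -rw------- seen in
# the listing above), 1 if group/others have any access, 2 if it is missing.
mylogin_perms_ok() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c1-10)" in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: an option file with a plaintext password and a login
# file whose mode was loosened by mistake (placeholder values, not real ones).
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '[client]\nuser = root\n#password = old\npassword = Example-Only\n' \
        > "$demo_dir/my.cnf"
    : > "$demo_dir/.mylogin.cnf"
    chmod 644 "$demo_dir/.mylogin.cnf"
    find_plaintext_passwords "$demo_dir/my.cnf" && echo "plaintext password found"
    mylogin_perms_ok "$demo_dir/.mylogin.cnf" || echo ".mylogin.cnf is not owner-only"
    rm -rf "$demo_dir"
}

# With arguments, audit those option files and ~/.mylogin.cnf; otherwise run demo.
if [ "$#" -gt 0 ]; then
    find_plaintext_passwords "$@" && echo "move these credentials to a login path"
    mylogin_perms_ok "$HOME/.mylogin.cnf" || echo "~/.mylogin.cnf is missing or too open"
else
    demo
fi
```

MySQL's documentation describes the contents of .mylogin.cnf as obfuscated, so the owner-only file mode is what keeps the stored password away from other local users.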

 
