mysql安全无密码登录_技术分享 | 安全地无密码登录 MySQL
有人說最好的密碼就是你不用記憶的。auth_socket 插件和 MariaDB 的 unix_socket 讓這種想法在 MySQL 上變成可能。
這兩個插件雖然不是新發布,但在 MariaDB 10.4 上 unix_socket 已經默認安裝,并且是身份驗證方法之一。
插件的安裝和使用
如上所述,這不是新功能,即使使用 Debian 團隊維護的 .deb 安裝包安裝 MySQL,也會創建 root 用戶,以便使用套接字身份驗證,對于 MySQL 和 MariaDB 都是如此:
root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers
Original-Maintainer: Debian MySQL Maintainers <pkg-mysql-maint@lists.alioth.debian.org>
安裝后,root 用戶驗證過程如下:
root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host | plugin | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket | |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)
與 MariaDB 相同:
10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
對于 Percona Server,來自官方 Percona Repo 的 .deb 軟件包還將 root 用戶身份驗證設置為 auth_socket。這是適用于 MySQL 8.0.16-7 和 Ubuntu 16.04 的 Percona Server 的示例:
root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'
Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host | plugin | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket | |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)
那么,為何如此神奇?該插件使用 SO_PEERCRED 套接字選項,來檢查 Linux 用戶是否于 MySQL 用戶匹配,以獲取有關運行客戶端程序的用戶信息。因此該插件只能在支持 SO_PEERCRED 選項的系統上使用,例如: Linux。 SO_PEERCRED 套接字選項允許檢索連接到套接字的進程 uid。然后,他可以獲取與 uid 關聯的用戶名。
vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'
由于 MySQL 不存在 'vagrant' 用戶,因此訪問被拒絕。讓我們創建用戶再次嘗試:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)
vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)
成功!!
現在,讓我們在 CentOS 7 上安裝的 Percona Server 版本 MySQL 8 上再試一試:
mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)
mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded
失敗了,原因是插件未加載:
mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)
讓我們在運行時添加插件:
mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)
mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket | ACTIVE | AUTHENTICATION | auth_socket.so | GPL |
48 rows in set (0.00 sec)
現在我們有了所需的一切。讓我們再試一次:
mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)
現在我們可以以操作系統用戶 "percona" 的身份登錄。
[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user | host | plugin | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket | |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)
再次成功!
問題:我可以嘗試以其他的系統用戶的身份使用 percona 登錄嗎?
[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'
不,你不能!
結論
MySQL 在多個方面都足夠靈活,其中之一就是身份驗證方法。正如我們在這篇文章中所看到的,依靠系統用戶可以在沒有密碼的情況下進行訪問。這在幾種情況下很有用,但僅提及一種情況:從 RDS / Aurora 遷移到常規 MySQL 并使用 IAM 數據庫身份驗證保持訪問而無需使用密碼。
總結
以上是生活随笔為你收集整理的mysql安全无密码登录_技术分享 | 安全地无密码登录 MySQL的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 在mysql中会话变量前面的字符是什么_
- 下一篇: linux mysql主主复制_MySQ