Hardening MySQL Security with login-path
2024-09-25 11:27:45
Preface
Connection security is one of the most important security measures to consider. Storing a plaintext password in the my.cnf file for client connections to a MySQL server is bad practice. What can we do to connect more safely?
Introduction
Since version 5.6, MySQL has provided a mechanism called "login-path" that lets a client log in to a MySQL server using only the "--login-path" parameter. Note that login-path depends on the program "mysql_config_editor", which ships with the main MySQL programs, most probably in the "/usr/local/mysql/bin" directory. First, use it to set a login path name (also a group name); this creates the ".mylogin.cnf" file, which contains the user, password, host, port, socket and so forth. When the contents are printed, the password is shown as asterisks (e.g. password=*****). After that, the MySQL client has a safer authentication credential for logging in to MySQL servers.
Procedure
Example
Usage
mysql_config_editor [program options] [command [command options]]
Parameters
  -#, --debug[=#]     This is a non-debug version. Catch this and exit.
  -?, --help          Display this help and exit.
  -v, --verbose       Write more information.
  -V, --version       Output version information and exit.

Variables (--variable-name=value)
and boolean options {FALSE|TRUE}  Value (after reading options)
--------------------------------- ----------------------------------------
verbose                           FALSE

Where command can be any one of the following :
  set [command options]     Sets user name/password/host name/socket/port
                            for a given login path (section).
  remove [command options]  Remove a login path from the login file.
  print [command options]   Print all the options for a specified
                            login path.
  reset [command options]   Deletes the contents of the login file.
  help                      Display this usage/help information.
Create a login path named "3306".
[root@zlm1 :: ~]
#mysql_config_editor set --login-path= -h127.0.0. -P3306 -uroot -p
Enter password:
[root@zlm1 :: ~]
#
Check the contents of login path.
[root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = ***** -- Several asterisks are shown here instead of the plaintext password.
host = 127.0.0.1
port =
Check the config file in the user's home directory.
[root@zlm1 :: ~]
#ls -la|grep mylogin.cnf
-rw------- root root Jun : .mylogin.cnf
[root@zlm1 :: ~]
#cat .mylogin.cnf -- All the contents of the ".mylogin.cnf" file are encrypted.
(unreadable binary output)
[root@zlm1 :: ~]
#Xshell
Connect to the server with the client program using the login path.
[root@zlm1 :: ~]
#mysql --login-path=
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is
Server version: 5.7.-log MySQL Community Server (GPL)

Copyright (c) , , Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@127.0.0.1: [(none)]>
Connect to the server with the client program using the login path.
[root@zlm1 :: ~]
#mysql --login-path=#
ERROR (): Access denied for user 'root'@'localhost' (using password: NO)
[root@zlm1 :: ~]
#mysql_config_editor --print all
mysql_config_editor: [ERROR] unknown option '--print'
[root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = *****
host = 127.0.0.1
port =
[#]
user = root
password = *****
host = 127.0.0.1
port =
Remove a login path.
[root@zlm1 :: ~]
#mysql_config_editor remove --login-path=#
[root@zlm1 :: ~]
#mysql_config_editor print --all
[]
user = root
password = *****
host = 127.0.0.1
port =
Special characters such as "#", "¥", "%", etc. are not supported.
[root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p###
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-#'
[root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p$$$
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-3'
[root@zlm1 :: ~]
#mysql_config_editor set --login-path=# -h127.0.0. -P3306 -uroot -p%%%
mysql_config_editor: [ERROR] mysql_config_editor: unknown option '-%'
Summary
- login-path is a safer method of logging in to MySQL.
- Note that the characters of the password must conform to the MySQL password rules.
- In the past, we usually put those parameters (host, port, user, password, etc.) in /etc/my.cnf to avoid repeated typing, but that is really not safe.
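The summary's advice as a check, in an added example that is not part of the original post: it flags option files that still hold a plaintext password and verifies that the login file keeps the -rw------- mode shown in the "ls -la" output above. The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print "file:line" for every option-file line that stores a non-empty
# plaintext password. The value itself is never printed. Anchoring at the
# start of the line skips commented-out entries such as "#password=...".
find_plaintext_passwords() (
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*password[ \t]*=[ \t]*[^ \t]/ { printf "%s:%d\n", file, NR }
        ' "$f"
    done
)

# Succeed only if the login file is a regular file with mode 600.
# MYSQL_TEST_LOGIN_FILE is MySQL's override for the login file location.
# Exit status: 0 private, 1 wrong mode, 2 missing file or failed stat.
login_file_is_private() (
    f=${1:-${MYSQL_TEST_LOGIN_FILE:-$HOME/.mylogin.cnf}}
    [ -f "$f" ] || exit 2
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || exit 2
    [ "$mode" = "600" ]
)

# Run both checks against constructed files in a temporary directory.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    printf '[client]\nuser = root\npassword = S3cret-sample\n#password = old\n' \
        > "$d/my.cnf"
    printf '[client]\nuser = root\npassword =\n' > "$d/clean.cnf"
    : > "$d/.mylogin.cnf"
    chmod 644 "$d/.mylogin.cnf"
    echo "plaintext passwords:"
    find_plaintext_passwords "$d/my.cnf" "$d/clean.cnf"
    login_file_is_private "$d/.mylogin.cnf" || echo "login file mode is not 600"
    chmod 600 "$d/.mylogin.cnf"
    login_file_is_private "$d/.mylogin.cnf" && echo "login file is private"
)

demo
```

Point `find_plaintext_passwords` at /etc/my.cnf and ~/.my.cnf on client hosts. The mode check matters because anyone who can read .mylogin.cnf can use the login paths stored in it.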