For example, the "normal" way of connecting to MySQL from the command line would be like this:
# mysql -u<my_user> -p -h<server name>
Enter password:
OR
# mysql -u<my_user> -p<MYPassword> -h<server name>
In the first example you have to type your password at the prompt, which won't work for scripts. In the second example you have to hard-code the password into your script or pull it out of a variable, and either way it ends up on the command line, where anyone who can see what is running on the system can read it. This is bad from a security perspective.
Instead you can use a defaults file and reference the file to logon to MySQL like this:
mysql --defaults-file=location_of_my_default_file.cnf -h<server name>
The defaults file only needs to contain these three lines:
[client]
user=my_user
password='123#_BLABLA'
You can also add a line for host if you want to limit the file to only be used by one server.
If your password is going to have special characters like # then make sure it is surrounded by single quotes like the above example.
The problem with this is that the password is now stored in plain text, and the security team at your company is not going to like it. This is better than having it in the command line history and visible in the process list, but it is still too easy to discover. You could lock the permissions down so that only the root user can view it, so that in theory only people with root access can ever see it, but that may still let several teams view it and let indexing applications discover it easily.
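One way to create and check such a defaults file from a script, as an added example that is not from the original post. The function names (file_mode, write_defaults_file, check_defaults_file, mysql_checked) are hypothetical, and passwords containing a single quote or backslash are rejected rather than escaped:

```shell
# Added example. Helper names and paths are hypothetical, not from the post.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Write a [client] defaults file readable only by its owner.
# The password arrives on stdin, so it never shows up in argv or shell history;
# printf is a shell builtin, so no child process carries it either.
write_defaults_file() {
    file=$1
    user=$2
    IFS= read -r pw || return 1
    case $pw in
        *"'"* | *"\\"*) echo "quote or backslash in password: not handled" >&2
                        return 1 ;;
    esac
    (
        umask 077                 # file is created 0600 from the first byte
        rm -f -- "$file"          # do not inherit a looser mode from an old file
        # Single quotes keep '#' from being read as a comment, as the post advises.
        printf "[client]\nuser=%s\npassword='%s'\n" "$user" "$pw" > "$file"
    )
}

# Return 0 only if the file is a regular file (not a symlink), owned by the
# current user, with no group or other permission bits set.
check_defaults_file() {
    if [ -L "$1" ] || [ ! -f "$1" ] || [ ! -O "$1" ]; then
        return 1
    fi
    case $(file_mode "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Refuse to connect with a defaults file that other accounts could read.
# --defaults-file has to be the first option given to mysql.
mysql_checked() {
    cnf=$1
    shift
    check_defaults_file "$cnf" || { echo "unsafe defaults file: $cnf" >&2; return 1; }
    mysql --defaults-file="$cnf" "$@"
}
```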
In MySQL 5.6, a new feature was added to encrypt this file with mysql_config_editor.
From the manual (https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html):
The encryption used by mysql_config_editor prevents passwords from appearing in .mylogin.cnf as cleartext and provides a measure of security by preventing inadvertent password exposure. For example, if you display a regular unencrypted my.cnf option file on the screen, any passwords it contains are visible for anyone to see. With .mylogin.cnf, that is not true. But the encryption used will not deter a determined attacker and you should not consider it unbreakable. A user who can gain system administration privileges on your machine to access your files could decrypt the .mylogin.cnf file with some effort.
Here is how you would create the encrypted file:
mysql_config_editor set --login-path=my_encrypted_defaults_file.cnf --host=localhost --user=root --password
And then to use it:
mysql --login-path=my_encrypted_defaults_file.cnf
OR
mysql --login-path=my_encrypted_defaults_file.cnf -h<server name>
You won't be able to view the file at my_encrypted_defaults_file.cnf. This may be "good enough" to satisfy your security team but we can do even better by using GPG. I do something similar to what is described in this Percona blog post using GPG on my laptop. I will leave that for another blog post:
https://www.percona.com/blog/2016/10/12/encrypt-defaults-file/