© 2015 MariaDB Foundation

Passwordless login with unix auth_socket
Otto Kekäläinen
12.10.2015
MySQL User Group NL, Amsterdam
The old way

Password management is a pain

  ssh host1.example.com
  Password: XXX
  $ mysql -u root -p
  Password: XYZ

  ssh host1.example.com
  Password: ZZZ
  $ mysql -u root -p
  Password: ZYX

What if the sysadmin has 20 hosts to manage?
Automating passwords hurts even more

Example: Ansible scripts for a Galera cluster

  # Galera replicates the users table and nodes need to have the
  # same debian-sys-maint configs
  - name: update debian-sys-maint user
    mysql_user:
      name: debian-sys-maint
      password: "{{ galera_debian_sys_maint_password }}"
      priv: "*.*:ALL,GRANT"
      append_privs: yes
      host: localhost
      state: present

  # Update same debian-sys-maint configs for all nodes
  - name: update debian.cnf
    template:
      src: debian.cnf.j2
      dest: /etc/mysql/debian.cnf
      mode: 0600
      owner: mysql
      group: root

  - name: Create xtrabackup user and grant privileges
    mysql_user:
      name: xtrabackup
      password: "{{ galera_xtrabackup_password }}"
      priv: "*.*:RELOAD,LOCK TABLES,REPLICATION CLIENT,SUPER"
      append_privs: yes
      host: localhost
      state: present

  - name: update mysql root password for all root accounts
    mysql_user:
      name: root
      host: "{{ item }}"
      priv: "*.*:ALL,GRANT"
      password: "{{ galera_root_password }}"
    with_items:
      - "{{ inventory_hostname }}"
      - 127.0.0.1
      - ::1
      - localhost
    ignore_errors: True

Failing to sync the password configuration makes the node fail completely.
The irony

  ssh host1.example.com
  Password: XXX
  root$ mysql -u root -p
  Password: XYZ
  Mysqld: wrong password!
  root$ service mysql stop
  root$ scp -r /var/lib/mysql host2.example.com
  root$ rm -rf
  root$ echo "Revenge!" | wall
Goal: eliminate the root passwords

Yes, Debian/Ubuntu has two

  MariaDB [mysql]> select host,user,plugin from user;
  +-----------+------------------+--------+
  | host      | user             | plugin |
  +-----------+------------------+--------+
  | localhost | root             |        |
  | htpc      | root             |        |
  | 127.0.0.1 | root             |        |
  | ::1       | root             |        |
  | localhost | debian-sys-maint |        |
  +-----------+------------------+--------+

  $ cat /etc/mysql/debian.cnf
  # Automatically generated for Debian scripts. DO NOT TOUCH!
  [client]
  host     = localhost
  user     = debian-sys-maint
  password = z3tm0eLnX6k2fnvb
  socket   = /var/run/mysqld/mysqld.sock
  [mysql_upgrade]
  host     = localhost
  user     = debian-sys-maint
  password = z3tm0eLnX6k2fnvb
  socket   = /var/run/mysqld/mysqld.sock
  basedir  = /usr
unix_socket to the rescue!

  MariaDB [mysql]> install plugin unix_socket SONAME 'auth_socket';
  MariaDB [mysql]> grant usage on *.* to 'root'@'localhost' identified via unix_socket;
  MariaDB [mysql]> select host,user,plugin from user;
  +-----------+------------------+-------------+
  | host      | user             | plugin      |
  +-----------+------------------+-------------+
  | localhost | root             | unix_socket |
  | htpc      | root             |             |
  | 127.0.0.1 | root             |             |
  | ::1       | root             |             |
  | localhost | debian-sys-maint |             |
  +-----------+------------------+-------------+
unix_socket in action

  root$ mysql -u root
  Welcome to the MariaDB monitor.  Commands end with ; or \g.
  Your MariaDB connection id is 38
  Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2 (Ubuntu)

  user$ sudo mysql -u root
  Welcome to the MariaDB monitor.  Commands end with ; or \g.
  Your MariaDB connection id is 29
  Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2 (Ubuntu)

  MariaDB [(none)]>

unix_socket in action

  root$ mysql
  Welcome to the MariaDB monitor.  Commands end with ; or \g.

  root$ mysql -u root -psurelywrongpassword
  Welcome to the MariaDB monitor.  Commands end with ; or \g.

  root$ mysql -u somebodyelse
  ERROR 1045 (28000): Access denied for user 'somebodyelse'@'localhost' (using password: NO)
Caveat: logging in as root with a password from the local host (whichever host name is used) will stop working

  user$ mysql -u root -p
  Enter password:
  ERROR 1698 (28000): Access denied for user 'root'@'localhost'

  user$ mysql -u root -h 127.0.0.1 -p
  Enter password:
  ERROR 1698 (28000): Access denied for user 'root'@'localhost'
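An added audit script, written for these slides and not part of the original deck or of MariaDB's own tooling. It works on the same host/user/plugin rows the slides query from mysql.user (here a constructed sample in the tab-separated form that `mysql -BNe "SELECT host,user,plugin FROM mysql.user"` prints), reports which root accounts still authenticate by password, emits the GRANT from the "unix_socket to the rescue" slide for 'root'@'localhost', and separately lists the root rows on other hosts that the GRANT does not touch. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the slides: audit root accounts for unix_socket
# migration. Input rows are assumed to be tab-separated host, user, plugin,
# as produced by  mysql -BNe "SELECT host,user,plugin FROM mysql.user"
# (-B = batch/tab output, -N = no column-name header).

# Constructed sample mirroring the table on the slides, plus one account
# that has already been moved to unix_socket.
sample_user_table() {
    printf 'localhost\troot\t\n'
    printf 'htpc\troot\t\n'
    printf '127.0.0.1\troot\t\n'
    printf '::1\troot\t\n'
    printf 'localhost\tdebian-sys-maint\t\n'
    printf 'localhost\tbackup\tunix_socket\n'
}

# Root accounts reached over the local socket that still use password
# authentication (empty plugin column): the migration candidates.
# Only 'root' qualifies. unix_socket accepts a connection when the OS user
# name equals the MariaDB user name (the slides show 'somebodyelse' being
# refused), so debian-sys-maint has no matching OS user and keeps the
# password stored in /etc/mysql/debian.cnf.
socket_password_roots() {
    awk -F'\t' '$1 == "localhost" && $2 == "root" && $3 != "unix_socket" { print $1 "\t" $2 }'
}

# Root accounts on other hosts (127.0.0.1, ::1, the machine's own name).
# The GRANT on the slides does not change these rows, so they still carry a
# password hash and deserve a separate review.
remaining_password_roots() {
    awk -F'\t' '$1 != "localhost" && $2 == "root" && $3 != "unix_socket" { print $1 "\t" $2 }'
}

# One GRANT ... IDENTIFIED VIA unix_socket per candidate, ready for the
# MariaDB monitor once  install plugin unix_socket SONAME 'auth_socket'  is done.
migration_sql() {
    socket_password_roots |
        awk -F'\t' -v q="'" '{ printf "GRANT USAGE ON *.* TO %s%s%s@%s%s%s IDENTIFIED VIA unix_socket;\n", q, $2, q, q, $1, q }'
}

# Human-readable report over whatever table arrives on stdin.
audit_report() {
    table=$(cat)
    echo "Candidates for unix_socket:"
    printf '%s\n' "$table" | socket_password_roots
    echo "Root accounts that keep a password after the GRANT:"
    printf '%s\n' "$table" | remaining_password_roots
    echo "Migration SQL:"
    printf '%s\n' "$table" | migration_sql
}

# Replace the sample with a real dump when auditing a server:
#   mysql -BNe "SELECT host,user,plugin FROM mysql.user" | audit_report
sample_user_table | audit_report
```

On the sample this prints one candidate ('root'@'localhost'), three root rows that keep a password (htpc, 127.0.0.1, ::1), and the single GRANT statement. After that GRANT is applied, a password login as root from the local host fails with ERROR 1698 exactly as the caveat slide shows, including the `-h 127.0.0.1` case, which the server there still matched to 'root'@'localhost'; the untouched rows are listed so they can be reviewed rather than silently forgotten.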
Great! When will this be by default?

● Now: New installs in Debian unstable
● Soon: New installs in Ubuntu 15.10
● Some day: official in all MariaDB releases

...but only for new installs. We don't want to mess up password usage in normal version upgrades.
Credits and contributions

Development done
● by me (mariadb.org) and Daniel Black (openquery.com.au)
● in Debian (http://git.debian.org/?p=pkg-mysql/mariadb-10.0.git)

Contributions are welcome!
Thanks!
mariadb.org
@ottokekalainen
otto@mariadb.org