ProHoster > Blog > uprava > Kako koristiti MySQL bez lozinke (i sigurnosnih rizika)

Kako koristiti MySQL bez lozinke (i sigurnosnih rizika)

Kako koristiti MySQL bez lozinke (i sigurnosnih rizika)

Kažu da je najbolja lozinka ona koju ne morate pamtiti. U slučaju MySQL-a to je moguće zahvaljujući dodatku auth_socket i njegova verzija za MariaDB - unix_socket.

Oba ova dodatka uopće nisu nova, o njima se dosta raspravljalo na ovom blogu, primjerice u članku o kako promijeniti lozinke u MySQL 5.7 koristeći dodatak auth_socket. Međutim, dok sam proučavao što je novo u MariaDB 10.4, otkrio sam da je unix_socket sada instaliran prema zadanim postavkama i da je jedna od metoda provjere autentičnosti ("jedna od", jer je u MariaDB 10.4 više od jednog dodatka dostupno jednom korisniku za provjeru autentičnosti, što objašnjeno je u dokumentu "Autentifikacija" iz MariaDB 10.04).

Kao što sam rekao, ovo nije novost, a kada se MySQL instalira pomoću .deb paketa koje podržava Debian tim, kreira se root korisnik za autentifikaciju utičnice. Ovo vrijedi i za MySQL i za MariaDB.

root@app:~# apt-cache show mysql-server-5.7 | grep -i maintainers
Original-Maintainer: Debian MySQL Maintainers <[email protected]>
Original-Maintainer: Debian MySQL Maintainers <<a href="mailto:[email protected]">[email protected]</a>>

S Debian paketima za MySQL, root korisnik se autentificira na sljedeći način:

root@app:~# whoami
root=
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 4
Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user = 'root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.01 sec)

Isti je slučaj s .deb paketom za MariaDB:

10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

MariaDB [(none)]> show grants;
+------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

Paketi .deb iz službenog Percona repozitorija također konfiguriraju autentifikaciju root korisnika pod auth-socket i za Percona Server. Navedimo primjer sa Percona poslužitelj za MySQL 8.0.16-7 i Ubuntu 16.04:

root@app:~# whoami
root
root@app:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 9
Server version: 8.0.16-7 Percona Server (GPL), Release '7', Revision '613e312'

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='root';
+------+-----------+-------------+-----------------------+
| user | host      | plugin | authentication_string |
+------+-----------+-------------+-----------------------+
| root | localhost | auth_socket |                       |
+------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

Dakle, u čemu je magija? Dodatak provjerava podudara li se Linux korisnik s MySQL korisnikom koristeći SO_PEERCRED socket opciju za prikupljanje informacija o korisniku koji pokreće klijentski program. Stoga se dodatak može koristiti samo na sustavima koji podržavaju opciju SO_PEERCRED, kao što je Linux. Opcija utičnice SO_PEERCRED omogućuje vam da saznate uid procesa povezanog s utičnicom. I tada već prima korisničko ime povezano s ovim uid-om.

Evo primjera s korisnikom "vagrant":

vagrant@mysql1:~$ whoami
vagrant
vagrant@mysql1:~$ mysql
ERROR 1698 (28000): Access denied for user 'vagrant'@'localhost'

Budući da u MySQL-u ne postoji "lutalica", pristup nam je zabranjen. Kreirajmo takvog korisnika i pokušajmo ponovno:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket;
Query OK, 0 rows affected (0.00 sec)

vagrant@mysql1:~$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or g.
Your MariaDB connection id is 45
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

MariaDB [(none)]> show grants;
+---------------------------------------------------------------------------------+
| Grants for vagrant@localhost                                                    |
+---------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'vagrant'@'localhost' IDENTIFIED VIA unix_socket |
+---------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Dogodilo se!

Pa, što je s distribucijom koja nije Debian gdje ovo nije osigurano prema zadanim postavkama? Isprobajmo Percona Server za MySQL 8 instaliran na CentOS 7:

mysql> show variables like '%version%comment';
+-----------------+---------------------------------------------------+
| Variable_name   | Value                                   |
+-----------------+---------------------------------------------------+
| version_comment | Percona Server (GPL), Release 7, Revision 613e312 |
+-----------------+---------------------------------------------------+
1 row in set (0.01 sec)

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

Sranje. Što je nedostajalo? Dodatak nije učitan:

mysql> pager grep socket
PAGER set to 'grep socket'
mysql> show plugins;
47 rows in set (0.00 sec)

Dodajmo dodatak procesu:

mysql> nopager
PAGER set to stdout
mysql> INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
Query OK, 0 rows affected (0.00 sec)

mysql> pager grep socket; show plugins;
PAGER set to 'grep socket'
| auth_socket                     | ACTIVE | AUTHENTICATION | auth_socket.so | GPL     |
48 rows in set (0.00 sec)

Sada imamo sve što nam treba. Pokušajmo ponovo:

mysql> CREATE USER 'percona'@'localhost' IDENTIFIED WITH auth_socket;
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'percona'@'localhost';
Query OK, 0 rows affected (0.01 sec)

Sada se možete prijaviti koristeći korisničko ime “percona”.

[percona@ip-192-168-1-111 ~]$ whoami
percona
[percona@ip-192-168-1-111 ~]$ mysql -upercona
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 19
Server version: 8.0.16-7 Percona Server (GPL), Release 7, Revision 613e312

Copyright (c) 2009-2019 Percona LLC and/or its affiliates
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> select user, host, plugin, authentication_string from mysql.user where user ='percona';
+---------+-----------+-------------+-----------------------+
| user    | host   | plugin   | authentication_string |
+---------+-----------+-------------+-----------------------+
| percona | localhost | auth_socket |                       |
+---------+-----------+-------------+-----------------------+
1 row in set (0.00 sec)

I opet je upalilo!

Pitanje: hoće li se moći prijaviti u sustav pod istom percona prijavom, ali kao drugi korisnik?

[percona@ip-192-168-1-111 ~]$ logout
[root@ip-192-168-1-111 ~]# mysql -upercona
ERROR 1698 (28000): Access denied for user 'percona'@'localhost'

Ne, neće uspjeti.

Izlaz

MySQL je prilično fleksibilan u nekoliko aspekata, od kojih je jedan metoda autentifikacije. Kao što možete vidjeti iz ovog posta, pristup se može dobiti bez lozinki, na temelju korisnika OS-a. Ovo može biti korisno u određenim scenarijima, a jedan od njih je kada prelazite s RDS/Aurora na regularni MySQL koristeći IAM provjera autentičnosti baze podatakada i dalje dobijete pristup, ali bez lozinki.

Izvor: www.habr.com

Dodajte komentar