
Passwordless login with unix auth_socket


How to log in to MariaDB as root without any password, only by the fact that you have Unix root access.


  1. Passwordless login with unix auth_socket
     Otto Kekäläinen, 12.10.2015
     MySQL User Group NL, Amsterdam
     © 2015 MariaDB Foundation
  2. The old way
  3. Password management is a pain

         ssh host1.example.com
         Password: XXX
         $ mysql -u root -p
         Password: XYZ

         ssh host1.example.com
         Password: ZZZ
         $ mysql -u root -p
         Password: ZYX

     What if the sysadmin has 20 hosts to manage?
  4. Automating passwords hurts even more

     Example: Ansible scripts for cluster

         # Galera replicates users table and nodes need to have the same debian-sys-maint configs
         - name: update debian-sys-maint user
           mysql_user:
             name: debian-sys-maint
             password: "{{ galera_debian_sys_maint_password }}"
             priv: "*.*:ALL,GRANT"
             append_privs: yes
             host: localhost
             state: present

         # Update same debian-sys-maint configs for all nodes
         - name: update debian.cnf
           template:
             src: debian.cnf.j2
             dest: /etc/mysql/debian.cnf
             mode: 0600
             owner: mysql
             group: root

         - name: Create xtrabackup user and grant privileges
           mysql_user:
             name: xtrabackup
             password: "{{ galera_xtrabackup_password }}"
             priv: "*.*:RELOAD,LOCK TABLES,REPLICATION CLIENT,SUPER"
             append_privs: yes
             host: localhost
             state: present

         - name: update mysql root password for all root accounts
           mysql_user:
             name: root
             host: "{{ item }}"
             priv: "*.*:ALL,GRANT"
             password: "{{ galera_root_password }}"
           with_items:
             - "{{ inventory_hostname }}"
             - 127.0.0.1
             - ::1
             - localhost
           ignore_errors: True

     Failing to sync the password configuration makes the node fail completely.
  5. The irony

         ssh host1.example.com
         Password: XXX
         root$ mysql -u root -p
         Password: XYZ
         Mysqld: wrong password!
         root$ service mysql stop
         root$ scp -r /var/lib/mysql host2.example.com
         root$ rm -rf
         root$ echo "Revenge!" | wall
  6. Goal: eliminate the root passwords

     Yes, Debian/Ubuntu has two

         MariaDB [mysql]> select host,user,plugin from user;
         +-----------+------------------+--------+
         | host      | user             | plugin |
         +-----------+------------------+--------+
         | localhost | root             |        |
         | htpc      | root             |        |
         | 127.0.0.1 | root             |        |
         | ::1       | root             |        |
         | localhost | debian-sys-maint |        |
         +-----------+------------------+--------+

         $ cat /etc/mysql/debian.cnf
         # Automatically generated for Debian scripts. DO NOT TOUCH!
         [client]
         host     = localhost
         user     = debian-sys-maint
         password = z3tm0eLnX6k2fnvb
         socket   = /var/run/mysqld/mysqld.sock
         [mysql_upgrade]
         host     = localhost
         user     = debian-sys-maint
         password = z3tm0eLnX6k2fnvb
         socket   = /var/run/mysqld/mysqld.sock
         basedir  = /usr
  7. unix_socket to the rescue!

         MariaDB [mysql]> install plugin unix_socket SONAME 'auth_socket';
         MariaDB [mysql]> grant usage on *.* to 'root'@'localhost' identified via unix_socket;
         MariaDB [mysql]> select host,user,plugin from user;
         +-----------+------------------+-------------+
         | host      | user             | plugin      |
         +-----------+------------------+-------------+
         | localhost | root             | unix_socket |
         | htpc      | root             |             |
         | 127.0.0.1 | root             |             |
         | ::1       | root             |             |
         | localhost | debian-sys-maint |             |
         +-----------+------------------+-------------+
  8. unix_socket in action

         root$ mysql -u root
         Welcome to the MariaDB monitor. Commands end with ; or \g.
         Your MariaDB connection id is 38
         Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2 (Ubuntu)

         user$ sudo mysql -u root
         Welcome to the MariaDB monitor. Commands end with ; or \g.
         Your MariaDB connection id is 29
         Server version: 5.5.44-MariaDB-1ubuntu0.14.04.2 (Ubuntu)
         MariaDB [(none)]>
  9. unix_socket in action

         root$ mysql
         Welcome to the MariaDB monitor. Commands end with ; or \g.

         root$ mysql -u root -psurelywrongpassword
         Welcome to the MariaDB monitor. Commands end with ; or \g.

         root$ mysql -u somebodyelse
         ERROR 1045 (28000): Access denied for user 'somebodyelse'@'localhost' (using password: NO)
  10. Caveat: logging in as root with password from the local host (using whatever name) will stop working

         user$ mysql -u root -p
         Enter password:
         ERROR 1698 (28000): Access denied for user 'root'@'localhost'

         user$ mysql -u root -h 127.0.0.1 -p
         Enter password:
         ERROR 1698 (28000): Access denied for user 'root'@'localhost'
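The outcomes on slides 8 to 10 follow from socket authentication trusting the kernel-reported identity of the connecting process (SO_PEERCRED on Linux) rather than anything the client sends. The sketch below is an added example, not code from the slides or from MariaDB: it is a simplified model of that decision, the names `socket_auth`, `peer_credentials` and `username_for_uid` are hypothetical, and a `socketpair` stands in for a client connected to `mysqld.sock`.

```python
import os
import pwd
import socket
import struct
from collections import namedtuple

PeerCred = namedtuple("PeerCred", "pid uid gid")


def peer_credentials(conn):
    """Kernel-reported identity of the process at the other end (Linux only)."""
    fmt = "iII"  # struct ucred: pid_t pid; uid_t uid; gid_t gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return PeerCred(*struct.unpack(fmt, raw))


def username_for_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # a uid without a passwd entry maps to no account
        return None


def socket_auth(conn, requested_user, password=None):
    """Simplified model of the decision; `password` is deliberately never read."""
    if conn.family != socket.AF_UNIX:  # TCP carries no peer credentials: deny
        return False
    os_user = username_for_uid(peer_credentials(conn).uid)
    return os_user is not None and os_user == requested_user


def demo():
    # Constructed stand-in for a client connection; nothing talks to a real server.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # never connected
    try:
        me = username_for_uid(os.getuid()) or ""
        return {
            "peer": peer_credentials(server_side),
            "own_name_wrong_password": socket_auth(server_side, me, "surelywrongpassword"),
            "somebodyelse": socket_auth(server_side, "somebodyelse"),
            "tcp": socket_auth(tcp, me),
        }
    finally:
        for s in (server_side, client_side, tcp):
            s.close()


if __name__ == "__main__":
    print(demo())
```

Because the decision depends only on the peer uid, anyone who can run a process as that OS user (including through sudo, as on slide 8) gets the matching database account, so OS-level access control becomes the database's access control.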
  11. Great! When will this be by default?

     ● Now: New installs in Debian unstable
     ● Soon: New installs in Ubuntu 15.10
     ● Some day: official in all MariaDB releases

     ...but only new installs. We don't want to mess up password usage in normal version upgrades.
  12. Credits and contributions

     Development done
     ● by me (mariadb.org) and Daniel Black (openquery.com.au)
     ● in Debian (http://git.debian.org/?p=pkg-mysql/mariadb-10.0.git)

     Contributions are welcome!
  13. Thanks!

     mariadb.org
     @ottokekalainen
     otto@mariadb.org
