Less passwords, more security: unix socket authentication and other MariaDB hardening tips
© 2016 MariaDB Foundation

Less passwords, more security: mass administration of MariaDB servers with socket authentication
Otto Kekäläinen, July 5th 2016, DebConf 16, Cape Town
Hardening your MariaDB installation
1. NEW: Secure root password management
2. Create per user (or application) accounts
3. Restrict connections to the DB service
4. Encrypt connections to the DB service
5. Encrypt data at rest

1 and 3 are secure by default in Debian!
Ensuring continuity and open collaboration in the MariaDB ecosystem
Corporate supporters include Booking.com, Automattic, Virtuozzo, DBS, Acronis, Nexedi, Visma and MariaDB.com
The old way
Password management is a pain

ssh host1.example.com
Password: XXX
$ mysql -u root -p
Password: AAA

ssh host1.example.com
Password: ZZZ
$ mysql -u root -p
Password: BBB

What if the sysadmin has 20 of these to manage?
Automating passwords hurts even more
Example: Ansible scripts for a cluster

# Galera replicates the users table, and nodes need to have the same debian-sys-maint configs
- name: update debian-sys-maint user
  mysql_user:
    name: debian-sys-maint
    password: "{{ galera_debian_sys_maint_password }}"
    priv: "*.*:ALL,GRANT"
    append_privs: yes
    host: localhost
    state: present

# Update the same debian-sys-maint configs for all nodes
- name: update debian.cnf
  template:
    src: debian.cnf.j2
    dest: /etc/mysql/debian.cnf
    mode: 0600
    owner: mysql
    group: root

- name: Create xtrabackup user and grant privileges
  mysql_user:
    name: xtrabackup
    password: "{{ galera_xtrabackup_password }}"
    priv: "*.*:RELOAD,LOCK TABLES,REPLICATION CLIENT,SUPER"
    append_privs: yes
    host: localhost
    state: present

- name: update mysql root password for all root accounts
  mysql_user:
    name: root
    host: "{{ item }}"
    priv: "*.*:ALL,GRANT"
    password: "{{ galera_root_password }}"
  with_items:
    - "{{ inventory_hostname }}"
    - 127.0.0.1
    - ::1
    - localhost
  ignore_errors: True

Failing to sync the password configuration makes the node fail completely!
How is an environment variable "secure storage"?

docker run -d --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=password mariadb:latest

ps -e? grep .bash_history?

Don't waste time on secrets management. Secure yourself against leaking passwords.
Don't use passwords at all. Because you don't have to.
The irony

ssh host1.example.com
Password: XXX
root$ mysql -u root -p
Password: ABC
mysqld: wrong password!

root$ service mysql stop
root$ scp -r /var/lib/mysql host2.example.com
root$ rm -rf
root$ echo "Revenge!" | wall
Goal: eliminate the root passwords
Yes, Debian/Ubuntu has two

MariaDB> select host,user,plugin from user;
+-----------+------------------+--------+
| host      | user             | plugin |
+-----------+------------------+--------+
| localhost | root             |        |
| htpc      | root             |        |
| 127.0.0.1 | root             |        |
| ::1       | root             |        |
| localhost | debian-sys-maint |        |
+-----------+------------------+--------+

$ cat /etc/mysql/debian.cnf
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
unix_socket to the rescue!

MariaDB> install plugin unix_socket SONAME 'auth_socket';
MariaDB> grant usage on *.* to 'root'@'localhost' identified via unix_socket;
MariaDB> select host,user,plugin from user;
+-----------+------------------+-------------+
| host      | user             | plugin      |
+-----------+------------------+-------------+
| localhost | root             | unix_socket |
| htpc      | root             |             |
| 127.0.0.1 | root             |             |
| ::1       | root             |             |
| localhost | debian-sys-maint |             |
+-----------+------------------+-------------+
unix_socket in action

root$ mysql -u root
Welcome to the MariaDB monitor. Commands end with ;
Your MariaDB connection id is 38
Server version: 10.0.26

user$ sudo mysql -u root
Welcome to the MariaDB monitor. Commands end with ;
Your MariaDB connection id is 29
Server version: 10.0.26
MariaDB [(none)]>
unix_socket in action

root$ mysql
Welcome to the MariaDB monitor. Commands end with ;

root$ mysql -u root -psurelywrongpassword
Welcome to the MariaDB monitor. Commands end with ;

root$ mysql -u somebodyelse
ERROR 1045 (28000): Access denied for user 'somebodyelse'@'localhost' (using password: NO)
Caveat: logging in as root with a password from the local host (under whatever name) will stop working

user$ mysql -u root -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'

user$ mysql -u root -h 127.0.0.1 -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'
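The slides show the user table before and after switching root@localhost to unix_socket, and the caveat that it only covers local socket connections. The script below is an added example (not the speaker's or Debian's code): it parses the box-drawn table the mysql client prints for `select host,user,plugin from user;`, emits the GRANT statement from the slides for each local root account that still uses a password, and lists the root accounts bound to TCP hosts (127.0.0.1, ::1, a hostname), which unix_socket cannot authenticate because no socket peer credentials exist for them. The sample table is constructed from the slide.

```python
"""Audit the mysql.user table for root accounts that still use passwords.

Added example for this transcript, not the speaker's or Debian's code. It
parses the table printed for `SELECT host,user,plugin FROM user;` and
reports which root accounts can be moved to unix_socket and which cannot.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the "before" table from the slide.
SAMPLE_BEFORE = """\
+-----------+------------------+--------+
| host      | user             | plugin |
+-----------+------------------+--------+
| localhost | root             |        |
| htpc      | root             |        |
| 127.0.0.1 | root             |        |
| ::1       | root             |        |
| localhost | debian-sys-maint |        |
+-----------+------------------+--------+
"""


@dataclass
class Account:
    host: str
    user: str
    plugin: str


def parse_user_table(text: str) -> list[Account]:
    """Turn the client's ASCII table into Account records.

    Border lines start with '+' and are skipped; the first '|' line is the
    header and maps the remaining cells to column names.
    """
    accounts: list[Account] = []
    header = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))
        accounts.append(Account(row["host"], row["user"], row["plugin"]))
    return accounts


def audit_root_accounts(accounts: list[Account]) -> tuple[list[str], list[str]]:
    """Classify root accounts that are not already on unix_socket.

    Returns (grants, tcp_hosts): the GRANT statement from the slides for each
    local root account that can move to unix_socket, and the host part of each
    root account reachable only over TCP, where socket peer credentials are
    unavailable and a password (or another plugin) has to remain.
    """
    grants: list[str] = []
    tcp_hosts: list[str] = []
    for acct in accounts:
        if acct.user != "root" or acct.plugin == "unix_socket":
            continue
        if acct.host == "localhost":
            grants.append(
                f"GRANT USAGE ON *.* TO '{acct.user}'@'{acct.host}' IDENTIFIED VIA unix_socket;"
            )
        else:
            tcp_hosts.append(acct.host)
    return grants, tcp_hosts


if __name__ == "__main__":
    grants, tcp_hosts = audit_root_accounts(parse_user_table(SAMPLE_BEFORE))
    print("Statements to drop the local root password:")
    for stmt in grants:
        print("  " + stmt)
    print("Root accounts unix_socket cannot cover (TCP hosts):", ", ".join(tcp_hosts))
```

Feed it the output of the same `select` on a real server (for example `mysql -N -e` is not needed; the default box format is what the parser expects) to see which accounts the caveat applies to before the plugin is installed.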
Great! When will this be by default?
● New installs in Debian testing since Dec 2015, will be in Stretch
● New installs in Ubuntu since 15.10+
● Future: official in all MariaDB releases

...but only new installs. We don't want to mess up password usage in normal version upgrades.
Debian credits and contributions
Development
● by me (mariadb.org) and Daniel Black (openquery.com.au)
● in Debian (http://git.debian.org/?p=pkg-mysql/mariadb-10.0.git)
Contributions are welcome!
Create per user accounts

root$ mysql
Welcome to the MariaDB monitor. Commands end with ;
MariaDB> CREATE DATABASE mydb;
MariaDB> GRANT ALL ON mydb.* TO myapp@localhost IDENTIFIED BY 'pass123';
MariaDB> GRANT SELECT,INSERT,UPDATE ON mydb.* TO myremoteapp@'192.168.1.%' IDENTIFIED BY '456pass' REQUIRE SSL;

(Extra tip: Don't FLUSH PRIVILEGES. GRANT does it automatically.)

New in 10.1: Password policies
New in 10.2: REQUIRE SSL in CREATE USER
Restrict connections

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
# Instead of skip-networking the default is now to
# listen only on localhost, which is more compatible
# and is not less secure.
bind-address = 127.0.0.1

Options:
- unix socket only = enable skip-networking
- bind to localhost = default in Debian
- bind to public IP = disable (comment out) bind-address
Encrypt connections 1/2

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
# For generating SSL certificates I recommend
# the OpenSSL GUI "tinyca".
ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=TLSv1.2

MariaDB has supported the TLSv1.2 protocol since 10.0.15 with OpenSSL (not in Debian). Limit MariaDB to TLSv1.2 ciphers only with --ssl-cipher=TLSv1.2.
Encrypt connections 2/2

/etc/mysql/mariadb.conf.d/50-client.cnf
[client]
ssl-verify-server-cert=on
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

root$ mysql -h 192.168.1.3
MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.0.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Current user: root@... (address obscured in the transcript)
SSL: Not in use
Encrypt data at rest

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
!include enable_encryption.preset

Database level encryption is superior to data level or filesystem level encryption in terms of flexibility and protection. The overhead is only 3–5%. The implementation in MariaDB was contributed by Google.
But you really need to read up a lot :)
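The last three slides (restrict connections, encrypt connections, encrypt data at rest) are all server-side settings in 50-server.cnf. The script below is an added example, not the speaker's or Debian's code: it reads one ini-style config fragment and reports which of the slide's settings are missing or weak, so the same checks can be run across the fleet of servers the talk is about. It looks only for the options the slides name (bind-address, skip-networking, ssl-ca/ssl-cert/ssl-key, ssl-cipher=TLSv1.2 and the `!include` of an encryption preset); both config samples are constructed, and a real server merges every file under mariadb.conf.d whereas this reads a single file.

```python
"""Check a MariaDB server config fragment against the config-level hardening
items from this talk: restrict connections, encrypt connections, encrypt
data at rest.

Added example for this transcript, not the speaker's or Debian's code. The
samples are constructed; a real server merges all of mariadb.conf.d.
"""
from __future__ import annotations

import configparser

# Constructed sample: the slides' 50-server.cnf settings merged into one file.
HARDENED_CNF = """\
[mysqld]
# listen only on localhost (the Debian default)
bind-address = 127.0.0.1
ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=TLSv1.2
!include enable_encryption.preset
"""

# Constructed sample: listens on every interface, no TLS, no at-rest encryption.
WEAK_CNF = """\
[mysqld]
bind-address = 0.0.0.0
"""


def load_mysqld_options(text: str) -> dict[str, str | None]:
    """Parse the [mysqld] section of an ini-style MariaDB config.

    allow_no_value accepts flag-style keys such as skip-networking, and lets a
    '!include ...' line through as a key with no value instead of an error.
    strict=False tolerates a repeated key (last one wins, as the server
    behaves). configparser lower-cases keys.
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None
    )
    parser.read_string(text)
    if not parser.has_section("mysqld"):
        return {}
    return dict(parser["mysqld"])


def audit_server_config(text: str) -> list[str]:
    """Return findings for the three slide topics; an empty list means all pass."""
    opts = load_mysqld_options(text)
    findings: list[str] = []

    # 1. Restrict connections (slide: unix socket only / localhost / public IP)
    bind = opts.get("bind-address")
    if "skip-networking" in opts:
        pass  # unix socket only: nothing listens on TCP at all
    elif bind in ("127.0.0.1", "::1", "localhost"):
        pass  # Debian default: TCP, but local clients only
    elif bind is None:
        findings.append(
            "no bind-address and no skip-networking: the server listens on all interfaces"
        )
    else:
        findings.append(f"bind-address={bind}: reachable from the network")

    # 2. Encrypt connections (slide: ssl-ca/ssl-cert/ssl-key, ssl-cipher=TLSv1.2)
    for key in ("ssl-ca", "ssl-cert", "ssl-key"):
        if key not in opts:
            findings.append(f"{key} not set: the server cannot offer TLS")
    if opts.get("ssl-cipher") != "TLSv1.2":
        findings.append("ssl-cipher is not TLSv1.2: older TLS versions remain allowed")

    # 3. Encrypt data at rest (slide: !include enable_encryption.preset)
    if not any(k.startswith("!include") and "encryption" in k for k in opts):
        findings.append("no encryption preset included: data at rest is not encrypted")

    return findings


if __name__ == "__main__":
    for label, cnf in (("hardened", HARDENED_CNF), ("weak", WEAK_CNF)):
        print(f"{label}: {audit_server_config(cnf) or ['OK']}")
```

Run it against a public-IP server that relies on `REQUIRE SSL` grants and the bind-address finding is expected; the point of the check is that such a server must then also pass the TLS checks, which is exactly the combination the per-user accounts slide shows for `myremoteapp`.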