Security in MySQL Abstract This is the MySQL Security Guide extract from the MySQL 5.6 Reference Manual. For legal information, see the Legal Notices. For help with using MySQL, please visit the MySQL Forums, where you can discuss your issues with other MySQL users. Document generated on: 2021-09-28 (revision: 70916) Table of Contents Preface and Legal Notices ............................................................................................................ v 1 Security ..................................................................................................................................... 1 2 General Security Issues ............................................................................................................. 3 2.1 Security Guidelines ......................................................................................................... 3 2.2 Keeping Passwords Secure ............................................................................................. 4 2.2.1 End-User Guidelines for Password Security ........................................................... 5 2.2.2 Administrator Guidelines for Password Security ..................................................... 6 2.2.3 Passwords and Logging ....................................................................................... 6 2.2.4 Password Hashing in MySQL ............................................................................... 7 2.2.5 Implications of Password Hashing Changes in MySQL 4.1 for Application Programs .................................................................................................................... 12 2.3 Making MySQL Secure Against Attackers ...................................................................... 12 2.4 Security-Related mysqld Options and Variables .............................................................. 14 2.5 How to Run MySQL as a Normal User .......................................................................... 15 2.6 Security Considerations for LOAD DATA LOCAL ............................................................ 15 2.7 Client Programming Security Guidelines ......................................................................... 17 3 Postinstallation Setup and Testing ............................................................................................ 21 3.1 Initializing the Data Directory ......................................................................................... 21 3.1.1 Problems Running mysql_install_db .................................................................... 23 3.2 Starting the Server ........................................................................................................ 24 3.2.1 Troubleshooting Problems Starting the MySQL Server ......................................... 25 3.3 Testing the Server ........................................................................................................ 27 3.4 Securing the Initial MySQL Accounts ............................................................................. 28 3.5 Starting and Stopping MySQL Automatically ................................................................... 32 4 Access Control and Account Management ................................................................................ 35 4.1 Account User Names and Passwords ............................................................................ 36 4.2 Privileges Provided by MySQL ...................................................................................... 38 4.3 Grant Tables ................................................................................................................. 44 4.4 Specifying Account Names ............................................................................................ 50 4.5 Access Control, Stage 1: Connection Verification ............................................................ 52 4.6 Access Control, Stage 2: Request Verification ................................................................ 55 4.7 Adding Accounts, Assigning Privileges, and Dropping Accounts ....................................... 57 4.8 When Privilege Changes Take Effect ............................................................................. 60 4.9 Assigning Account Passwords ....................................................................................... 60 4.10 Server Handling of Expired Passwords ......................................................................... 62 4.11 Pluggable Authentication ............................................................................................. 64 4.12 Proxy Users ................................................................................................................ 68 4.13 Setting Account Resource Limits .................................................................................. 74 4.14 Troubleshooting Problems Connecting to MySQL ......................................................... 76 4.15 SQL-Based Account Activity Auditing ........................................................................... 80 5 Using Encrypted Connections ................................................................................................... 83 5.1 Configuring MySQL to Use Encrypted Connections ........................................................ 84 5.2 Encrypted Connection TLS Protocols and Ciphers .......................................................... 86 5.3 Creating SSL and RSA Certificates and Keys ................................................................. 90 5.3.1 Creating SSL Certificates and Keys Using openssl ............................................... 90 5.3.2 Creating RSA Keys Using openssl ...................................................................... 95 5.4 SSL Library-Dependent Capabilities ............................................................................... 95 5.5 Connecting to MySQL Remotely from Windows with SSH ............................................... 96 6 Security Plugins ....................................................................................................................... 99 6.1 Authentication Plugins ................................................................................................. 100 6.1.1 Native Pluggable Authentication ........................................................................ 100 6.1.2 Old Native Pluggable Authentication .................................................................. 101 6.1.3 Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin ....................................................................................................................... 102 6.1.4 SHA-256 Pluggable Authentication .................................................................... 105 iii Security in MySQL 6.1.5 Client-Side Cleartext Pluggable Authentication ................................................... 109 6.1.6 PAM Pluggable Authentication .......................................................................... 110 6.1.7 Windows Pluggable Authentication .................................................................... 120 6.1.8 Socket Peer-Credential Pluggable Authentication ............................................... 124 6.1.9 Test Pluggable Authentication ........................................................................... 126 6.2 The Connection-Control Plugins ................................................................................... 128 6.2.1 Connection-Control Plugin Installation ................................................................ 128 6.2.2 Connection-Control System and Status Variables ............................................... 132 6.3 The Password Validation Plugin ................................................................................... 134 6.3.1 Password Validation Plugin Installation .............................................................. 135 6.3.2 Password Validation Plugin Options and Variables ............................................. 136 6.4 MySQL Enterprise Audit .............................................................................................. 140 6.4.1 Installing MySQL Enterprise Audit ..................................................................... 142 6.4.2 MySQL Enterprise Audit Security Considerations ............................................... 143 6.4.3 Audit Log File Formats ..................................................................................... 143 6.4.4 Configuring Audit Logging Characteristics .......................................................... 153 6.4.5 Audit Log Filtering ............................................................................................ 155 6.4.6 Audit Log Reference ......................................................................................... 157 6.4.7 Audit Log Restrictions ....................................................................................... 165 6.5 MySQL Enterprise Firewall .......................................................................................... 165 6.5.1 Elements of MySQL Enterprise Firewall ............................................................. 166 6.5.2 Installing or Uninstalling MySQL Enterprise Firewall ........................................... 166 6.5.3 Using MySQL Enterprise Firewall ...................................................................... 169 6.5.4 MySQL Enterprise Firewall Reference