Less passwords, more security: mass administration of MariaDB servers with socket authentication
Otto Kekäläinen, July 5th 2016, DebConf 16, Cape Town
© 2016 MariaDB Foundation

Less passwords, more security: unix socket authentication and other MariaDB hardening tips


Page 1: Less passwords, more security: unix socket authentication and other MariaDB hardening tips


Page 2

Hardening your MariaDB installation

1. NEW: Secure root password management
2. Create per-user (or per-application) accounts
3. Restrict connections to the DB service
4. Encrypt connections to the DB service
5. Encrypt data at rest

1 and 3 are secure by default in Debian!

Page 3

Ensuring continuity and open collaboration in the MariaDB ecosystem

Corporate supporters include Booking.com, Automattic, Virtuozzo, DBS, Acronis, Nexedi, Visma and MariaDB.com

Page 4

The old way

Page 5

Password management is a pain

$ ssh host1.example.com
Password: XXX
$ mysql -u root -p
Password: AAA

$ ssh host1.example.com
Password: ZZZ
$ mysql -u root -p
Password: BBB

What if the sysadmin has 20 of these to manage?

Page 6

Automating passwords hurts even more. Example: Ansible scripts for a cluster

# Galera replicates the users table, so all nodes need the same debian-sys-maint config
- name: update debian-sys-maint user
  mysql_user:
    name: debian-sys-maint
    password: "{{ galera_debian_sys_maint_password }}"
    priv: "*.*:ALL,GRANT"
    append_privs: yes
    host: localhost
    state: present

# Update the same debian-sys-maint config on all nodes
- name: update debian.cnf
  template:
    src: debian.cnf.j2
    dest: /etc/mysql/debian.cnf
    mode: 0600
    owner: mysql
    group: root

- name: Create xtrabackup user and grant privileges
  mysql_user:
    name: xtrabackup
    password: "{{ galera_xtrabackup_password }}"
    priv: "*.*:RELOAD,LOCK TABLES,REPLICATION CLIENT,SUPER"
    append_privs: yes
    host: localhost
    state: present

- name: update mysql root password for all root accounts
  mysql_user:
    name: root
    host: "{{ item }}"
    priv: "*.*:ALL,GRANT"
    password: "{{ galera_root_password }}"
  with_items:
    - "{{ inventory_hostname }}"
    - 127.0.0.1
    - ::1
    - localhost
  ignore_errors: True

Failing to keep the password configuration in sync makes the node fail completely!

Page 7

Page 8

How is an environment variable "secure storage"?

docker run -d --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=password mariadb:latest

Visible in ps -e? Sitting in .bash_history?
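The docker run line above puts the password into the container's environment and onto a command line on the host. The following script, an added example that is not part of the slides, reproduces both channels with a throwaway child process instead of a container and reads the secret back from /proc the way ps or any local user could. The secret value and the child command are constructed for the demonstration; it needs Linux for /proc.

```shell
#!/bin/sh
# Added example, not from the slides: where a secret handed over as
# "-e MYSQL_ROOT_PASSWORD=..." can be read back from. A throwaway child
# process stands in for the container/daemon; the secret value is constructed.
# Linux only: it reads /proc, which is exactly what ps and most agents do.
SECRET="constructed-example-secret-Xy7"

# Start a child that carries the secret in its environment (as the container
# would) and on its command line (as the `docker run -e ...` line does on the
# host). stdout/stderr are detached so a caller using $(...) does not block.
# Prints the child's PID. 'sleep 30; :' is two commands so the shell does not
# exec-optimise into a bare 'sleep' and lose the argv.
start_leaky_child() {
    MYSQL_ROOT_PASSWORD="$SECRET" sh -c 'sleep 30; :' sh \
        "MYSQL_ROOT_PASSWORD=$SECRET" >/dev/null 2>&1 </dev/null &
    echo $!
}

# find_leaks PID: report each /proc channel that exposes the secret.
# Exit status is the number of channels found (0 = nothing leaked).
find_leaks() {
    pid=$1; n=0
    if tr '\000' '\n' < "/proc/$pid/environ" 2>/dev/null \
            | grep -q "^MYSQL_ROOT_PASSWORD=$SECRET\$"; then
        echo "environment: /proc/$pid/environ exposes MYSQL_ROOT_PASSWORD"
        n=$((n + 1))
    fi
    if tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null | grep -q "$SECRET"; then
        echo "argv: /proc/$pid/cmdline (what 'ps -ef' prints) exposes the secret"
        n=$((n + 1))
    fi
    return $n
}

# demo: start the child, inspect it, clean up. Returns the number of leaks.
demo() {
    pid=$(start_leaky_child)
    sleep 1                      # let the child finish exec before reading /proc
    find_leaks "$pid" && n=0 || n=$?
    kill "$pid" 2>/dev/null || true
    return $n
}

# Run the demonstration when executed directly (not when sourced for testing).
if [ "${1:-}" = "--run" ]; then
    demo; echo "leak channels found: $?"
fi
```

Both channels are readable by every process running as the same user, and /proc/PID/cmdline is world-readable by default, so a password placed there is no more secret than the shell history the slide asks about.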

Page 9

Don't waste time on secrets management. Secure yourself against leaking passwords.

Don't use passwords at all. Because you don't have to.

Page 10

The irony

$ ssh host1.example.com
Password: XXX
root$ mysql -u root -p
Password: ABC
mysqld: wrong password!

root$ service mysql stop
root$ scp -r /var/lib/mysql host2.example.com
root$ rm -rf
root$ echo "Revenge!" | wall

Page 11

Goal: eliminate the root passwords. Yes, Debian/Ubuntu has two.

MariaDB> select host,user,plugin from user;
+-----------+------------------+--------+
| host      | user             | plugin |
+-----------+------------------+--------+
| localhost | root             |        |
| htpc      | root             |        |
| 127.0.0.1 | root             |        |
| ::1       | root             |        |
| localhost | debian-sys-maint |        |
+-----------+------------------+--------+

$ cat /etc/mysql/debian.cnf
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = debian-sys-maint
password = z3tm0eLnX6k2fnvb
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Page 12

unix_socket to the rescue!

MariaDB> install plugin unix_socket SONAME 'auth_socket';

MariaDB> grant usage on *.* to 'root'@'localhost' identified via unix_socket;

MariaDB> select host,user,plugin from user;
+-----------+------------------+-------------+
| host      | user             | plugin      |
+-----------+------------------+-------------+
| localhost | root             | unix_socket |
| htpc      | root             |             |
| 127.0.0.1 | root             |             |
| ::1       | root             |             |
| localhost | debian-sys-maint |             |
+-----------+------------------+-------------+
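After the GRANT, the listing still shows three root entries and the debian-sys-maint account that authenticate with a password. The script below is an added check, not part of the slides or of the Debian packaging: it reads the tab-separated form of that listing, as printed by `mysql -N -B -e "SELECT host,user,plugin FROM mysql.user"`, and flags every root entry not on unix_socket, every root entry reachable over TCP at all, and a debian-sys-maint account whose password therefore still lives in /etc/mysql/debian.cnf. The sample rows in the test are constructed from the two tables on this page.

```shell
#!/bin/sh
# Added example, not from the slides. Audits "host<TAB>user<TAB>plugin" rows
# as printed by:  mysql -N -B -e "SELECT host,user,plugin FROM mysql.user"
# Exit status = number of findings (0 means the root accounts are clean).
audit_mysql_users() {
    awk '
    BEGIN { FS = "\t" }
    # root@localhost must authenticate via the unix_socket plugin, not a password
    $2 == "root" && $1 == "localhost" && $3 != "unix_socket" {
        printf "FAIL root@localhost authenticates via %s; expected unix_socket\n",
               ($3 == "" ? "password" : $3)
        n++; next
    }
    # any other root@<host> is a password login over TCP: drop it
    $2 == "root" && $1 != "localhost" {
        printf "FAIL root@%s allows password login over TCP; DROP USER it\n", $1
        n++; next
    }
    # the Debian maintenance account keeps its password in /etc/mysql/debian.cnf
    $2 == "debian-sys-maint" && $3 != "unix_socket" {
        printf "WARN debian-sys-maint@%s still uses a password (see /etc/mysql/debian.cnf)\n", $1
        n++; next
    }
    END { exit n + 0 }'
}

# Audit the live server only when asked to; otherwise do nothing at top level
# so the function can be sourced into other scripts or tests.
if [ "${1:-}" = "--live" ]; then
    mysql -N -B -e "SELECT host,user,plugin FROM mysql.user" | audit_mysql_users
fi
```

Run it as `sh audit.sh --live` on each host over ssh; a non-zero exit status is the list of accounts that still need the GRANT ... IDENTIFIED VIA unix_socket or a DROP USER from the slides.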

Page 13

unix_socket in action

root$ mysql -u root
Welcome to the MariaDB monitor. Commands end with ;
Your MariaDB connection id is 38
Server version: 10.0.26

user$ sudo mysql -u root
Welcome to the MariaDB monitor. Commands end with ;
Your MariaDB connection id is 29
Server version: 10.0.26

MariaDB [(none)]>

Page 14

unix_socket in action

root$ mysql
Welcome to the MariaDB monitor. Commands end with ;

root$ mysql -u root -psurelywrongpassword
Welcome to the MariaDB monitor. Commands end with ;

root$ mysql -u somebodyelse
ERROR 1045 (28000): Access denied for user 'somebodyelse'@'localhost' (using password: NO)

The plugin trusts the operating-system user of the process at the other end of the socket, so a supplied password is ignored and the OS user name must match the MariaDB user name.

Page 15

Caveat: logging in as root with a password from the local host stops working, whichever host name you give:

user$ mysql -u root -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'

user$ mysql -u root -h 127.0.0.1 -p
Enter password:
ERROR 1698 (28000): Access denied for user 'root'@'localhost'

Page 16

Great! When will this be by default?

● New installs in Debian testing since Dec 2015, will be in Stretch
● New installs in Ubuntu since 15.10
● Future: official in all MariaDB releases

...but only for new installs. We don't want to mess up password usage in normal version upgrades.

Page 17

Debian credits and contributions

Development:
● by me (mariadb.org) and Daniel Black (openquery.com.au)
● in Debian (http://git.debian.org/?p=pkg-mysql/mariadb-10.0.git)

Contributions are welcome!

Page 18

Create per-user accounts

root$ mysql
Welcome to the MariaDB monitor. Commands end with ;

MariaDB> CREATE DATABASE mydb;

MariaDB> GRANT ALL ON mydb.* TO myapp@localhost IDENTIFIED BY 'pass123';

MariaDB> GRANT SELECT,INSERT,UPDATE ON mydb.* TO myremoteapp@'192.168.1.%' IDENTIFIED BY '456pass' REQUIRE SSL;

(Extra tip: no FLUSH PRIVILEGES needed; GRANT reloads the grant tables itself.)

New in 10.1: password policies
New in 10.2: REQUIRE SSL in CREATE USER

Page 19

Restrict connections

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
# Instead of skip-networking the default is now to
# listen only on localhost which is more compatible
# and is not less secure.
bind-address = 127.0.0.1

Options:
- unix socket only: enable skip-networking
- bind to localhost: the default in Debian
- bind to a public IP: disable (remove) the bind-address line

Page 20

Encrypt connections 1/2

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
# For generating SSL certificates I recommend
# the OpenSSL GUI "tinyca".
ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=TLSv1.2

MariaDB has supported the TLSv1.2 protocol since 10.0.15 when built with OpenSSL (not the case for the Debian build). Limit MariaDB to TLSv1.2 ciphers only with --ssl-cipher=TLSv1.2.

Page 21

Encrypt connections 2/2

/etc/mysql/mariadb.conf.d/50-client.cnf
[client]
ssl-verify-server-cert=on
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

root$ mysql -h 192.168.1.3
MariaDB [(none)]> \s
--------------
mysql Ver 15.1 Distrib 10.0.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Current user: [email protected]
SSL: Not in use
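The two config fragments above name five files but the slides only point at the tinyca GUI for producing them. As an added example that is not from the slides, the script below creates the CA, the server certificate and key for 50-server.cnf, and the client certificate and key for 50-client.cnf with plain openssl, then checks them the way the MariaDB client will: both leaf certificates must chain to cacert.pem, the server CN must be the name clients pass to -h (ssl-verify-server-cert compares the two), and the server subject must differ from the CA subject, a mismatch that is a classic cause of MySQL/MariaDB rejecting a valid-looking chain as self-signed. The output directory, the organisation name and the host name db1.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: CA + server + client certificates for
# MariaDB's ssl-ca/ssl-cert/ssl-key settings, generated with openssl instead
# of the tinyca GUI. Directory, organisation and host name are assumptions.
set -e

# make_mariadb_certs DIR SERVER_HOSTNAME
# Writes cacert.pem, server-cert.pem, server-key.pem, client-cert.pem,
# client-key.pem (plus cakey.pem, which stays off the database hosts) into DIR.
make_mariadb_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate (subject must differ from the
    #    server's, otherwise clients see the chain as self-signed and fail)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example MariaDB CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server key + CSR with CN = the host name clients connect to, signed by the CA
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    # 3. Client key + certificate for ssl-cert/ssl-key in 50-client.cnf
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=mariadb-client" \
        -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/client-cert.pem" 2>/dev/null
    # private keys are readable by their owner only; CSRs are no longer needed
    chmod 600 "$dir/cakey.pem" "$dir/server-key.pem" "$dir/client-key.pem"
    rm -f "$dir/server.csr" "$dir/client.csr"
}

# check_mariadb_certs DIR SERVER_HOSTNAME
# Returns 0 when both leaf certificates verify against the CA, the server
# subject differs from the CA subject, and the server CN equals HOSTNAME
# (what ssl-verify-server-cert compares against -h). Returns 1 otherwise.
check_mariadb_certs() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/client-cert.pem" >/dev/null 2>&1 || return 1
    ca_subj=$(openssl x509 -noout -subject -in "$dir/cacert.pem")
    srv_subj=$(openssl x509 -noout -subject -in "$dir/server-cert.pem")
    [ "$ca_subj" != "$srv_subj" ] || return 1
    # OpenSSL 1.1+ prints "CN = host", older releases print "CN=host"
    case "$srv_subj" in
        *"CN = $host"*|*"CN=$host"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Example run: sh make-certs.sh /etc/mysql db1.example.com
if [ $# -eq 2 ]; then
    make_mariadb_certs "$1" "$2"
    check_mariadb_certs "$1" "$2" && echo "certificates in $1 verify for $2"
fi
```

Copy cacert.pem, server-cert.pem and server-key.pem to the server's /etc/mysql, and cacert.pem, client-cert.pem and client-key.pem to each client; keep cakey.pem on the signing machine only. Because the check compares the CN against the host name, clients must use that name with -h, not the IP address, for ssl-verify-server-cert=on to succeed.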

Page 22

Encrypt data at rest

/etc/mysql/mariadb.conf.d/50-server.cnf
[mysqld]
!include enable_encryption.preset

Database-level encryption is superior to application-level (data-level) or filesystem-level encryption in terms of flexibility and protection. The overhead is only 3–5%. The implementation in MariaDB was contributed by Google.

But you really need to read up a lot :)

Page 23

Thanks!

mariadb.org