Document suggested setup that avoids cleartext password transfer
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
percona-pam-for-mysql | Triaged | Medium | Borys Belinsky | percona-full-pam
Bug Description
The best way we have found so far is to use the existing MySQL SSL connection support.
We cannot implement anything better (cheaper) than that (I'll file separate doc bugs to explain the reasons).
The MySQL SSL connection support likes to use client certificates, which we want to avoid; we want to use only server certificates here. The manual is very vague on not using client certificates, here's what I've tested to work:
1) Set up a server with SSL support and correct ssl-ca, ssl-cert, ssl-key options. Verify with show global variables like 'have_%ssl';
2) Issue GRANT with the REQUIRE SSL option for all the interesting user accounts. This is not strictly necessary but without it sessions might silently fall back to clear text.
3) Connect using the --ssl-cipher option and no --ssl-ca or --ssl-cert option (the docs say to use them):
    bin/mysql -u foo -p --ssl-cipher=
Verify by "status":
    ...
    SSL: Cipher in use is DHE-RSA-AES256-SHA
    ...
What's not clear to me is how we can recommend "good" values for --ssl-cipher, that needs to be researched. (is the one above good?)
Further reading:
http://
http://
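The two checks the report relies on, that every interesting account carries REQUIRE SSL and that the client's "status" output names a cipher rather than "Not in use", can be automated over the text the server and client print. The following is an added example written for this page, not code from the bug report or from percona-pam-for-mysql. It assumes the ssl_type column of mysql.user ('' for no REQUIRE clause, 'ANY' for REQUIRE SSL, 'X509' for REQUIRE X509, 'SPECIFIED' for REQUIRE CIPHER/ISSUER/SUBJECT) and the "SSL:" line of the mysql client's status command; the rows and status transcripts embedded below are constructed samples, and the weak-cipher token list is this example's own heuristic, not a recommendation from the report.

```python
"""Audit helpers for the server-certificate-only MySQL SSL setup described above.

Added example, not code from the bug report or from percona-pam-for-mysql.
Runs offline on constructed copies of what the server and client print, so
real output can be swapped in for the sample text.
"""
import re

# Constructed sample: rows of `SELECT user, host, ssl_type FROM mysql.user`.
# ssl_type is '' when no REQUIRE clause was granted, 'ANY' for REQUIRE SSL,
# 'X509' for REQUIRE X509 and 'SPECIFIED' for REQUIRE CIPHER/ISSUER/SUBJECT.
SAMPLE_USER_ROWS = [
    ("root", "localhost", ""),
    ("foo", "%", "ANY"),
    ("pam_user", "10.0.0.%", ""),
    ("app", "app-host", "X509"),
]

# Constructed samples of the mysql client's `status` output (tab-separated
# like the real client; only the SSL: line matters here).
SAMPLE_STATUS_SSL = (
    "Connection id:\t\t7\n"
    "SSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\n"
    "Uptime:\t\t\t1 day 2 hours\n"
)
SAMPLE_STATUS_PLAIN = "Connection id:\t\t8\nSSL:\t\t\tNot in use\n"

# Heuristic list (this example's own, not from the report) of OpenSSL cipher
# name tokens that mark export, anonymous or broken-primitive suites.
# "DES" also matches the DES-CBC3 (3DES) suites.
WEAK_TOKENS = ("NULL", "EXP", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def accounts_without_require_ssl(rows):
    """(user, host) pairs that can still authenticate over a cleartext session."""
    return [(user, host) for user, host, ssl_type in rows if ssl_type == ""]


def require_ssl_grants(rows):
    """GRANT statements, in the form the report uses, for each account lacking REQUIRE SSL.

    GRANT USAGE adds no privileges; it only attaches the REQUIRE clause.
    """
    return [
        f"GRANT USAGE ON *.* TO '{user}'@'{host}' REQUIRE SSL;"
        for user, host in accounts_without_require_ssl(rows)
    ]


_SSL_LINE = re.compile(r"^SSL:\s+(.*)$", re.MULTILINE)
_CIPHER_PREFIX = "Cipher in use is "


def session_cipher(status_output):
    """Cipher named on the `status` SSL line, or None when the session is cleartext."""
    match = _SSL_LINE.search(status_output)
    if not match:
        return None
    text = match.group(1).strip()
    if not text.startswith(_CIPHER_PREFIX):
        return None  # "Not in use": the connection silently fell back to cleartext
    return text[len(_CIPHER_PREFIX):]


def describe_cipher(name):
    """Properties of an OpenSSL-style cipher name an auditor would want to see."""
    tokens = name.split("-")
    return {
        # Ephemeral Diffie-Hellman key exchange gives forward secrecy.
        "forward_secrecy": tokens[0] in ("DHE", "ECDHE", "EDH"),
        "weak_tokens": [t for t in tokens if t in WEAK_TOKENS],
    }


if __name__ == "__main__":
    for stmt in require_ssl_grants(SAMPLE_USER_ROWS):
        print(stmt)
    for label, output in (("ssl", SAMPLE_STATUS_SSL), ("plain", SAMPLE_STATUS_PLAIN)):
        cipher = session_cipher(output)
        if cipher is None:
            print(f"{label}: cleartext session, REQUIRE SSL is missing or not enforced")
        else:
            print(f"{label}: {cipher} -> {describe_cipher(cipher)}")
```

Feed the first function real rows from mysql.user and the second the captured "status" text; an account with an empty ssl_type, or a status line reading "Not in use", is exactly the silent cleartext fallback step 2 warns about. On MySQL 5.7 and later, ALTER USER ... REQUIRE SSL does the same job as the GRANT USAGE form.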
Changed in percona-pam-for-mysql:
    milestone: none → percona-full-pam
    assignee: nobody → Hrvoje Matijakovic (hrvojem)
Changed in percona-pam-for-mysql:
    importance: Undecided → Medium
    status: New → Triaged
Changed in percona-pam-for-mysql:
    assignee: Hrvoje Matijakovic (hrvojem) → Borys Belinsky (borys-belinsky-percona)