improve deletion of unsecured MySQL users to include the new auth mechanisms #643

Open
schurzi opened this issue Mar 1, 2023 · 0 comments

schurzi commented Mar 1, 2023

Description

Currently we use a simple set of criteria to remove unsecured users. This set excludes some of the useful new features of newer MySQL versions. Also, the current logic needs a bit more documentation to be easier to understand.

Solution

We should define which features of MySQL we want to advise using by making our queries for deleting unsecured users more explicit and more granular.
Currently I would consider several types of authentication secure:

  • auth with password
  • auth with certificates
  • auth with unix pipe
  • auth with PAM

The current logic for queries should also be improved, maybe in the same way we use to set all the ssh parameters for mac/key/ciphers.

Alternatives

Leave as is; our current implementation is arguably secure but excludes some equally secure setups.

Additional information

For more information also consider #641 and related discussion (linked tickets).

All changes must also be reflected in our mysql-baseline.
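
The explicit, per-mechanism allowlist proposed in this issue could look like the sketch below. It is an added example, not code from the issue or from the project. It assumes rows shaped like the `mysql.user` columns `user`, `host`, `plugin`, `authentication_string` and `ssl_type` (MySQL 5.7+ layout), and the policy, the function names and the sample rows are constructed for illustration.

```python
# Added illustration. Plugin names are the MySQL/MariaDB built-in ones; the
# policy (which mechanisms count as secured) is an assumption based on the
# four types listed in the issue.
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password", "sha256_password"}
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}   # MySQL / MariaDB names
PAM_PLUGINS = {"authentication_pam", "pam"}       # MySQL Enterprise / MariaDB names
CERT_SSL_TYPES = {"X509", "SPECIFIED"}            # REQUIRE X509 / SUBJECT / ISSUER


def classify(row):
    """Return why an account counts as secured, or None if no rule matches."""
    plugin = (row.get("plugin") or "").lower()
    ssl_type = (row.get("ssl_type") or "").upper()
    has_hash = bool(row.get("authentication_string"))
    if plugin in SOCKET_PLUGINS:
        return "unix socket"
    if plugin in PAM_PLUGINS:
        return "pam"
    if ssl_type in CERT_SSL_TYPES:
        return "certificate"
    # A password plugin only counts when a credential hash is actually stored.
    if plugin in PASSWORD_PLUGINS and has_hash:
        return "password"
    return None  # unknown plugin or empty password: candidate for removal


def unsecured_accounts(rows):
    """List (user, host) pairs that match none of the allowed mechanisms."""
    return [(r["user"], r["host"]) for r in rows if classify(r) is None]


# Constructed sample rows; "<hash>" stands in for a stored credential hash.
SAMPLE_ROWS = [
    {"user": "root", "host": "localhost", "plugin": "auth_socket",
     "authentication_string": "", "ssl_type": ""},
    {"user": "app", "host": "%", "plugin": "caching_sha2_password",
     "authentication_string": "<hash>", "ssl_type": ""},
    {"user": "legacy", "host": "%", "plugin": "mysql_native_password",
     "authentication_string": "", "ssl_type": ""},
    {"user": "svc", "host": "10.0.0.%", "plugin": "mysql_native_password",
     "authentication_string": "", "ssl_type": "X509"},
    {"user": "ops", "host": "localhost", "plugin": "authentication_pam",
     "authentication_string": "", "ssl_type": ""},
    {"user": "odd", "host": "%", "plugin": "some_unknown_plugin",
     "authentication_string": "x", "ssl_type": ""},
]

if __name__ == "__main__":
    print(unsecured_accounts(SAMPLE_ROWS))
```

Returning the matching rule for every kept account, rather than a bare yes/no, gives the documentation of the logic that the issue asks for.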
