Channel: MySQL Forums - Security

Circumventing Passwordless Authentication functionality (1 reply)

I know this is a ridiculous suggestion, but I see a minor hole in the usage of the Passwordless Authentication protection method for MySQL 5.6+.

Only because my customer is who they are, they may suggest that the passwordless authentication is not bullet proof, if bash (or shell) history is enabled.

If an insider threat becomes the root user on Linux (I know, you have a BIG-ASS problem, but hear me out), then does a find for a file named .mylogin.cnf under /home, then that person can now simply become that user using "su - username", search the user's bash history to find out what the "NAME" of the login-path is, and BAM, he's in as the MySQL root user.

Question: Can a future version of the passwordless authentication tool have an additional argument added to force the usage to also include a password or passphrase when gaining access to the .mylogin.cnf file?

This would be much like a fully encrypted gpg file where you must type the password in an interactive interface where the user's shell history would not capture that information.

Thanks, I know it seems like overkill. For now we'll use gpg to protect any clear-text files that may contain connector information.
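An added example, not part of the post or of MySQL's own tooling, that puts the two halves of this thread into one script: an audit of a shell history file for the login-path names the poster describes leaking, and the gpg-based alternative they plan to adopt. The history lines and path names are constructed; `mysql_via_gpg` assumes gpg and the mysql client are installed.

```shell
#!/bin/sh
# Added example (not from the forum post): find login-path names that
# mysql_config_editor / --login-path usage leaves in shell history, and
# run the client from a gpg-encrypted options file instead.

# Print the distinct login-path names referenced in a history file.
# Only lines mentioning "mysql" are considered, because "-G" is also
# an option of unrelated tools (id, ls) and would otherwise match.
login_paths_in_history() {
  grep -E 'mysql' "$1" 2>/dev/null \
    | grep -oE '(--login-path=|-G[[:space:]]+)[A-Za-z0-9_.-]+' \
    | sed -E 's/^(--login-path=|-G[[:space:]]+)//' \
    | sort -u
}

# Mitigation the post proposes: keep the [client] section in a gpg file
# and hand the decrypted text to mysql through a private FIFO, so the
# plaintext never lands on disk and gpg prompts for the passphrase
# interactively rather than taking it from the command line.
# Not exercised below; needs gpg and mysql on PATH.
mysql_via_gpg() {
  enc="$1"; shift
  fifo=$(mktemp -u)
  mkfifo -m 600 "$fifo" || return 1
  ( gpg --quiet --decrypt "$enc" > "$fifo" ) &
  mysql --defaults-extra-file="$fifo" "$@"
  rc=$?
  rm -f "$fifo"
  return $rc
}

# Constructed history sample for the audit.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la /home
mysql_config_editor set --login-path=prod_admin --host=db1 --user=root --password
mysql --login-path=prod_admin -e 'SELECT 1'
mysqldump -G backup_ro --all-databases > /tmp/dump.sql
id -G
cd /var/log
EOF

# Prints "backup_ro" and "prod_admin": two login paths worth rotating.
login_paths_in_history "$SAMPLE_HISTORY"
```

The audit only shows which login-path names are exposed; the credentials behind them still live in `.mylogin.cnf`, which is obfuscated rather than encrypted, so rotating them is the fix once exposure is found.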
