If an account has REQUIRE SUBJECT, does it still need a password?

Problem

I'm in the process of setting up SSL-secured replication between two servers. Each server has its own public/private keypair, and the CA cert is just the concatenation of the two public certs, like this answer.

Now I'm updating the replication account with REQUIRE SUBJECT "exact subject of the client".

Is there any practical value to also having a password on the replication account (IDENTIFIED BY "secret")?

Solution

When a user account has REQUIRE SUBJECT, it simply places the restriction on connection attempts that the client must present a valid X509 certificate containing that subject. If the client presents a certificate that is valid but has a different subject, the server rejects the connection.

Note that, in the MySQL Documentation, a sample user was created with both:

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
  IDENTIFIED BY 'goodsecret'
  REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/
    O=MySQL demo client certificate/
    CN=Tonu Samuel/emailAddress=tonu@example.com';


PCI and HIPAA would shriek "INSECURE" if a root user had no password, SSL or no SSL. This would be the case even more so with a Replication User.

Therefore, what is the practical value? Having a password would provide another level of security.
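As an added example, not taken from the question, the answer, or the MySQL documentation, this is how the replication account discussed above can be defined so that a connection must satisfy both checks: a password and a client certificate whose subject matches exactly. It assumes MySQL 8.0, where credentials and TLS requirements are set on CREATE USER rather than GRANT (the GRANT ... IDENTIFIED BY form quoted in the answer is the older 5.x syntax), and the user name, host pattern, password, subject string, and certificate file paths are placeholders.

```sql
-- Added example, not from the original page. MySQL 8.0 syntax.
-- Placeholders: account name, host pattern, password, subject, file paths.

-- 1. Source side: the account requires BOTH a password and a client
--    certificate whose subject is exactly this string. A valid certificate
--    with any other subject is rejected, and so is a wrong password.
CREATE USER 'repl'@'10.0.0.%'
  IDENTIFIED BY 'replace-with-a-long-random-secret'
  REQUIRE SUBJECT '/C=XX/ST=Example/L=Example/O=Example Org/CN=replica-1.example.internal';

-- 2. Least privilege: a replication account needs only REPLICATION SLAVE,
--    not ALL PRIVILEGES as in the documentation sample quoted above.
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%';

-- 3. Verify what the server will enforce for this account.
SHOW CREATE USER 'repl'@'10.0.0.%';

-- The same facts from the grant tables: ssl_type is 'SPECIFIED' when any
-- REQUIRE SUBJECT/ISSUER/CIPHER clause is set, and x509_subject holds the
-- exact subject string the client certificate must carry.
SELECT user, host, ssl_type, x509_subject
  FROM mysql.user
 WHERE user = 'repl';

-- 4. Replica side (MySQL 8.0.23+ syntax): the replica presents the client
--    certificate matching that subject AND supplies the password.
--    SOURCE_SSL_VERIFY_SERVER_CERT makes the replica verify the source's
--    certificate against the CA bundle as well, so trust runs both ways.
CHANGE REPLICATION SOURCE TO
  SOURCE_HOST = 'source.example.internal',
  SOURCE_USER = 'repl',
  SOURCE_PASSWORD = 'replace-with-a-long-random-secret',
  SOURCE_SSL = 1,
  SOURCE_SSL_CA = '/etc/mysql/ssl/ca.pem',
  SOURCE_SSL_CERT = '/etc/mysql/ssl/replica-1-cert.pem',
  SOURCE_SSL_KEY = '/etc/mysql/ssl/replica-1-key.pem',
  SOURCE_SSL_VERIFY_SERVER_CERT = 1;
```

The two checks are independent: the TLS handshake validates the client certificate chain and REQUIRE SUBJECT compares its subject, then the normal authentication plugin checks the password. Dropping the password leaves anyone holding the replica's private key and certificate with a working account, so keeping both means a single leaked secret is not enough on its own.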

Context

StackExchange Database Administrators Q#40181, answer score: 2