If an account has REQUIRE SUBJECT, does it still need a password?
Problem
I'm in the process of setting up SSL-secured replication between two servers. Each server has its own public/private keypair, and the CA cert is just the concatenation of the two public certs, like this answer.
Now I'm updating the replication account with REQUIRE SUBJECT "exact subject of the client"
Is there any practical value to also having a password on the replication account (IDENTIFIED BY "secret")?
Solution
When a user account has REQUIRE SUBJECT, it simply places the restriction on connection attempts that the client must present a valid X509 certificate containing that subject. If the client presents a certificate that is valid but has a different subject, the server rejects the connection.

Note that, in the MySQL Documentation, a sample user was created with both:

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret'
REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/
O=MySQL demo client certificate/
CN=Tonu Samuel/emailAddress=tonu@example.com';

PCI and HIPAA would shriek "INSECURE" if a root user had no password, SSL or no SSL. This would be the case even more so with a Replication User.

Therefore, what is the practical value? Having a password would provide another level of security.
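The following is an added example, not part of the answer above or of the MySQL documentation, that applies the same "password plus REQUIRE SUBJECT" combination to the replication account the question describes, using the MySQL 8.0 syntax (CREATE USER carries the REQUIRE clause; GRANT ... IDENTIFIED BY no longer exists). The account name, host range, password, file paths and the subject string are assumed placeholders; the subject must be the exact string from the replica's client certificate.

```sql
-- On the source server: one replication account that must present BOTH
-- the password and a client certificate whose subject matches exactly.
-- (assumed placeholder values throughout this added example)
CREATE USER 'repl'@'10.0.0.%'
  IDENTIFIED BY 'a-long-random-secret'
  REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/O=MySQL demo client certificate/CN=replica-1/emailAddress=dba@example.com';

-- Least privilege: replication needs only REPLICATION SLAVE, not ALL PRIVILEGES.
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%';

-- Check what the server stored; ssl_type is X509 and x509_subject must
-- byte-for-byte equal the certificate subject (MySQL does a plain string compare).
SELECT User, Host, ssl_type, x509_subject
  FROM mysql.user
 WHERE User = 'repl';

-- On the replica (MySQL 8.0.23+ syntax): present the password, the client
-- certificate and key, and verify the source's certificate against the CA file.
CHANGE REPLICATION SOURCE TO
  SOURCE_HOST = '10.0.0.1',
  SOURCE_USER = 'repl',
  SOURCE_PASSWORD = 'a-long-random-secret',
  SOURCE_SSL = 1,
  SOURCE_SSL_CA = '/etc/mysql/ssl/ca.pem',
  SOURCE_SSL_CERT = '/etc/mysql/ssl/replica-1-cert.pem',
  SOURCE_SSL_KEY = '/etc/mysql/ssl/replica-1-key.pem',
  SOURCE_SSL_VERIFY_SERVER_CERT = 1;

START REPLICA;

-- Confirm the I/O thread connected over TLS with the certificate configured.
SHOW REPLICA STATUS\G
```

The subject string is the one point people get wrong: take it from the certificate itself with `openssl x509 -noout -subject -nameopt compat -in replica-1-cert.pem`, which prints the slash-separated form MySQL compares against, and paste it on one line without the line breaks the documentation example uses for readability. With both requirements in place, an attacker needs the replica's private key and the password; losing either one alone is not enough to open a replication session.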
Context
StackExchange Database Administrators Q#40181, answer score: 2