24.7. Security-Related Configuration
This section discusses some of the server startup options that affect security in various ways. Sections elsewhere in this guide discuss other security topics. Two procedures that you should perform are to set passwords for the initial MySQL accounts that are stored in the grant tables of the mysql database, and to make sure that filesystem permissions for the components of your installation do not allow access to anyone but the MySQL administrative login account. These procedures are detailed in Chapter 35, "Securing the MySQL Installation."

If all clients are local clients, you can disable connections from remote clients by starting the server with the --skip-networking option to disable TCP/IP connections (the only type of connection that can be made by remote clients). In this case, the server must be able to accept local connections using some other networking protocol. This is not an issue on Unix, because servers always accept connections through a Unix socket file. On Windows, local clients can use shared-memory and (for -nt servers) named-pipe connections, but neither of those protocols is enabled by default. Start the server with the --shared-memory and --enable-named-pipe options to turn on these connection protocols.

Servers for MySQL 4.1 and up use an authentication mechanism that is more secure and provides better passwords than in older versions. However, client programs from older versions do not understand this mechanism and an error occurs when they attempt to connect to a newer server:

ERROR 1251: Client does not support authentication protocol requested by server; consider upgrading MySQL client

The best thing to do, if possible, is to upgrade all older (pre-4.1) clients so that they can use the newer authentication mechanism. If that cannot be done and your MySQL server must support older clients, you must configure it for backward compatibility with the older authentication mechanism. The simplest way to do this is to run the server with the --old-passwords option. However, you should start the server with this option before setting or changing any passwords. Otherwise, you will have passwords in a mix of old and new formats. (It is possible to have the server support both formats, but this is more complex to configure. For details, see the MySQL Reference Manual.)

If you want to take the opposite approach and allow connections only by clients that have new-format passwords, start the server with the --secure-auth option. This causes the server to reject connection attempts for any client that has a password in the old format.
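As an added check (not from the study guide), the query below lists which accounts in the grant tables still carry a pre-4.1 password hash, so you can see who would be locked out before starting the server with --secure-auth, and shows how to move one such account to the new format. It assumes the MySQL 5.0 layout of mysql.user with a Password column; the account name and password are placeholders.

```sql
-- Classify every account by the format of its stored password hash.
-- Pre-4.1 hashes are 16 hex characters; 4.1+ hashes are 41 characters
-- and begin with '*'. Accounts reported as old format are the ones a
-- server started with --secure-auth will refuse to authenticate.
SELECT User, Host,
       CASE
         WHEN Password = ''                                    THEN 'no password set'
         WHEN LENGTH(Password) = 16                            THEN 'old (pre-4.1) format'
         WHEN LENGTH(Password) = 41 AND Password LIKE '*%'     THEN 'new (4.1+) format'
         ELSE 'unrecognized'
       END AS password_format
FROM mysql.user
ORDER BY password_format, User, Host;

-- Count how many accounts would be affected by --secure-auth.
SELECT COUNT(*) AS old_format_accounts
FROM mysql.user
WHERE LENGTH(Password) = 16;

-- Re-set one old-format account so it is stored in the new format.
-- Run this while the server is NOT using --old-passwords, otherwise
-- PASSWORD() produces the old 16-character hash again.
-- 'app_user'@'localhost' and the password are placeholders (assumption).
SET PASSWORD FOR 'app_user'@'localhost' = PASSWORD('replace-with-real-password');

-- Verify the account now shows as new format.
SELECT User, Host, LENGTH(Password) AS hash_length
FROM mysql.user
WHERE User = 'app_user' AND Host = 'localhost';
```

Re-run the first query after updating each account; once it reports no old-format rows, enabling --secure-auth will not lock anyone out.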


MySQL 5.0 Certification Study Guide
ISBN: 0672328127
Year: 2006
Pages: 312