MySQL Config Editor

Contents
1. Why we need mysql_config_editor
2. How to configure mysql_config_editor
3. How to connect MySQL using mysql_config_editor
4. How to modify/Remove mysql_config_editor
5. Pros and Cons of mysql_config_editor

The intention of the MySQL config editor (secure login) is to keep your valuable data more secure and to keep your login credentials from being visible to others.

Why we need mysql_config_editor :

There are some loopholes through which your data can be stolen using your credentials.
Example:
If you store your password in an option file such as “.my.cnf” to log in to MySQL, the password is stored as plain text, so anyone who has access to the file can easily read it.
[client]
user = user_name
password = your_password

On some systems, a password given on the command line becomes visible to system status programs (such as the process list) that other users may invoke to display command lines. To overcome these security issues you can use the mysql_config_editor utility (available from MySQL 5.6.6), which enables you to store authentication credentials in an encrypted login file named .mylogin.cnf.

The file location is the %APPDATA%\MySQL directory on Windows and the current user’s home directory on Red Hat / Fedora / Ubuntu / other Linux flavors. The file can be read later by MySQL client programs to obtain authentication credentials for connecting to MySQL Server.

The encryption used by mysql_config_editor prevents passwords from appearing in .mylogin.cnf as clear text and provides a measure of security by preventing accidental password exposure.

How to configure mysql_config_editor

Using the mysql_config_editor utility we can create any number of login paths for different instances on the server or for remote servers.

shell> mysql_config_editor [program_options] command [command_options]

program_options consists of general mysql_config_editor options, ‘command’ indicates what command to perform, and ‘command_options’ indicates any additional options needed by the command.
The command indicates what action to perform on the .mylogin.cnf login file.

For example:
set writes a login path to the file.
remove removes a login path.
print displays login path contents.
Any options given provide information to the command, such as the login path name and the values to use in the login path.
The position of the command name within the set of program arguments is significant.

For example, these command lines have the same arguments, but produce different results:
mysql_config_editor --help set                # Displays the general help; the set command is ignored
mysql_config_editor set --help                # Displays help for the set command only

Suppose that you want to establish two login paths named local and remote for connecting to the local MySQL server and a server on the host remote.mysql.com.

shell> mysql_config_editor set --login-path=local --host=localhost --user=localuser --port=3366 --password
Enter password: enter password “localpass” here

shell> mysql_config_editor set --login-path=remote --host=remote.mysql.com --user=remoteuser --port=3377 --password
Enter password: enter password “remotepass” here

To see what mysql_config_editor wrote to the .mylogin.cnf file, use the print command:
shell> ls -la
# you can see “.mylogin.cnf” under the user's home directory as a hidden file
-rw-------. 1 user group 392 Dec 1 16:08 .mylogin.cnf
shell> mysql_config_editor print --all
[local]
user = localuser
password = *****
host = localhost
port = 3366
[remote]
user = remoteuser
password = *****
host = remote.mysql.com
port = 3377

If you try to view the .mylogin.cnf file directly, its contents are encrypted, as below:
shell> cat .mylogin.cnf
5 � >S3%# � 62 ���� # � ^ � J\ � &#8y �� Q �� r ��� #3J: � ,?
#k2 �Ɇ @# �� #ab(D � #Y � M#JK# � q
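
The two exposures described on this page can be checked on a host: a plain-text password line in .my.cnf, and a .mylogin.cnf whose mode is looser than the -rw------- shown in the listing above. This is an added example, not part of the original post or of MySQL; the function names (plaintext_password_lines, login_file_private, audit_home) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one home directory for the two exposures on this page.
# Function names are constructed for illustration; they are not MySQL tools.

# Print "PLAINTEXT file:line" for each uncommented password line in an option file.
plaintext_password_lines() {
    [ -f "$1" ] || return 0
    awk -v f="$1" '
        /^[ \t]*[#;]/            { next }                      # skip comment lines
        /^[ \t]*password[ \t]*=/ { print "PLAINTEXT " f ":" NR }
    ' "$1"
}

# Succeed only if the login file exists and group/other have no permission bits,
# i.e. the mode looks like the -rw------- shown in the listing above.
login_file_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c5-10)    # the six group/other mode characters
    [ "$perms" = "------" ]
}

# Report both kinds of finding for the home directory given as $1.
audit_home() {
    plaintext_password_lines "$1/.my.cnf"
    if [ -f "$1/.mylogin.cnf" ] && ! login_file_private "$1/.mylogin.cnf"; then
        echo "LOOSE_PERMS $1/.mylogin.cnf"
    fi
}

# Demo on a constructed throwaway directory (sample values, not real credentials).
demo() {
    d=$(mktemp -d)
    printf '[client]\nuser = user_name\npassword = your_password\n' > "$d/.my.cnf"
    : > "$d/.mylogin.cnf"
    chmod 644 "$d/.mylogin.cnf"
    audit_home "$d"                      # reports both findings
    rm "$d/.my.cnf"
    chmod 600 "$d/.mylogin.cnf"
    audit_home "$d"                      # reports nothing
    rm -rf "$d"
}
demo
```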

How to connect MySQL using mysql_config_editor :

Once you have created a secure login using mysql_config_editor, you can connect to the appropriate MySQL instance using its login path, as below.
To connect to the local MySQL instance (3366):

shell> mysql --login-path=local

To connect to the remote MySQL instance (3377):

shell> mysql --login-path=remote

When you use the set command with mysql_config_editor to create a login path, you need not specify all the possible option values (host name, user name, port and password). Only those values given are written to the path. Any missing values required later can be specified when you invoke a client program to connect to the MySQL server.

For example, if you did not give the remote hostname option when you created the remote login path, you can explicitly provide the host option to connect to the remote MySQL server “remote2.mysql.net” as below:

shell> mysql --login-path=remote --host=remote2.mysql.net

How to modify/Remove mysql_config_editor :

You can modify or remove existing secure options or login paths as below.
If you want to remove the host option from the remote login path:

shell> mysql_config_editor remove --login-path=remote --host
shell> mysql_config_editor print --login-path=remote
[remote]
user = remoteuser
password = *****
port = 3377

If you want to remove a complete remote/local login path, you can remove it as below:

shell> mysql_config_editor remove --login-path=remote
shell> mysql_config_editor print --all
[local]
user = localuser
password = *****
host = localhost
port = 3366

Note: the --port and --socket options are supported as of MySQL 5.6.11

Pros and Cons of mysql_config_editor :

Pros:
1. An easy way to hide the credentials from attackers.
2. Prevents accidental password exposure.
3. Makes it easy to log in to a MySQL instance where there are multiple instances (local/remote).
Cons:
1. We cannot add an additional option to an existing login path; if you need to add one, you need to remove the full login path and create a new login path with the required options.
2. If the login path name already exists in .mylogin.cnf, the set command replaces it. To confirm this, mysql_config_editor prints a warning and prompts for confirmation.


 

Reference: https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html

 
