Security in MySQL

Abstract

This is the MySQL Security Guide extract from the MySQL 5.7 Reference Manual.

For legal information, see the Legal Notices.

For help with using MySQL, please visit the MySQL Forums, where you can discuss your issues with other MySQL users.

Document generated on: 2024-12-06 (revision: 80403)


Table of Contents

Preface and Legal Notices
1 Security
2 General Security Issues
2.1 Security Guidelines
2.2 Keeping Passwords Secure
2.2.1 End-User Guidelines for Password Security
2.2.2 Administrator Guidelines for Password Security
2.2.3 Passwords and Logging
2.2.4 Password Hashing in MySQL
2.3 Making MySQL Secure Against Attackers
2.4 Security-Related mysqld Options and Variables
2.5 How to Run MySQL as a Normal User
2.6 Security Considerations for LOAD DATA LOCAL
2.7 Client Programming Security Guidelines
3 Postinstallation Setup and Testing
3.1 Initializing the Data Directory
3.2 Starting the Server
3.2.1 Troubleshooting Problems Starting the MySQL Server
3.3 Testing the Server
3.4 Securing the Initial MySQL Account
3.5 Starting and Stopping MySQL Automatically
4 Access Control and Account Management
4.1 Account User Names and Passwords
4.2 Privileges Provided by MySQL
4.3 Grant Tables
4.4 Specifying Account Names
4.5 Access Control, Stage 1: Connection Verification
4.6 Access Control, Stage 2: Request Verification
4.7 Adding Accounts, Assigning Privileges, and Dropping Accounts
4.8 Reserved Accounts
4.9 When Privilege Changes Take Effect
4.10 Assigning Account Passwords
4.11 Password Management
4.12 Server Handling of Expired Passwords
4.13 Pluggable Authentication
4.14 Proxy Users
4.15 Account Locking
4.16 Setting Account Resource Limits
4.17 Troubleshooting Problems Connecting to MySQL
4.18 SQL-Based Account Activity Auditing
5 Using Encrypted Connections
5.1 Configuring MySQL to Use Encrypted Connections
5.2 Encrypted Connection TLS Protocols and Ciphers
5.3 Creating SSL and RSA Certificates and Keys
5.3.1 Creating SSL and RSA Certificates and Keys using MySQL
5.3.2 Creating SSL Certificates and Keys Using openssl
5.3.3 Creating RSA Keys Using openssl
5.4 SSL Library-Dependent Capabilities
5.5 Connecting to MySQL Remotely from Windows with SSH
6 Security Plugins
6.1 Authentication Plugins
6.1.1 Native Pluggable Authentication
6.1.2 Old Native Pluggable Authentication
6.1.3 Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin
6.1.4 Caching SHA-2 Pluggable Authentication
6.1.5 SHA-256 Pluggable Authentication
6.1.6 Client-Side Cleartext Pluggable Authentication
6.1.7 PAM Pluggable Authentication
6.1.8 Windows Pluggable Authentication
6.1.9 LDAP Pluggable Authentication
6.1.10 No-Login Pluggable Authentication
6.1.11 Socket Peer-Credential Pluggable Authentication
6.1.12 Test Pluggable Authentication
6.1.13 Pluggable Authentication System Variables
6.2 The Connection-Control Plugins
6.2.1 Connection-Control Plugin Installation
6.2.2 Connection-Control System and Status Variables
6.3 The Password Validation Plugin
6.3.1 Password Validation Plugin Installation
6.3.2 Password Validation Plugin Options and Variables
6.4 The MySQL Keyring
6.4.1 Keyring Plugin Installation
6.4.2 Using the keyring_file File-Based Keyring Plugin
6.4.3 Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin
6.4.4 Using the keyring_okv KMIP Plugin
6.4.5 Using the keyring_aws Amazon Web Services Keyring Plugin
6.4.6 Supported Keyring Key Types and Lengths
6.4.7 Migrating Keys Between Keyring Keystores
6.4.8 General-Purpose Keyring Key-Management Functions
6.4.9 Plugin-Specific Keyring Key-Management Functions
6.4.10 Keyring Metadata
6.4.11 Keyring Command Options
6.4.12 Keyring System Variables
6.5 MySQL Enterprise Audit
6.5.1 Elements of MySQL Enterprise Audit
6.5.2 Installing or Uninstalling MySQL Enterprise Audit
6.5.3 MySQL Enterprise Audit Security Considerations
6.5.4 Audit Log File Formats
6.5.5 Configuring Audit Logging Characteristics
6.5.6 Reading Audit Log Files
6.5.7 Audit Log Filtering
6.5.8 Writing Audit Log Filter Definitions
6.5.9 Disabling Audit Logging
6.5.10 Legacy Mode Audit Log Filtering
6.5.11 Audit Log Reference
6.5.12 Audit Log Restrictions
6.6 MySQL Enterprise Firewall
6.6.1 Elements of MySQL Enterprise Firewall
6.6.2 Installing or Uninstalling MySQL Enterprise Firewall
6.6.3 Using MySQL Enterprise Firewall
6.6.4 MySQL Enterprise Firewall Reference
A MySQL 5.7 FAQ: Security