mTLS Authentication in MySQL

Hi team,
We have a service account which we want to use with certs, i.e. as an mTLS user, and instead of a password we want to connect to the DB with that user using certificates. We have the password plugin enabled on the system, due to which we are not able to create the user as passwordless.

Can you help me if there is a way in MySQL we can create a user without a password to use certs along with the password plugin enabled, i.e. it doesn't hamper other password-based user activity?

Version is MySQL 5.7.36.

Regards,
Shruti

In MySQL 5.7, the default authentication plugin is ‘mysql_native_password’, which will accept an empty password. You must first UNINSTALL the password validation plugin in order to set no password. The following is MySQL 8.0, which is the current GA. (Note: In 5.7 the validation is a plugin.)

mysql> UNINSTALL COMPONENT 'file://component_validate_password';

mysql> CREATE USER 'bob'@'127.0.0.1' REQUIRE SSL;   -- no password, SSL required

$ mysql -h 127.0.0.1 -ubob -p -e '\s' | grep "SSL"
Enter password: (empty)
SSL:			Cipher in use is TLS_AES_256_GCM_SHA384

Simply re-install the validation plugin after you create this user. Re-installing the plugin will NOT enforce passwords on this account.

1 Like
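
For the MySQL 5.7.36 server in the question, where validation is a plugin rather than a component, the same steps look as follows. This is an added example, not part of the original posts; the account name, host pattern, certificate names and file names are constructed placeholders. It uses REQUIRE SUBJECT ... AND ISSUER so that the server demands a matching client certificate, because REQUIRE SSL on its own only requires an encrypted connection.

```sql
-- Added example for MySQL 5.7: validate_password is a plugin here.
-- 'svc_app', the host pattern and both certificate names are placeholders.

-- 1. Record the active policy. Values set at runtime are lost on
--    uninstall; values from the option file are read again on install.
SHOW VARIABLES LIKE 'validate_password%';

-- 2. Remove the plugin only for the duration of the CREATE USER.
UNINSTALL PLUGIN validate_password;

-- 3. No IDENTIFIED BY clause, so the account has an empty password.
--    SUBJECT and ISSUER must match the client certificate exactly,
--    including the order of the fields.
CREATE USER 'svc_app'@'10.0.0.%'
  REQUIRE SUBJECT '/O=Example Corp/CN=svc_app'
      AND ISSUER  '/O=Example Corp/CN=Example Internal CA';

-- 4. Put the plugin back (the file is validate_password.dll on Windows).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- 5. Check the result: ssl_type should read SPECIFIED, and the policy
--    variables should match what step 1 returned.
SELECT user, host, plugin, ssl_type,
       CONVERT(x509_subject USING utf8) AS subject,
       CONVERT(x509_issuer  USING utf8) AS issuer
  FROM mysql.user
 WHERE user = 'svc_app';
SHOW VARIABLES LIKE 'validate_password%';

-- 6. Client side, with no -p so that no password prompt appears
--    (host name and file names are placeholders):
--      mysql -h db.example.internal -u svc_app --ssl-mode=VERIFY_CA \
--            --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
--    Then confirm the account and the TLS session from inside it:
SELECT CURRENT_USER();
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

A connection attempt for this account without the client certificate and key should be refused with an access-denied error, which is a quick way to confirm the certificate requirement is actually enforced.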

We have this running in Prod and it's not a clean solution to uninstall the plugin, as it would impact the running Application team with issues fetching passwords. Can we have any other resolution to it?

Regards,
shruti diixd

1 Like

That is not correct. Uninstalling the verification password does not prevent any accounts from being maintained, updated, nor does it prevent any accounts from logging in. The verification plugin ONLY checks that passwords meet certain criteria when they are CREATED. The plugin has NOTHING to do with ongoing activities.

1 Like

@matthewb Is there a way to avoid the password prompt when using mTLS?

1 Like

Yes, simply don’t pass the -p flag and mysql won’t prompt you to enter a password.

1 Like

In my case, MySQL is forcing me to use a password even when the user is created without a password. Does it have anything to do with the authentication_plugin… (MySQL_native_password)?

1 Like

MySQL never forces you to use/provide a password. You have a misconfiguration in your app/connector if this is the case. As I showed above, if you don’t tell MySQL to request a password, then MySQL won’t ask you for one.

1 Like