The optional IDENTIFIED VIA authentication_plugin allows you to specify that the account should be authenticated by a specific authentication plugin. The plugin name must be an active authentication plugin as per SHOW PLUGINS. If it doesn't show up in that output, then you will need to install it with INSTALL PLUGIN or INSTALL SONAME.

For example, this could be used with the PAM authentication plugin:

    ALTER USER foo2@test IDENTIFIED VIA pam;

Some authentication plugins allow additional arguments to be specified after a USING or AS keyword. For example, the PAM authentication plugin accepts a service name:

    ALTER USER foo2@test IDENTIFIED VIA pam USING 'mariadb';

The exact meaning of the additional argument would depend on the specific authentication plugin.

In MariaDB 10.4 and later, the USING or AS keyword can also be used to provide a plain-text password to a plugin if it's provided as an argument to the PASSWORD() function. This is only valid for authentication plugins that have implemented a hook for the PASSWORD() function. For example, the ed25519 authentication plugin supports this:

    ALTER USER safe@'%' IDENTIFIED VIA ed25519 USING PASSWORD('secret');

TLS Options

By default, MariaDB transmits data between the server and clients without encrypting it. This is generally acceptable when the server and client run on the same host or in networks where security is guaranteed through other means. However, in cases where the server and client exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.

To mitigate this concern, MariaDB allows you to encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS, and that version of the protocol is now considered insecure. The documentation still uses the term SSL often, and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports its secure successors.

See Secure Connections Overview for more information about how to determine whether your MariaDB server has TLS support.

You can set certain TLS-related restrictions for specific user accounts. For instance, you might use this with user accounts that require access to sensitive data while sending it across networks that you do not control. These restrictions can be enabled for a user account with the CREATE USER, ALTER USER, or GRANT statements.

TLS is not required for this account, but can still be used.

The account must use TLS, but no valid X509 certificate is required.
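The plugin and TLS settings described on this page, combined into one hardening and audit pass. This is an added example, not taken from the MariaDB documentation: the account names and password are constructed, the two TLS restrictions described above are written with MariaDB's REQUIRE SSL and REQUIRE NONE clauses, and the statements assume MariaDB 10.4 or later with the ed25519 plugin available.

```sql
-- Added example. 'report' and 'batch' are constructed account names.

-- 1. Confirm the plugin is active before naming it in IDENTIFIED VIA.
SHOW PLUGINS;
-- If ed25519 is not listed as ACTIVE, install it once:
-- INSTALL SONAME 'auth_ed25519';

-- 2. Account that crosses networks you do not control:
--    ed25519 authentication, and the connection must use TLS.
CREATE USER 'report'@'%'
  IDENTIFIED VIA ed25519 USING PASSWORD('constructed-placeholder')
  REQUIRE SSL;

-- 3. Account that only connects over the local socket:
--    TLS stays optional.
CREATE USER 'batch'@'localhost'
  IDENTIFIED VIA ed25519 USING PASSWORD('constructed-placeholder')
  REQUIRE NONE;

-- 4. Tighten an existing account without touching its credentials.
ALTER USER 'batch'@'localhost' REQUIRE SSL;

-- 5. Review what the server actually stored for an account.
SHOW CREATE USER 'report'@'%';

-- 6. Audit: accounts that can connect from another host but carry
--    no TLS requirement. In mysql.user, ssl_type = '' corresponds to
--    REQUIRE NONE and ssl_type = 'ANY' to REQUIRE SSL.
SELECT User, Host, plugin, ssl_type
FROM mysql.user
WHERE ssl_type = ''
  AND Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY User, Host;

-- 7. From a client session, confirm the connection is encrypted.
--    An empty Value means the session is not using TLS.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Rows returned by the audit query in step 6 are the accounts to review first, since their credentials and data can cross the network unencrypted.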