MySQL supports a plugin authentication.
From mysql-5.6.2 ( http://dev.mysql.com/doc/refman/5.6/en/socket-authentication-plugin.html ) and MariaDB-5.2+ (https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/) mysqld can authenticate users via the username that connects to the unix socket. As php-cgi is used to run web applications authenticating via a socket.
Earlier versions of MySQL offered socket authentication as part of an Enterprise offering.
The advantage of socket authentication is a malicious user cannot brute force authentication against another DB user.
Both mariadb and mysql can grant/create users with plugin auth using IDENTIFIED WITH {plugin_name} [AS 'plugin_option'] as part of the grant/create user syntax instead of IDENTIFIED BY {password}.
The available plugins can be obtained by using 'show plugins' and filtering by Type=AUTHENTICATION (in the application). This is syntax is available on 5.1 to obtain the possible values of the plugin name. The optional 'AS plugin_option' should be available to all plugins and the option depends on the plugin. Having this global would be an advantage.
If the account plan can configure the default and available mysql authentication option (password, {list of plugins}) and this is can be over-ridden for specific mysql users that would be great. Overriding/adding a plugin option by non-admin users should be configurable as somethings like pam service for a pam authentication plugin have serious implications.
This is mechanism is compatible with existing application username/password mechanism as effectively the password is ignored when connecting as a user with a configured socket authentication plugin.
Comments
Submitted by JamieCameron on Fri, 03/20/2015 - 17:12 Comment #1
That actually could be quite useful in a shared hosting environment ... Is this feature a standard part of MySQL, or something that has to be installed separately?
Submitted by danblack on Fri, 03/20/2015 - 18:31 Comment #2
auth_socket.so is part of Wheezy https://packages.debian.org/wheezy/amd64/mysql-server-5.5/filelist It also came in at 5.5.10 - http://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html.
It requires INSTALL PLUGIN unix_socket SONAME 'auth_socket'; to install which doesn't have any effect until you do a GRANT ... IDENTIFIED WITH unix_socket.
I'm also working with the Debian maintainers to include this activated by default in MariaDB-10 for when the next Debian stable rolls around.
Also in Fedora-19+ http://koji.fedoraproject.org/koji/rpminfo?rpmID=3790317
As RHEL/Centos7 when to MariaDB 5.5 socket auth is also there also.
Keeping to the above syntax "INSTALL PLUGIN .." and "GRANT/CREATE USER ... IDENTIFIED WITH plugin" will maintain compatibility between MySQL and MariaDB.
If you wanted to list the plugins you could take the plugin_dir mysql variable and list them from there for installation. The name should indicate what they are however these no automated way to determine which are authentication plugins or not. MariaDB does a pam plugin (https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/) and MySQL does a few other too http://dev.mysql.com/doc/refman/5.5/en/authentication-plugins-available..... I haven't looked into how useful these are or how client side support works.
Submitted by JamieCameron on Sat, 03/21/2015 - 00:59 Comment #3
We'll look into this - I can't guarantee that we will support it, but I can see the attraction as it solves the issue of PHP scripts needing to keep the MySQL password in a config file.
On the other hand, this will completely break MySQL access from PHP scripts running under mod_php, as they don't run with domain owner permissions.