Paer Toernell
asked on
No shell Ubuntu to mysql SSH
Need to bild a SSH Ubuntu account to one and one only Mysql account and no shell access. My idea is to autologin by some script and if that fails then abort. No password from the client. No access to any other ports than 3306. Possible?
Clarification:
I want every user to only have access by the users unique key.
Clarification:
I want every user to only have access by the users unique key.
You said, "Need to bild a SSH Ubuntu account to one and one only Mysql account and no shell access."
This doesn't really make sense.
A better way is just to create a GRANT for some user/pass to access your MySQL instance... because... if you have no shell, then there's no point in setting up an account.
Said another way, no point in setting up a user account with no shell access. This is better done as a GRANT.
This doesn't really make sense.
A better way is just to create a GRANT for some user/pass to access your MySQL instance... because... if you have no shell, then there's no point in setting up an account.
Said another way, no point in setting up a user account with no shell access. This is better done as a GRANT.
ASKER
David, my point is to only allow access by a private key. I don't think i can do that with SSL.
The only way to allow access by a private key is via ssh, which will require a login shell... like bash, zsh, something...
SSL != SSH - 2x different protocols.
SSL != SSH - 2x different protocols.
@Paer
What David means is that SSH is already encrypted. SSL isn't required
Here's a quick tutorial on setting up ssh with no password - https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
Ken
SSL != SSH - 2x different protocols.
What David means is that SSH is already encrypted. SSL isn't required
Here's a quick tutorial on setting up ssh with no password - https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/
Ken
You're going about it wrong. MySQL now supports TLS connections for security. Check their instructions.
https://dev.mysql.com/doc/refman/5.5/en/encrypted-connections.html
https://dev.mysql.com/doc/refman/5.5/en/encrypted-connections.html
ASKER
serialband,
Yeas and no (if i not missed something). The connection will be encrypted if you turn on require_secure_transport=O N in mysql. But the users can connect without a privatekey and there will be only 1 privatekey. I want one mandatory unique key per user.
Set it up with myql workbench. You will get connected without any key or cert from the client.
Yeas and no (if i not missed something). The connection will be encrypted if you turn on require_secure_transport=O
Set it up with myql workbench. You will get connected without any key or cert from the client.
As kenfcamp said, What David means is that SSH is already encrypted. SSL isn't required
Also SSH != SSL, so ssh is used to start shells whereas SSL/TLS certs are used to encrypt conversations like HTTPS, IMAP4S, POP3S, etc...
2x very different tools for 2x very different tasks.
If you're only allowing access to database instances, you'll use a GRANT for this.
As serialband said, if you allow remote access to your database instance, then you'll create a GRANT + also wrap your connection with a TLS cert.
Note: Setting require_secure_transport=O N is only one step of many steps for securing a database connection.
https://www.digitalocean.co m/communit y/tutorial s/how-to-c onfigure-s sl-tls-for -mysql-on- ubuntu-16- 04 provides a good walk through of this process.
Also SSH != SSL, so ssh is used to start shells whereas SSL/TLS certs are used to encrypt conversations like HTTPS, IMAP4S, POP3S, etc...
2x very different tools for 2x very different tasks.
If you're only allowing access to database instances, you'll use a GRANT for this.
As serialband said, if you allow remote access to your database instance, then you'll create a GRANT + also wrap your connection with a TLS cert.
Note: Setting require_secure_transport=O
https://www.digitalocean.co
One problem might just be terminology, as various cert generation tools use various terms which may include the word privkey... which is different than an SSH private key.
The authorized keys file allows to setup a single allowed command
Mysql can be instructed to authenticate the user vased on the system account that accessed the mysql socket using the unix socket authentication plugin. That will allow thf user to connect without typing an extra password
Mysql can be instructed to authenticate the user vased on the system account that accessed the mysql socket using the unix socket authentication plugin. That will allow thf user to connect without typing an extra password
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
But does some other process also listen to port 3306?