This program enables you to improve the security of your MySQL installation in the following ways:
You can set a password for root accounts.
You can remove root accounts that are accessible from outside the local host.
You can remove anonymous-user accounts.
You can remove the test database (which by default can be accessed by all users, even anonymous users), and privileges that permit anyone to access databases with names that start with test_.
mysql_secure_installation helps you implement security recommendations similar to those described at Section 2.10.4, “Securing the Initial MySQL Account”.
Normal usage is to connect to the local MySQL server; invoke mysql_secure_installation without arguments:
mysql_secure_installation
When executed, mysql_secure_installation prompts you to determine which actions to perform.
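The queries below are an added example, not part of the MySQL manual: they check whether each condition the program addresses still holds on a server, and whether password strength checking is in place. They assume MySQL 8.0 system tables and an account with SELECT privilege on the mysql system schema; an empty result for queries 2 to 4b is the hardened state.

```sql
-- Added example (constructed); assumes MySQL 8.0 system tables.

-- 1. root accounts and how they authenticate. An empty authentication
--    string means no password is set, unless the plugin authenticates
--    by other means (for example auth_socket).
SELECT user, host, plugin,
       COALESCE(authentication_string, '') = '' AS empty_auth_string,
       account_locked
FROM mysql.user
WHERE user = 'root';

-- 2. root accounts that are accessible from outside the local host.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Anonymous-user accounts (empty user name).
SELECT user, host
FROM mysql.user
WHERE user = '';

-- 4a. The test database itself.
SELECT schema_name
FROM information_schema.schemata
WHERE schema_name = 'test';

-- 4b. Database-level privileges on test or on names that start with
--     test (deliberately broad, so it also lists the test_ pattern rows).
SELECT user, host, db
FROM mysql.db
WHERE db LIKE 'test%';

-- 5. Whether the validate_password component is installed, and the
--    policy it enforces if it is.
SELECT component_urn
FROM mysql.component
WHERE component_urn LIKE '%validate_password%';

SHOW VARIABLES LIKE 'validate_password%';
```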
The validate_password component can be used for password strength checking. If the plugin is not installed, mysql_secure_installation prompts the user whether to install it. Any passwords entered later are checked using the plugin if it is enabled.
Most of the usual MySQL client options such as --host and --port can be used on the command line and in option files. For example, to connect to the local server over IPv6 using port 3307, use this command:
mysql_secure_installation --host=::1 --port=3307
mysql_secure_installation supports the following options, which can be specified on the command line or in the [mysql_secure_installation] and [client] groups of an option file. For information about option files used by MySQL programs, see Section 4.2.2.2, “Using Option Files”.
Table 4.8 mysql_secure_installation Options
Option Name | Introduced
---|---
--defaults-extra-file |
--defaults-file |
--defaults-group-suffix |
--help |
--host |
--no-defaults |
--password |
--port |
--print-defaults |
--protocol |
--socket |
--ssl-ca |
--ssl-capath |
--ssl-cert |
--ssl-cipher |
--ssl-crl |
--ssl-crlpath |
--ssl-fips-mode |
--ssl-key |
--tls-ciphersuites | 8.0.16
--tls-version |
--use-default |
--user |
--help, -?
Display a help message and exit.
--defaults-extra-file=file_name
Read this option file after the global option file but (on Unix) before the user option file. If the file does not exist or is otherwise inaccessible, an error occurs. If file_name is not an absolute path name, it is interpreted relative to the current directory.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--defaults-file=file_name
Use only the given option file. If the file does not exist or is otherwise inaccessible, an error occurs. If file_name is not an absolute path name, it is interpreted relative to the current directory.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--defaults-group-suffix=str
Read not only the usual option groups, but also groups with the usual names and a suffix of str. For example, mysql_secure_installation normally reads the [client] and [mysql_secure_installation] groups. If this option is given as --defaults-group-suffix=_other, mysql_secure_installation also reads the [client_other] and [mysql_secure_installation_other] groups.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--host=host_name, -h host_name
Connect to the MySQL server on the given host.
--no-defaults
Do not read any option files. If program startup fails due to reading unknown options from an option file, --no-defaults can be used to prevent them from being read.
The exception is that the .mylogin.cnf file is read in all cases, if it exists. This permits passwords to be specified in a safer way than on the command line even when --no-defaults is used. To create .mylogin.cnf, use the mysql_config_editor utility. See Section 4.6.7, “mysql_config_editor — MySQL Configuration Utility”.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--password=password, -p password
This option is accepted but ignored. Whether or not this option is used, mysql_secure_installation always prompts the user for a password.
--port=port_num, -P port_num
For TCP/IP connections, the port number to use.
--print-defaults
Print the program name and all options that it gets from option files.
For additional information about this and other option-file options, see Section 4.2.2.3, “Command-Line Options that Affect Option-File Handling”.
--protocol={TCP|SOCKET|PIPE|MEMORY}
The transport protocol to use for connecting to the server. It is useful when the other connection parameters normally result in use of a protocol other than the one you want. For details on the permissible values, see Section 4.2.7, “Connection Transport Protocols”.
--socket=path, -S path
For connections to localhost, the Unix socket file to use, or, on Windows, the name of the named pipe to use.
On Windows, this option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.
Options that begin with --ssl specify whether to connect to the server using encryption and indicate where to find SSL keys and certificates. See Command Options for Encrypted Connections.
--ssl-fips-mode={OFF|ON|STRICT}
Controls whether to enable FIPS mode on the client side. The --ssl-fips-mode option differs from other --ssl-xxx options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations to permit. See Section 6.8, “FIPS Support”.
These --ssl-fips-mode values are permitted:
OFF: Disable FIPS mode.
ON: Enable FIPS mode.
STRICT: Enable “strict” FIPS mode.
If the OpenSSL FIPS Object Module is not available, the only permitted value for --ssl-fips-mode is OFF. In this case, setting --ssl-fips-mode to ON or STRICT causes the client to produce a warning at startup and to operate in non-FIPS mode.
--tls-ciphersuites=ciphersuite_list
The permissible ciphersuites for encrypted connections that use TLSv1.3. The value is a list of one or more colon-separated ciphersuite names. The ciphersuites that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
This option was added in MySQL 8.0.16.
--tls-version=protocol_list
The permissible TLS protocols for encrypted connections. The value is a list of one or more comma-separated protocol names. The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
--use-default
Execute noninteractively. This option can be used for unattended installation operations.
--user=user_name, -u user_name
The user name of the MySQL account to use for connecting to the server.