MySQL users should use the following guidelines to keep passwords secure.

When you run a client program to connect to the MySQL server, it is inadvisable to specify your password in a way that exposes it to discovery by other users. The methods you can use to specify your password when you run client programs are listed here, along with an assessment of the risks of each method. In short, the safest methods are to have the client program prompt for the password or to specify the password in a properly protected option file.
Use the mysql_config_editor utility, which enables you to store authentication credentials in an encrypted login path file named .mylogin.cnf. The file can be read later by MySQL client programs to obtain authentication credentials for connecting to MySQL Server. See Section 4.6.7, “mysql_config_editor — MySQL Configuration Utility”.
Use a --password=password or -ppassword option on the command line. For example:

shell> mysql -u francis -pfrank db_name

This is convenient but insecure. On some systems, your password becomes visible to system status programs such as ps that may be invoked by other users to display command lines. MySQL clients typically overwrite the command-line password argument with zeros during their initialization sequence. However, there is still a brief interval during which the value is visible. Also, on some systems this overwriting strategy is ineffective and the password remains visible to ps. (SystemV Unix systems and perhaps others are subject to this problem.)

If your operating environment is set up to display your current command in the title bar of your terminal window, the password remains visible as long as the command is running, even if the command has scrolled out of view in the window content area.
Use the --password or -p option on the command line with no password value specified. In this case, the client program solicits the password interactively:

shell> mysql -u francis -p db_name
Enter password: ********

The * characters indicate where you enter your password. The password is not displayed as you enter it.

It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs noninteractively, there is no opportunity to enter the password from the keyboard. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password.
Store your password in an option file. For example, on Unix, you can list your password in the [client] section of the .my.cnf file in your home directory:

[client]
password=password

To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example:

shell> chmod 600 .my.cnf

To name from the command line a specific option file containing the password, use the --defaults-file=file_name option, where file_name is the full path name to the file. For example:

shell> mysql --defaults-file=/home/francis/mysql-opts

Section 4.2.2.2, “Using Option Files”, discusses option files in more detail.
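The chmod advice above is easy to forget after a file is edited or copied, so it helps to have a check that can run from a login script or a cron job. The POSIX shell functions below are an added example, not code from the MySQL manual: they report whether an option file such as ~/.my.cnf has the owner-only mode 400 or 600 that the text calls for, and tighten it to 600 when it does not. The function names are hypothetical, and the demonstration runs on a constructed file in a temporary directory rather than on your real option file.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): verify that an option file that
# holds a MySQL password is readable only by its owner (mode 400 or 600) and
# fix it if it is not. Function names are hypothetical.

# Print the permission bits of a file as octal digits (e.g. 600).
# Tries GNU stat first, then the BSD/macOS stat syntax.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if the file's mode is exactly 400 or 600, 1 otherwise.
# Anything else (644, 664, 640, ...) lets other users read the password.
option_file_mode_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print "OK <mode> <file>" when the file is already safe, otherwise set it
# to 600 and print "FIXED <old>-><new> <file>". Missing files print
# "MISSING <file>" and return 2.
secure_option_file() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    old=$(file_mode "$f")
    if option_file_mode_ok "$f"; then
        echo "OK $old $f"
        return 0
    fi
    chmod 600 "$f"
    echo "FIXED $old->$(file_mode "$f") $f"
    return 0
}

# Demonstration on a constructed option file in a temporary directory, so
# nothing in your home directory is touched. Replace "$demo_file" with
# "$HOME/.my.cnf" to check the real file.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/my.cnf"
printf '[client]\nuser=francis\npassword=CONSTRUCTED-EXAMPLE\n' > "$demo_file"
chmod 644 "$demo_file"            # the permissive mode a default umask gives
secure_option_file "$demo_file"   # FIXED 644->600 ...
secure_option_file "$demo_file"   # OK 600 ...
rm -rf "$demo_dir"
```

The check deliberately accepts only 400 and 600: a group-readable 640 still exposes the password to every member of your primary group, which on shared hosts is often not just you.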
On Unix, the mysql client writes a record of executed statements to a history file (see Section 4.5.1.3, “mysql Client Logging”). By default, this file is named .mysql_history and is created in your home directory. Passwords can be written as plain text in SQL statements such as CREATE USER and ALTER USER, so if you use these statements, they are logged in the history file. To keep this file safe, use a restrictive access mode, the same way as described earlier for the .my.cnf file.

If your command interpreter maintains a history, any file in which the commands are saved contains MySQL passwords entered on the command line. For example, bash uses ~/.bash_history. Any such file should have a restrictive access mode.
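The two history-file warnings above can be turned into a small audit of your own account. The shell functions below are an added example, not part of the MySQL manual: they scan a history file for the three password-bearing forms the text describes (a -ppassword or --password=password client option, and an IDENTIFIED BY clause in a CREATE USER or ALTER USER statement), print the matching lines with the secret replaced by ***, count them, and report whether the file's mode is the 400 or 600 the text recommends. Function names, regular expressions and the sample history lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): audit a history file such as
# ~/.mysql_history or ~/.bash_history for lines that expose a MySQL password,
# showing them redacted, and check the file's access mode. Function names
# are hypothetical; the patterns are a heuristic, not a full SQL parser.

# Print each password-bearing line with the secret replaced by ***.
# Command-line forms (-pSECRET, --password=SECRET) are only flagged on lines
# that invoke a mysql client, so "find -print" and similar are not reported;
# IDENTIFIED BY is flagged on any line, since .mysql_history holds bare SQL.
redact_password_lines() {
    f="$1"
    [ -r "$f" ] || return 0
    awk '/IDENTIFIED BY/ ||
         (/mysql/ && (/[[:space:]]-p[^[:space:]]+/ || /^-p[^[:space:]]+/ ||
                      /--password=[^[:space:]]+/))' "$f" |
    sed -E -e 's/(^|[[:space:]])-p[^[:space:]]+/\1-p***/g' \
           -e 's/--password=[^[:space:]]+/--password=***/g' \
           -e "s/IDENTIFIED BY '[^']*'/IDENTIFIED BY '***'/g" \
           -e 's/IDENTIFIED BY "[^"]*"/IDENTIFIED BY "***"/g'
}

# Number of password-bearing lines in a file (0 for a missing file).
count_password_lines() {
    redact_password_lines "$1" | wc -l | tr -d ' '
}

# One-line summary: how many lines expose a password and whether the file
# mode is owner-only (400 or 600), as the manual recommends.
audit_history_file() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING $f"; return 0; }
    n=$(count_password_lines "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        400|600) m="mode=$mode (ok)" ;;
        *)       m="mode=$mode (should be 400 or 600)" ;;
    esac
    echo "$f: $n password-bearing line(s), $m"
}

# Demonstration on a constructed history file in a temporary directory.
# The passwords in it are made up for the example; to audit your real files,
# call the functions on "$HOME/.mysql_history" and "$HOME/.bash_history".
demo_dir=$(mktemp -d)
demo_hist="$demo_dir/.mysql_history"
printf '%s\n' \
    'mysql -u francis -pfrank db_name' \
    'mysql -u francis -p db_name' \
    'mysqldump --password=s3cret db_name > dump.sql' \
    "CREATE USER 'bob'@'localhost' IDENTIFIED BY 'hunter2';" \
    'ls -la' > "$demo_hist"
chmod 644 "$demo_hist"
redact_password_lines "$demo_hist"   # three lines, secrets shown as ***
audit_history_file "$demo_hist"      # ... 3 password-bearing line(s), mode=644 (should be 400 or 600)
rm -rf "$demo_dir"
```

The interactive form (mysql -u francis -p db_name) is correctly not reported, because nothing follows -p. The match is case-sensitive, so a lower-case "identified by" slips through; extend the awk and sed patterns if your history contains it. Once you have found such lines, the remedy is the one the text gives: delete them (or the whole history file) and set the file's mode to 400 or 600.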