If the value is 0, enable the variable by starting the server with the value set to 1.
For example, use these lines in an option file:
[mysqld]
secure_auth=1
At this point, accounts that use pre-4.1 password hashes can no longer connect.
23.10. Finding and Removing Anonymous Accounts
Problem
You want to ensure that your MySQL server can be used only by accounts associated
with specific usernames.
Solution
Identify and remove anonymous accounts.
Discussion
An “anonymous” account is one that has an empty user part in the account name, such
as ''@'localhost'. An empty user matches any name because the purpose of an
anonymous account is to permit anyone who knows its password to connect from the
named host (localhost in this case). This is a convenience because the DBA need not
set up individual accounts for separate users. But there are security implications as well:
• Such accounts often are given no password, enabling their use with no authentication
at all.
• You cannot associate database activity with specific users (for example, by checking
the server query log or examining SHOW PROCESSLIST output), making it more difficult
to tell who is doing what.
If the preceding points persuade you that anonymous accounts are not a good thing,
use the following instructions to identify and remove them:
1. The User column is empty in the mysql.user rows for anonymous accounts, so
you can identify them like this:
mysql> SELECT User, Host FROM mysql.user WHERE User = '';
+------+---------------+
| User | Host          |
+------+---------------+
|      | %.example.com |
|      | localhost     |
+------+---------------+
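The recipe's query finds the anonymous rows; the statements below carry the procedure through to removal and verification. This is an added example, not text from the cookbook: the account hosts are the two constructed values shown in the table above, and the CONCAT/QUOTE step simply generates the DROP USER statements so that each host string is quoted the way the grant tables store it rather than retyped by hand.

```sql
-- Added example (not from the original recipe): find anonymous accounts,
-- generate the statements that remove them, and confirm none remain.
-- Host values are the constructed ones from the table above.

-- 1. List anonymous accounts: the User column is empty.
SELECT User, Host
FROM mysql.user
WHERE User = '';

-- 2. Generate one DROP USER statement per anonymous account. QUOTE() adds
--    the surrounding quotes and escapes any special characters in Host.
SELECT CONCAT('DROP USER ', QUOTE(User), '@', QUOTE(Host), ';') AS drop_stmt
FROM mysql.user
WHERE User = '';

-- 3. Run the generated statements. For the two rows shown above they are:
DROP USER ''@'%.example.com';
DROP USER ''@'localhost';

-- 4. Verify: the count must be 0 once all anonymous accounts are gone.
SELECT COUNT(*) AS anonymous_accounts
FROM mysql.user
WHERE User = '';
```

DROP USER updates the grant tables and the server's in-memory privilege cache together, so no FLUSH PRIVILEGES is needed afterwards; the final count query is the check that the removal took effect.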