On Fri, Oct 21, 2011 at 11:18 AM, Olaf van der Spek <[email protected]> wrote:
>>> That's a recipe for disaster.
>>
>> It depends what you compare against. MySQL always shipped with root
>
> You should do what's right, not do what others do. ;)
> I assume Drizzle only listens on localhost by default.
> So you'd need a system account already.

My proposed configuration is safe and useful for localhost (i.e. a developer desktop).

> So you're saying that storing system account passwords in plaintext
> files is a good idea?

No, that's what auth-file does. That is bad.

In auth_pam your password will typically be in /etc/shadow in the hashed format, as it is now already. The problem is that it is sent over the wire in plaintext. This is similar to how you would log in with telnet.

The problem is that the drizzle client doesn't support SSL connections (as MySQL does). This would be analogous to using SSH to protect your password, as well as the rest of the communication.

Alternatively, PAM can work with challenge-response type authentication too, but it seems the default configuration in Linux distributions is not set up that way and nobody knows how it would work. And the drizzle client would then have to support that method on its end; I'm sure it's not the same as drizzled/mysqld are currently doing.

So what I'm proposing is secure on localhost (very friendly for developers and anyone testing drizzle), and would be completely secure if SSL was supported and perhaps even enforced in a default configuration.

henrik

-- 
[email protected]
+358-40-8211286
skype: henrik.ingo
irc: hingo
www.openlife.cc
My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559
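The two login paths contrasted above, simulated as an added example (not Drizzle's or the thread's code): the auth_pam style where the client sends the password and the server hashes and compares it, beside a challenge-response mode where only a nonce and an HMAC cross the wire. The account, salt and SHA-256 stand-in for the /etc/shadow hash are constructed for the example, and `wire` records what a passive observer of a non-SSL connection would see.

```python
import hashlib
import hmac
import secrets

# Constructed sample account. The server keeps only a salted one-way hash,
# standing in for the /etc/shadow entry PAM would check (SHA-256 here is an
# assumption; real crypt(3) formats differ but are one-way as well).
USER = "dev"
PASSWORD = "correct horse"
SALT = b"constructed-salt"
STORED_HASH = hashlib.sha256(SALT + PASSWORD.encode()).digest()


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def plaintext_login(password: str):
    """auth_pam as described in the thread: the client sends the password
    itself, the server hands it to PAM, which hashes and compares it.
    Returns (accepted, wire), wire being every message an observer saw."""
    wire = []
    wire.append(f"{USER}\0{password}".encode())          # client -> server
    user, _, pw = wire[-1].decode().partition("\0")
    ok = user == USER and hmac.compare_digest(derive(pw, SALT), STORED_HASH)
    return ok, wire


def challenge_response_login(password: str):
    """What a challenge-response mode would need on both ends: the server
    sends a fresh nonce plus the salt, the client answers with an HMAC keyed
    by the derived hash, so the password never crosses the wire."""
    wire = []
    nonce = secrets.token_bytes(16)
    wire.append(nonce + SALT)                            # server -> client
    proof = hmac.new(derive(password, SALT), nonce, hashlib.sha256).digest()
    wire.append(proof)                                   # client -> server
    # Caveat: the stored hash is now the shared key, so a leaked shadow entry
    # is password-equivalent for this protocol.
    expected = hmac.new(STORED_HASH, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected), wire


def password_visible_on_wire(wire) -> bool:
    """What an eavesdropper on a non-SSL connection learns."""
    return any(PASSWORD.encode() in msg for msg in wire)
```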

