In this primer I will show how to improve the security of your MariaDB installation by using two-step verification and how to use it from your Windows GUI client.
Let’s suppose you have your data in MariaDB, installed, say, on Ubuntu. And your users connect to it to run ad hoc queries, using some sort of a Windows GUI client. You don’t want them to write the access password on post-it notes or have it auto-entered by the client. And you don’t want anyone see the password when one of the salespersons connects to the mother ship from his laptop in the Internet café. So you decide to use the two-step verification, just like Google does, to secure the access to the data.
As you may know, since version 5.2.0 (released in April 2010) we support Pluggable Authentication. Using this feature one can implement an arbitrary user authentication and account management policy, completely replacing built-in MariaDB authentication with its username/password combination and
Also, as you might have heard, Oracle has recently released a PAM authentication plugin for MySQL. Alas, this plugin will not run on MariaDB — although the MySQL implementation of pluggable authentication is based on ours, the API is incompatible. And, being closed source, this plugin cannot be fixed to run in MariaDB. And — I’m not making it up — this plugin does not support communication between the client and the server, so even with this plugin and all the power of PAM the only possible authentication method remains a simple username/password combination.
But writing authentication plugins is easy, I said to myself. I will do my own authentication plugin! With blackjack and hookers.
If you work with bazaar, you have seen its URIs. You can find the complete list is in the bzr help urlspec. Although I commonly use only a subset of that, like bzr+ssh://bazaar.launchpad.net/~maria-captains/maria/5.2-serg/ and http://bazaar.launchpad.net/%2Bbranch/mysql-server/5.5/.
In addition I often use Launchpad aliases, such as lp:~maria-captains/maria/5.3-serg/, lp:maria/5.3, and lp:869001.
And finally, there are common abbreviations that we have used in MySQL, and others that we use in MariaDB, for example bug#12345 and wl#90.
What’s annoying, I need to remember that wl#90 corresponds to http://askmonty.org/worklog/?tid=90 and type the latter in the location bar of the browser, when I want to look this task up. And lp:869001 is, for my browser, https://bugs.launchpad.net/bugs/869001. Similarly, every other URL above, has its browser-friendly evil twin. It’s evil, because I have to remember it!
Now, Firefox tries to help, to a certain extent. It supports so-called keywords — short aliases for bookmarks. Create a bookmark for https://bugs.launchpad.net/bugs/%s and in the Keyword field enter lp. Now you can type in the location bar lp 869001 (with a space) and Firefox will expand it into a complete url https://bugs.launchpad.net/bugs/869001. Quite handy. And I’ve used it for a few years. Still it annoyed me, that I had to rewrite the abbreviations manually, put spaces, remove colons, and so on. And at last it annoyed me to a degree where I wrote a Firefox plugin!