For anonymous users, those with user='', having a recommendation
to set their passwords, and warning that the password is the same
as the username is a little excessive since there's already a
recommendation to drop the user.
So let's remove those recommendations so we don't see:
[!!] User '@localhost' has user name as password.
[!!] User '@localhost.localdomain' has user name as password.
or:
Set up a Secure Password for @localhost user: SET PASSWORD FOR ''@'SpecificDNSorIp' = PASSWORD('secure_password');
Set up a Secure Password for @localhost.localdomain user: SET PASSWORD FOR ''@'SpecificDNSorIp' = PASSWORD('secure_password');
Let's keep the focus on:
-------- Security Recommendations ------------------------------------------------------------------
[!!] User ''@'localhost' is an anonymous account. Remove with DROP USER ''@'localhost';
[!!] User ''@'localhost.localdomain' is an anonymous account. Remove with DROP USER ''@'localhost.localdomain';
DROP USER has existed for a very long time.
Use the QUOTE SQL function to ensure accounts are correctly quoted
and this helps the delete recommendation.
MySQL has auth_socket as its plugin compared to unix_socket on MariaDB
so accept that as a valid reason for having no authentication.
MySQL [(none)]> show create user dan@localhost;
+-----------------------------------------------------------------------------------------------------------------+
| CREATE USER for dan@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| CREATE USER 'dan'@'localhost' IDENTIFIED WITH 'auth_socket' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK |
+-----------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
MySQL [(none)]> select user,host,plugin from mysql.user;
+---------------+-----------+-----------------------+
| user          | host      | plugin                |
+---------------+-----------+-----------------------+
| root          | localhost | mysql_native_password |
| mysql.session | localhost | mysql_native_password |
| mysql.sys     | localhost | mysql_native_password |
| dan           | localhost | auth_socket           |
| expiretest    | %         | mysql_native_password |
| expiretest    | localhost | mysql_native_password |
+---------------+-----------+-----------------------+
6 rows in set (0.001 sec)
MySQL [(none)]> select version();
+-----------+
| version() |
+-----------+
| 5.7.31    |
+-----------+
MariaDB-10.4 migrated their authentication to a global_priv table in JSON
format. Also locked user accounts were added. By default the mariadb.sys
is a locked user without a password and there as the owner of the mysql.user
view. As it's hazardous for a user to modify this we exclude locked accounts
but still search for mysql_native_password plugin without authentication.
We use versioned comments to process all other versions. The 5.5+ MySQL
version comment is also read by MariaDB (ref: https://mariadb.com/kb/en/comment-syntax/),
enabling the processing of plugins on other versions that have plugins.
While this branch doesn't apply to MySQL-8.0 yet, we add support
for the locked user accounts in MySQL-8.0+ in a versioned comment
(not read by MariaDB).
Good message is
-------- InnoDB Metrics ----------------------------------------------------------------------------
[--] Skipped due to --skipsize option
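
The account rules described in the commit message above, sketched as an added Python example (not MySQLTuner's own Perl code). The function names, row fields, sample rows and the "has no password set" wording are assumptions made for illustration; the quoting helper only approximates SQL QUOTE().

```python
# Added illustration: names and sample rows are constructed, not MySQLTuner code.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}  # MySQL / MariaDB socket auth


def sql_quote(value):
    """Quote a string literal roughly as SQL QUOTE() does (backslash and ' only)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def account(row):
    """Render a row as a quoted 'user'@'host' account name."""
    return f"{sql_quote(row['user'])}@{sql_quote(row['host'])}"


def review(rows):
    """Return one finding per account that needs attention."""
    findings = []
    for row in rows:
        if row["user"] == "":
            # Anonymous account: recommend removal only, no password advice.
            findings.append(f"User {account(row)} is an anonymous account. "
                            f"Remove with DROP USER {account(row)};")
        elif row["locked"]:
            continue  # locked accounts (e.g. mariadb.sys) are excluded
        elif row["plugin"] in SOCKET_PLUGINS:
            continue  # socket plugin is a valid reason for no password
        elif not row["auth"]:
            findings.append(f"User {account(row)} has no password set.")
    return findings


SAMPLE_ROWS = [  # constructed sample data
    {"user": "", "host": "localhost", "plugin": "mysql_native_password",
     "auth": "", "locked": False},
    {"user": "dan", "host": "localhost", "plugin": "auth_socket",
     "auth": "", "locked": False},
    {"user": "mariadb.sys", "host": "localhost",
     "plugin": "mysql_native_password", "auth": "", "locked": True},
    {"user": "expiretest", "host": "%", "plugin": "mysql_native_password",
     "auth": "", "locked": False},
    {"user": "root", "host": "localhost", "plugin": "mysql_native_password",
     "auth": "*CONSTRUCTED_HASH", "locked": False},
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ROWS):
        print("[!!]", finding)
```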