Bug #91427 Authentication by public key / SSL certificate
Submitted: 26 Jun 2018 18:06 Modified: 30 Sep 2020 13:04
Reporter: Marten Lehmann Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server Severity:S4 (Feature request)
Version:8.0.11 OS:Any
Assigned to: CPU Architecture:Any

[26 Jun 2018 18:06] Marten Lehmann
Description:
I would like to log in to a MySQL database by public-key cryptography (like SSH keys or TLS certificates), because

- it allows a higher level of security than passwords
- it simplifies management of permissions
- it allows to tie a matching pair of public and private key to a specific developer / configuration management / deployment account rather than managing dozens of sets of username and password
- it allows to easily grant and revoke temporary access to objects without transmitting credentials

In short: I'd like to see something like OpenSSH's .authorized_keys mechanism in MySQL.

While I switched to using SSH keys rather than credentials in pretty much every situation involving remote servers, I'm astounded that after using MySQL for two decades, nothing similar exists here.

Why tunneling through SSH is not an option:

At a typical setup of web hosting or cloud providers, you really don't want database users to have local access to the servers. This would simply introduce another vector of possible attacks and makes management more complicate. It also doesn't allow multiplexing through MySQL proxy servers.

Why the current TLS options are not an option:

The key thing in .authorized_keys is, that it allows pretty much every public key, no matter who created it and which setup or server was used. While MySQL allows GRANT ... REQUIRE X509 (see "tls_option" at https://dev.mysql.com/doc/refman/8.0/en/create-user.html), it's nearly impossible to pin a specific certificate. You would need to aggregate REQUIRE SUBJECT AND ISSUER and include this issuer in your chain of trusted CAs, which is hard if you want to allow self-signed certificates. Even then, this would just be an additional layer to the standard authentication, not replacing it.

How to repeat:
-

Suggested fix:
I'm suggesting to add a standard option like

GRANT ... IDENTIFIED WITH tls_certificate BY tls_fingerprint('sha256', '<fingerprint>')

You can easily find out the fingerprint of a certificate by issuing the following command:

openssl x509 -in public_key.pem -noout -fingerprint -sha256

This would grant users access based on their TLS certificate's SHA-256 fingerprint, no matter which subject it contains and by whom it what issued. Just the way you can for example manage your personal SSH and PGP keys at a service like GitHub, you could manage your TLS certificates and simplify deployment on many servers.
[30 Sep 2020 13:04] MySQL Verification Team
HI Mr. Lehmann,

Thank you for your feature request.

However, we do not plan to implement it in the near future.