spacekpe
commented
3 years ago If anyone stumbles on this, easiest way to revert to Debian 10 default is this SQL snippet:
ALTER USER root@localhost IDENTIFIED VIA unix_socket;Closed spacekpe closed 3 years ago
spacekpe
commented
3 years ago If anyone stumbles on this, easiest way to revert to Debian 10 default is this SQL snippet:
ALTER USER root@localhost IDENTIFIED VIA unix_socket;
stale[bot]
commented
3 years ago This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.
stale[bot]
commented
3 years ago This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
Role version: 3.1.0 Environment: Debian 10, package mariadb-server-10.3 1:10.3.22-0+deb10u1 amd64
Task "Update MySQL root password for localhost root account" in tasks/secure-installation.yml breaks init scripts on Debian 10.
Debian 10 depends on unix_socket authentication in upgrade scripts, but this role by default forces password authentication for root user.
Symptoms in journal (
journalctl -u mariadb -o cat):This happens even if role user does not specify any explicit values for (mysql_root_password, mysql_user_password, mysql_root_password_update). Default values in the role will provide default value for
mysql_root_password=rootand it will set it as password whenmysql_install_packagesis true.I consider this confusing and unexpected, but most importantly it is insecure (because it silently sets weak passwords) and breaks stuff on default system installations.
I propose a different approach: Do not set root password if one is not explicitly provided in variables. That will not break Debian 10 and also will avoid setting weak passwords by default.