utility enables you to store authentication credentials in an encrypted login file named
The file location is the
%APPDATA%\MySQL directory on Windows and the current
user's home directory on non-Windows systems. The file can be read later by MySQL client programs to obtain
authentication credentials for connecting to MySQL Server.
To specify an alternate file name, set the
variable. This variable is used by the mysql-test-run.pl testing
utility, but also is recognized by
mysql_config_editor and by MySQL clients such as
mysql, mysqladmin, and so forth.
.mylogin.cnf file so it cannot be read as clear text, and its
contents when decrypted by client programs are used only in memory. In this way, passwords can be stored in a
file in non-cleartext format and used later without ever needing to be exposed on the command line or in an
environment variable. mysql_config_editor
The encryption used by mysql_config_editor prevents passwords from appearing in
.mylogin.cnf as clear text and provides a measure of security by preventing
inadvertent password exposure. For example, if you display a regular unencrypted
my.cnf option file on the screen, any passwords it contains are visible for
anyone to see. With
.mylogin.cnf, that is not true. But the encryption used will
not deter a determined attacker and you should not consider it unbreakable. A user who can gain system
administration privileges on your machine to access your files could decrypt the
file with some effort.
The login file must be readable and writable to the current user, and inaccessible to other users. Otherwise, mysql_config_editor
ignores it, and the file is not used by client programs, either. On Windows, this constraint does not apply;
instead, the user must have access to the
The unencrypted format of the
.mylogin.cnf login file consists of option groups,
similar to other option files. Each option group in
.mylogin.cnf is called a "login path," which is a group that permits only a
limited set of options:
password. Think of a login path as a set of values that indicate the server host
and the credentials for authenticating with the server. Here is an example:
[myloginpath]user = mynamepassword = mypasshost = 127.0.0.1
When you invoke a client program to connect to the server,
.mylogin.cnf is used in
conjunction with other option files. Its precedence is higher than other option files, but less than options
specified explicitly on the client command line. For information about the order in which option files are used,
see Section 126.96.36.199,
"Using Option Files".
mysql_config_editor like this:
program_options consists of general mysql_config_editor options.
command indicates what command to perform, and
indicates any additional options needed by the command.
The command indicates what action to perform on the
.mylogin.cnf login file. For
set writes a login path to the file,
removes a login path, and
The position of the command name within the set of program arguments is significant. For example, these command lines have the same arguments, but produce different results:
mysql_config_editor --help setmysql_config_editor set --help
The first command line displays general mysql_config_editor help, and ignores the
command. The second command line displays help for the
Suppose that you want to establish two login paths named
remote for connecting to the local MySQL server and a server on the host
remote.example.com. You want to authenticate to the local server with a user name and
localpass, and to the remote
server with a user name and password of
To set up the login paths in the
.mylogin.cnf file, use the following
set commands. Enter each command on a single line, then enter the appropriate
password when prompted.
mysql_config_editor set --login-path=local --host=localhost --user=localuser --passwordEnter password:
enter password "localpass" hereshell>
mysql_config_editor set --login-path=remote --host=remote.example.com --user=remoteuser --passwordEnter password:
enter password "remotepass" here
To see what mysql_config_editor
wrote to the
.mylogin.cnf file, use the
mysql_config_editor print --all[local]user = localuserpassword = *****host = localhost[remote]user = remoteuserpassword = *****host = remote.example.com
As shown by the preceding examples, the
.mylogin.cnf file can contain multiple
login paths. In this way, mysql_config_editor makes it easy to set up multiple "personalities" for connecting to different MySQL
servers. Any of these can be selected by name later using the
when you invoke a client program. For example, to connect to the local server, use this command:
To connect to the remote server, use this command:
When you use the
set command with mysql_config_editor to create a login path, you need not specify
all three possible option values (host name, user name, and password). Only those values given are written to
the path. Any missing values required later can be specified when you invoke a client path to connect to the
MySQL server, either in other option files or on the command line. Also, any options specified on the command
line override those in option files, including the
.mylogin.cnf file. For example,
if the credentials in the
remote login path also apply for the host
remote2.example.com, you can connect to the server on that host like this:
mysql --login-path=remote --host=remote2.example.com
.mylogin.cnf file, if it exists, is read in all cases, even when the
option is used. This permits passwords to be specified in a safer way than on the command line even if
--no-defaults is present.
This section describes the permitted mysql_config_editor commands, and the interpretation of options
that have a command-specific meaning. In addition, mysql_config_editor takes other options that can be used
with any command, such as
--verbose to produce more information as mysql_config_editor executes. This option may be helpful in
diagnosing problems if an operation does not have the effect you expect. For a list of supported options, see mysql_config_editor
mysql_config_editor supports these commands:
Display a help message and exit.
Print the contents of
.mylogin.cnf in unencrypted form. Passwords are
Remove a login path from the
remove command takes these options:
Remove the host name from the login path.
The login path to remove. If this option is not given, the default path name is
Remove the password from the login path.
Remove the TCP/IP port number from the login path.
Remove the Unix socket file name from the login path.
Remove the user name from the login path.
remove command removes from the login path only such values as are
specified with the
--user options. If none of them is given,
removes the entire login path. For example, this command removes only the
user value from the
client login path
rather than the entire
client login path:
mysql_config_editor remove --login-path=client --user
Empty the contents of the
.mylogin.cnf file. The file is created if it
does not exist.
Write a login path to the
set command takes these options:
The host name to write to the login path.
The login path to create. If this option is not given, the default path name is
Prompt for a password to write to the login path.
The TCP/IP port number to write to the login path.
The Unix socket file to write to the login path.
The user name to write to the login path.
set command writes to the login path only such values as are
specified with the
--user options. If none of those options are given, mysql_config_editor writes the login path as an
To specify an empty password, use the
set command with the
option, then press Enter at the password prompt. The resulting login path written to
.mylogin.cnf will include a line like this:
If the login path already exists in
set command replaces it. To ensure that this is what the user wants, mysql_config_editor
prints a warning and prompts for confirmation. To suppress the warning and prompt, use the
mysql_config_editor supports the following options.
|--all||Print all login paths|
|--debug[=debug_options]||Write a debugging log|
|--help||Display help message and exit|
|--host=host_name||Host to write to login file|
|--login-path=name||Login path name|
|--password||Solicit password to write to login file|
|--port=port_num||port||The TCP/IP port number to write to login file||5.7.1|
|--socket=path||socket||The Unix socket file name to write to login file||5.7.1|
|--user=user_name||User name to write to login file|
|--version||Display version information and exit|
|--warn||Warn and solicit confirmation for overwriting login path|
Display a help message and exit. If preceded by a command name such as
remove, displays information about
Write a debugging log. A typical
debug_options string is
set command, the host name to write to to the login path. For
remove command, removes the host name from the login path.
set commands, the login path to use in the
Client programs also support the
--login-path option, to enable users to
specify which login path to use for connecting to a MySQL server. For client programs,
--login-path must be the first option given, which is not true for mysql_config_editor. See Section
188.8.131.52, "Command-Line Options that Affect Option-File Handling".
set command, cause mysql_config_editor to prompt for a password and
write the value entered by the user to the login path. After mysql_config_editor starts and displays the
prompt, the user should type the password and press Enter. To prevent other users from seeing the
does not echo it.
This option does not permit a password value following the option name. That is, with mysql_config_editor,
you never enter a password on the command line where it might be seen by other users. This differs
from most other MySQL programs, which permit the password to be given on the command line as
-p. (That practice
is insecure and should be avoided, however.)
remove command, removes the password from the login path.
set command, the TCP/IP port number to write to the login path.
remove command, removes the port number from the login path.
set command, the Unix socket file name to write to the login
path. For the
remove command, removes the socket file from the login
set command, the user name to write to the login path. For the
remove command, removes the user name from the login path.
Verbose mode. Print more information about what the program does.
Display version information and exit.
set command, warn and prompt the user for confirmation if the
command attempts to overwrite an existing login path. This option is enabled by default; use
to disable it.