How to encrypt root password in MariaDB? - encryption

I have three users in MariaDB namely root, testuser1, testuser2. I want to encrypt the passwords for all three users when connecting to MariaDB by typing the following command in the terminal,
1. mysql -u root -p
2. mysql -u testuser1 -p
3. mysql -u testuser2 -p
It asks for password. At this point, How can I supply encrypted password or make it read from any file which may contain it?
There is a requirement in my project to encrypt all passwords for MariaDB users. (I have also asked this question in connection with MySQL too).

Related

Local Worpdress website can not connect to its database

I am trying to install a Wordpress site on a local server (Ubuntu 16.04 in a docker container).
Xampp is installed and running, and I have created a database and a username with proper rights:
mysql -uroot -e "CREATE USER 'localuser'#'localhost' IDENTIFIED BY 'localpassword';";
mysql -uroot -e 'CREATE DATABASE 'localdatabase';';
mysql -uroot -e "GRANT ALL ON localdatabase.* TO 'localuser'#'localhost';";
I've also updated my wp-config.php file with the credentials above.
Still, when I try to install wordpress from there (I use wp-cli), I get the message "Error: Error establishing a database connection. This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at localhost. This could mean your host’s database server is down."
I've double checked the credentials, and xampp is indeed running, so what should I check next? Could this come from a config file that is missing something?
What hostname are you using in the wp-config? Also did the commands finish succesfully? For creating the db you used apostrophes instead of quotes. You can try the mysql client directly with mysql -u -p -h .
In wp-config.php, use 127.0.0.1 instead of localhost for the database hostname.

Mapping between HDFS Daemon and Kerberos Principal and Unix Account

In my organization, to access the hadoop cluster we do the following on the Gateway:
sudo su -
cd /etc/username/
kinit some_string/instance -k -t some_string.keytab
hadoop fs -ls
This works perfectly fine, but I am trying to understand what exactly is going on.
When I do a 'whoami' obviously it shows 'root'. But any files created the above way on HDFS have the owner as 'some_string' and group as 'hdfs'. And I can neither kinit nor access HDFS as any other user. Why is this so?
Is this because: Hadoop's HDFS daemon is mapped to the kerberos principal (and that principal's ticket is only accessible to me as a root user?) And that principal is also mapped to the OS account some_string which is what i see as owner of the files on HDFS? If so where is the link defined (hadoop daemon to principal to os account)
I tried googling around a lot but could not find a definitive answer to my confusion. Even when I log in to HUE with my own user, I do not have write access to these files, which is also something I want to understand how to resolve.
Thanks.
Edit:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some_string/instance#CLOUDERA.xxxx.CORP
Valid starting Expires Service principal
03/02/16 21:06:19 03/03/16 21:06:19 krbtgt/CLOUDERA.xxxx.CORP#CLOUDERA.xxxx.CORP
renew until 03/02/16 21:06:19
So when you are executing below command
kinit some_string/instance -k -t some_string.keytab
You are requesting for ticket of the principal which is stored in your some_string.keytab file which you can look at by using below command
klist -k some_string.keytab
It will show you output with principal name and version. Keytab files contains password as well so it dose not ask for password.
And the second question will be answer from the klist command it will show you the principal which is like user/_host#realm so in your case user is some_string, and when you get ticket of some_string user you are some_string for kerberos and your commands will be executed as some_string user so the owner of files created will be some_string.
Also you can list the tickets which you already have using klist command see below the output:
[root#myhostname ~]# klist -k some_Name.keytab
Keytab name: FILE:some_Name.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 myuser/myhostname#MYREAL.COM
Here my keytab is of myuser user and host is myhostname host.

SSH AUTHENTIFACTION ISSUE

I am a newbie to embedded networking. I want to set arm board as a ssh server .From other boards(client boards connected in the network), I need to connect to this server board.
I have downloaded the openssh and cross compiled it for arm successfully.
I have used default sshd_config file and run sshd command in arm-board.
Command
"ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N "" "
is used to genrate key.
My doubt is where can I set the username and password, so that I can login from a remote client using ssh command. I didn't find any document regarding this...?
Using ssh you are logging in as a normal system user. So you should add user using useradd command. You can change password using passwd command.

What's the syntax and prerequisite for --password-file option in rsync?

I want to store --password-file option that comes with rsync. I don't want to use ssh public_private key encryption. I have tried this command:
rsync -avz --progress --password-file=pass.txt source destination
This says:
The --password-file option may only be used when accessing an rsync daemon.
So, I tried using:
rsync -avz --progress --password-file=pass.txt source destination rsyncd --daemon
But this return various errors like unknown options. Is my sytanx correct? How do I setup rsync daemon in my Debian machine.
That is correct,
--password-file is only applicable when connecting to a rsync daemon.
You probably haven't set it in the daemon itself though, the password you set and the one you use during that call must match.
Edit /etc/rsyncd.secrets, and set the owner/group of that file to root:root with world reading permissions.
#/etc/rsyncd.secrets
root:YourSecretestPassword
To connect to a rsync daemon, use a double colon followed by the module name, and the file or folder to synchronize (instead of a colon when using SSH),
RSYNC_PASSWORD="YourSecretestPassword"; rsync -rtv user#remotehost::module/source/ destination/
NOTE:
this implies abdicating SSH encryption, though the password itself is not sent across the network in plain text, your data is ...
this is already insecure as is, never as the the same password as any of your users account.
For a better understanding of its inner workings (how to give specific IPs/processes the ability to upload to specified areas of the filesystem without the need for a user account): http://transamrit.net/docs/rsync/
After trying a while, I got this to work. Since Im copying from my live server (and routers data) to my local server in my laptop as backup user no problem with password been unencrypted, its secured wired on my laptop at home. First you need to install sshpass if Centos with yum install sshpass then create a user backup and assign a temp password. I listed the -p option in case your ssh port is different than default.
sshpass -p 'password' rsync -vaurP -e 'ssh -p 2222' backup#???.your.ip.???:/somedir/public_data/temp/ /your/localdata/temp
Understand SSH RSA is a better permanente alternative and all that, but this is a quick alternative to backup and restore on the go. It works if you are not too concern about security but more concern about your data been backup locally as in an emergency o data recovery. Your user backup password you can change it once the backup is completed. Its a lot faster to setup when your servers change IPs, users, and its in constant modifications (as routers change config and non static IPs, also when routers are not local and you are backing up clients servers locally, where you dont have always access to do SSH. Some of my clients dont even have SSH installed and they dont want to hassle with creating public keys. On some servers only where you have access on a temporary basis. By the way, if you want to do the restore, just reverse the case. Dont need change much, from the same command shell you can do it reversing the order of target and source directories, and creating another backup user with same temp password on the target. After finish, you delete the backup user or change its passwords on target and/or source servers. You can protect even further, as I have done, replacing the password for a one line file using a bash script for multi server environment. Alternative is to use the -f option so the password does not show in the bash history -f "/path/to/passwordfile" Regards
NOTE: If you want to update only modified files then you should use this parameters -h -v -r -P -t as described here https://unix.stackexchange.com/questions/67539/how-to-rsync-only-new-files
rsync -arv -e \
"sshpass -f '/your/pass.txt' ssh -o StrictHostKeyChecking=no" \
--progress /your/source id#IP:/your/destination
Maybe you have to install "sshpass" if you not.

mysql bash_profile password to be ignored

I was looking for unix bash history to give * for mysql password.
Eg: If I issue -
mysql -uroot -psecuritydemon -h192.168.90.888
then in unix prompt if I use history | grep -i mysql -> I get the password entry too.. Instead I would like to see for the history grep result as below
mysql -uroot -p*** -h192.168.90.888
Any way to achieve this?
I don't think it is possible to filter the command that is written to your history in bash. However, I would suggest you use a ~/.my.cnf configuration file as described here: http://support.modwest.com/content/6/242/en/how-do-i-create-a-mycnf-mysql-preference-file.html
. And make sure you set the permissions to go-rwx so that noone else can read your file.
Your bash history is not the biggest (or at least not the only) concern: if you run sql this way, anyone can see your password with a simple ps ax while your session is open! Instead use mysql -uroot -p without a password: then the mysql client will present a password prompt that nobody can sniff (unless they're standing over your shoulder, or have root on your computer, or something equally unpreventable).

Resources