mysql bash_profile password to be ignored - unix

I was looking for unix bash history to give * for mysql password.
Eg: If I issue -
mysql -uroot -psecuritydemon -h192.168.90.888
then in unix prompt if I use history | grep -i mysql -> I get the password entry too.. Instead I would like to see for the history grep result as below
mysql -uroot -p*** -h192.168.90.888
Any way to achieve this?

I don't think it is possible to filter the command that is written to your history in bash. However, I would suggest you use a ~/.my.cnf configuration file as described here: http://support.modwest.com/content/6/242/en/how-do-i-create-a-mycnf-mysql-preference-file.html
. And make sure you set the permissions to go-rwx so that noone else can read your file.

Your bash history is not the biggest (or at least not the only) concern: if you run sql this way, anyone can see your password with a simple ps ax while your session is open! Instead use mysql -uroot -p without a password: then the mysql client will present a password prompt that nobody can sniff (unless they're standing over your shoulder, or have root on your computer, or something equally unpreventable).

Related

How do i use ldapmodify for the first time when i do not know any user or password for authentication?

I am unable to apply changes using ldapmodify for the first time after installing openldap on my rhel7 server.
I have installed openldap from the scratch. Now i want to modify the olcDatabase={2}hdb.ldif to put my own olcSuffix,olcRootDN and olcRootPW.
I have generated the encrypted password with ldappasswd and put that along with other two parameters to .ldif file.
Now when, i try to apply these changes to my ldap setup using following command
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
i get the error as
ldap_sasl_interactive_bind_s: Local error (-2)
further if i wish to use -D to bind with the default user -D "cn=Manager,dc=my-domain,dc=com" it needs a password. i do not know what username password combination i should use to run my first ever ldapmodify on this newly installed openldap.
Your help is much appreciated.
Best regards,
Amit Joshi
You're hitting an OpenLDAP bug (see ITS#8998).
The solution is to either
unset option SASL_NOCANON in ldap.conf or
specify the full path in the LDAPI URI (with URL-quoting of slashes).
The first option might be easier but might affect binding with SASL/GSSAPI (Kerberos).

how to add commands in .ssh/authorized_keys

I read on man sshd one can add post-login processing when a user logs in using a particular key:
environment="FOO=BAR" ssh-rsa AAA... keytag
But when I try to ssh into the system, the target host does not register the line and instead asks for a password. What is the right way of adding this? I would like to do something like
command="echo|mail -s ${USER},${HOSTNAME} a.monitored.email#example.com" ssh-rsa AAA... keytag
I am using Suse SLE 11 SP2.
Thanks
Dinesh
First, according to the documentation command = "command":
That specifies the command is executed Whenever This key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; Otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or specify no-pty Should. A quote May be included in the command by quoting it with a backslash. This option might be useful to restrict Un certain public keys to perform just a specific operation. An example might be a key That Permits remote backups but nothing else. Note That May specify the client TCP and / or X11 forwarding Explicitly UNLESS they 'are prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note That This option Applies to shell, command or subsystem execution. Also note This command That May be superseded by Either a sshd_config (5) ForceCommand directive or a command embedded in a certificate.
Using this option, it is possible to enforce execution of a given command when this key is used for authentication and no other.This is not what you're looking for.
To run a command after login you can add in the file ~/bashrc something like this:
if [[ -n $SSH_CONNECTION ]] ; then
echo|mail -s ${USER},${HOSTNAME} a.monitored.email#example.com"
fi
Second, you need to verify the permissions of the authorized_keys file and the folder / parent folders in which it is located.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
For more information see: https://www.complang.tuwien.ac.at/doc/openssh-server/faq.html#3.14

history expansion by complete first word

Consider that I've successfully run these two commands in this order (but perhaps many commands ago):
~% ssh localhost echo
~% sshfs localhost:/ /media/copy-of-root
Now I would like to rerun the ssh command. My first instinct is to use !ssh, but this will match the sshfs command instead.
Is there a version of history expansion which will match entire first words instead of prefixes of commands? If not, is there some other robust way to choose the ssh command over the sshfs one?
well, if you search for ssh (with a trailing space) it will find it. IMO the best alternative is to bind up and down to up-line-or-search and down-line-or-search.
bindkey '^[[A' up-line-or-search # check the exact code for your UP key...
Then you would just use:
% ssh [UP]
which would search for ssh in your history. If that is not the history instance you want, just keep searching (i.e. hitting "UP").

What's the syntax and prerequisite for --password-file option in rsync?

I want to store --password-file option that comes with rsync. I don't want to use ssh public_private key encryption. I have tried this command:
rsync -avz --progress --password-file=pass.txt source destination
This says:
The --password-file option may only be used when accessing an rsync daemon.
So, I tried using:
rsync -avz --progress --password-file=pass.txt source destination rsyncd --daemon
But this return various errors like unknown options. Is my sytanx correct? How do I setup rsync daemon in my Debian machine.
That is correct,
--password-file is only applicable when connecting to a rsync daemon.
You probably haven't set it in the daemon itself though, the password you set and the one you use during that call must match.
Edit /etc/rsyncd.secrets, and set the owner/group of that file to root:root with world reading permissions.
#/etc/rsyncd.secrets
root:YourSecretestPassword
To connect to a rsync daemon, use a double colon followed by the module name, and the file or folder to synchronize (instead of a colon when using SSH),
RSYNC_PASSWORD="YourSecretestPassword"; rsync -rtv user#remotehost::module/source/ destination/
NOTE:
this implies abdicating SSH encryption, though the password itself is not sent across the network in plain text, your data is ...
this is already insecure as is, never as the the same password as any of your users account.
For a better understanding of its inner workings (how to give specific IPs/processes the ability to upload to specified areas of the filesystem without the need for a user account): http://transamrit.net/docs/rsync/
After trying a while, I got this to work. Since Im copying from my live server (and routers data) to my local server in my laptop as backup user no problem with password been unencrypted, its secured wired on my laptop at home. First you need to install sshpass if Centos with yum install sshpass then create a user backup and assign a temp password. I listed the -p option in case your ssh port is different than default.
sshpass -p 'password' rsync -vaurP -e 'ssh -p 2222' backup#???.your.ip.???:/somedir/public_data/temp/ /your/localdata/temp
Understand SSH RSA is a better permanente alternative and all that, but this is a quick alternative to backup and restore on the go. It works if you are not too concern about security but more concern about your data been backup locally as in an emergency o data recovery. Your user backup password you can change it once the backup is completed. Its a lot faster to setup when your servers change IPs, users, and its in constant modifications (as routers change config and non static IPs, also when routers are not local and you are backing up clients servers locally, where you dont have always access to do SSH. Some of my clients dont even have SSH installed and they dont want to hassle with creating public keys. On some servers only where you have access on a temporary basis. By the way, if you want to do the restore, just reverse the case. Dont need change much, from the same command shell you can do it reversing the order of target and source directories, and creating another backup user with same temp password on the target. After finish, you delete the backup user or change its passwords on target and/or source servers. You can protect even further, as I have done, replacing the password for a one line file using a bash script for multi server environment. Alternative is to use the -f option so the password does not show in the bash history -f "/path/to/passwordfile" Regards
NOTE: If you want to update only modified files then you should use this parameters -h -v -r -P -t as described here https://unix.stackexchange.com/questions/67539/how-to-rsync-only-new-files
rsync -arv -e \
"sshpass -f '/your/pass.txt' ssh -o StrictHostKeyChecking=no" \
--progress /your/source id#IP:/your/destination
Maybe you have to install "sshpass" if you not.

Can I include a password in my rsync call?

I use rsync to update my static website. I currently cd to the local website directory, and run the rsync command, and then enter the password in the next line. I've saved my rsync call into a text snippet (such that _rs just expands to my call). Is there way to use something like a -p flag at the end and include the password too?
My call looks like this:
rsync -avzh -e ssh * foo#foo.org:"/home/foo/public_html/"
Answering this with a direct answer to the question, may be useful in less secure scenarios.
#!/usr/bin/expect -f
set PASSPH "123456"
send_user "\n"
stty -echo
spawn rsync -apv -e ssh "/Volumes/Macintosh HD/Users/charliechaplin/test/" "charly#chaplin.com:/project/htdocs/site/"
expect "password:"
send "$PASSPH\n"
expect "#"
One of option is use public/private key pair, see How to auto rsync with ssh passwordless
Or you can try use Expect

Resources