I have a remote device that must login to mySQL database, but will not permit special characters on the username field.
When I create a new username, it appends #databasename.
So for example if I create a user called testconnection, it wont work by itself, I must use testconnection#databasename as username.
How can I create a username that is not automatically appended the database name?
This is MySQL principle, you could fin the principle in the official document:Adding User Accounts. The # is used to specify your host.
It's not the azure mysql appends #hostname, actually it's %, account uses the % wildcard for the host part, so it can be used to connect from any host.
And if you create with like this code without hostname:
CREATE USER 'new_master_user' IDENTIFIED BY 'StrongPassword!';
it will append %.I add an user with % to make the error happens.
And in MySQL workbench you could find if you set the Limit to Hosts Matching null, it will prompt Host name must not be blank. So the hostname is a required parameter.
Related
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
I have just reset my root password after a long struggle. I see there are three root users in phpmyadmin. Should I delete two roots and keep only one or I need all the three?
(I am afraid of keeping three roots and changing the root password, may not allow me to enter phpmyadmin again due to multiple root ambiguity. I just wonder how three root users have been created. isn't that localhost and the local IP 127.0.0.1 refer to same local server/system? )
Thanks in Advance for any help,
First of all, there is no such thing as phpmyadmin users. These users are defined in mysql. Phpmyadmin only manages mysql databases.
As #urfusion has pointed out, in mysql a user is made up of an username and a host name part in form of 'user_name'#'host_name'. Host name refers to the computer from which the connection is made. If 2 user accounts have the same username, but different host names, then those are not the same users, even though their access rights might be the same.
The complication in mysql is that a computer may be identified through its name (e.g. mycomputer) or its IP address (e.g. 1.1.1.1), depending on whether mysql is able to resolve the IP address of the host or not. This is why mysql comes with a 'root'%'localhost' and a 'root'%'127.0.0.1', just to make sure that you can connect initially regardless if IP address resolution works or not.
If the host name is left blank or contains '%', it means that with that user id you can connect from any machine. This is the 3rd default root user in mysql.
If you do not want to connect to your mysql database from a different computer as root, then you can remove the 'root'%'%' account. This depends on your operational environment. If php (webserver) runs on the same computer where mysql is, then phpmyadmin requires a user account with localhost or 127.0.0.1 hostname only.
However, I would leave the 'root'%'localhost' and a 'root'%'127.0.0.1' intact just in case IP address resolution does not work. I would also make sure that their access rights are exactly the same (by default they are).
Phpmyadmin(actually MySql) users are identified by a pair of username and hostname. 127.0.0.1, ::1, and localhost all allow you access from your local machine. Without them, you would not be able to connect.
So I didn't recommend you to delete other users
please check users for more information.
delete root user
Need to create simple mysql-backup script.
But - how can I store encrypted pass of MySQL user in it?
I want to avoid store password in plaintext type in any additional files.
As I found in MySQL manual:
MySQL encrypts passwords stored in the user table using its own algorithm
So. there is no way to just get hash and set it as variable?
I mean:
DBHASH="cGFzc3dvcmQ="
DBPASS=`echo $DBHASH | openssl enc -base64 -d`
Is there any correct way to sovle it?
Thanks for tips.
It doesn't matter if the script contains a plaintext password or not if it includes a repeatable routine for getting into MySQL (i.e. automatically decrypting) - an attacker would just do the same. If you could pass the hash/decrypted password and have MySQL compare it would be just as repeatable (and the hash would function as a password anyway).
So, the easy answer is: You can't do this. You have some options...
Set up a correctly chmoded (600) ~/.my.cnf with the credentials.
Create a 'restricted', password-less backup-account that is only allowed to log in from localhost.
Only allow backup logins from localhost/backup host in either case.
If you're on Debian you could use the debian-sys-maint account (which has a my.cnf already set up with credentials)
Restrict the mysql account and include the password in the script plain text, but only allow given user/root to read script (if you have root you can take over mysql anyway).
Read/'source' the config variables (username/password) from an external file (with correct chmod - 600)...but you're basically doing the my.cnf-thing by then.
Remember a "backup account" does not need write privileges etc...
afaict, there's no way to do what you're looking for. Whether you store the hash or the original password, you will anyway store very sensible information that might be evil used if someone gets read access to your script.
What you may prefer, is instead setup up an user account that can't login, and setup up mysql so that user has the exact permissions for your script. And also make it so that this user is the only one having exec access to the script.
I am trying to create a host table in phpMyAdmin for user access and while there is this option below, I cannot find this table to add hosts nor any instructions to create one.
Am I missing something?
Field: Use Host Table
Description: When host table is used, this field is ignored and values stored in Host table are used instead.
Thank you in advance
As of MySQL 5.6.7 the host table is no longer included in the installation of MySQL.
https://dev.mysql.com/doc/refman/5.6/en/grant-tables.html
It used to be that you could use the host table (located at mysql.host) to define allowed hosts for a specific database. It worked something like this:
A user would try to do something (let's say INSERT).
The server would look in the mysql.user table to see if the user had global INSERT privileges.
If the user didn't have global INSERT privileges the server would then look in the mysql.db table to see if the user had DB specific privileges.
If the user had DB specific privileges and the mysql.db.Host field was empty the server would look in the mysql.host table for any hosts that matched the Db field of the mysql.db.Db field.
Assuming it found a match it would allow the INSERT.
If you want to have multiple hosts for a given user read the following:
http://dev.mysql.com/doc/refman/5.6/en/account-names.html
Since a MySQL username is actually 'name'#'host' you could always add multiple users with the same name but different hosts and give them the same privileges.
Why does phpmyadmin still include this feature?
I can only assume that it is for legacy support.
For some reason, when creating a MySQL user with empty password, it only allows connections if the user has the same name as a system user (Ubuntu Server 10.04, MySQL version 5.1.41). According to everything I have read so far, MySQL users ought to be completely separate from the system user accounts, so I'm not sure how to explain what's going on.
Am I doing something wrong? Is there some settings somewhere that affects this?
(Additional info:
I'm setting this up to only allow connections from the local network; some of the tools I'm using on a project require a user without a password.)
This seems likely to be a duplicate, though when I searched I couldn't find any previous question about this issue. If the same question HAS been asked before, I apologize.
here is something i found in mysql docs.
When you assign an account a nonempty password using SET PASSWORD, INSERT, or UPDATE, you must use the PASSWORD() function to encrypt the password, otherwise the password is stored as plaintext. Suppose that you assign a password like this:
mysql> SET PASSWORD FOR
-> 'username'#'localhost' = 'mypass';
The result is that the literal value 'mypass' is stored as the password in the user table, not the encrypted value. When user attempts to connect to the server using this password, the value is encrypted and compared to the value stored in the user table. However, the stored value is the literal string 'mypass', so the comparison fails and the server rejects the connection with an Access denied errorFirst have a user name (other than system name) with some password.
So have a user name of your choice with some passowrd and then use PASSWORD() function to set an empty password. The use of the function can be seen here.