Is there any way to restrict access to phpmyadmin without adding a password to root (keeping root password as null). May be using Apache configuration files or other method?
As you enter username and password in phpmyadmin authentication screen, phpmyadmin directly try to access database from given username and passwords like
$conn = new mysqli(localhost, $username, $password);
If mysql returns any Databased associate with this user than phpmyadmin show complete information about this database.
So by default it's not possible to access phpmyadmin using root password null.
But still there are two option
Create new Mysql user with all database access privilege keeping your root password null
Phpmyadmin is open-source so make changes as per your need.
Sure, you can accomplish this with the normal Apache .htaccess authentication.
For instance, your .htaccess can contain:
AuthUserFile /home/Sanjay/.htpasswd-phpmyadmin
AuthName "My custom phpMyAdmin authentication"
AuthType Basic
Require valid-user
Then you just have to create the file /home/Sanjay/.htpasswd-phpmyadmin (you can use whatever path you wish here, in fact it may not be ideal to put it under your user home directory) using the htpasswd command-line program or one of the many online tools. Make sure both files are readable by the webserver and you should be all set.
Related
I'm able to login on phpMyAdmin with a root user and other users, even though I have restricted login to localhost. How can I fix this problem and restrict access to only one specified user remotely. Every other user account shouldn't be accessible remotely, especially root.
phpMyAdmin user accounts
As #Matt Clark points out, the MySQL user privileges consider the connection between MySQL and the web server. In order to restrict users from connecting to phpMyAdmin, you'll have to either configure your webserver to be more restrictive or use some of the protections included with phpMyAdmin.
Luuk mentioned that the AllowRoot directive can allow you to restrict root from connecting, but you might want to look at the allow/deny rules instead (or in addition): https://docs.phpmyadmin.net/en/latest/config.html#cfg_Servers_AllowDeny_rules. These go in your phpMyAdmin configuration file, config.inc.php, in the server-specific section. If you don't already have a config.inc.php file, you can create one in the same directory as the main phpMyAdmin installation, with this content, then put any additional directives at the end.
<?php
$i=0;
$i++;
If you'll always connect from the same IP address or range, something like this might be to your liking, adjusted of course for the proper username and addresses:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from 192.168.74.[0-255]');
Or, to allow access from any IP address,
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow jan from any');
By the way, as two other common security measures, phpMyAdmin also has support for two-factor authentication and can log failed login attempts such that a tool like fail2ban can be used.
I just discovered that in the file
/etc/dbconfig-common/phpmyadmin.conf
My database admin password is written in clear-text with no encryption.
How can I change that? I noticed online that many people are happy with this. Although I noticed that only root can see the content of this file (its permission is 600), I still would prefer not having clear passwords.
What do you suggest?
If you require any additional information, please ask.
If you are just looking for a solution for phpmyadmin, you could change it to cookie based authentication. then create .htaccess file with db username and password where pasword is stored in encrypted password file. on first call of page you will have to login once with user and password and then a cookie is stored locally so on next call you are straight in again.
procedure also described here (but for windows):
http://robsnotebook.com/xampp-builtin-security
about creating htaccess user:
http://httpd.apache.org/docs/2.2/programs/htpasswd.html
I want to restore an owncloud installation by restoring the database and all web files.My problem is, that I used the root user for the mysql database and owncloud created another user called oc-michael (my account name is michael). Now I need the password of this user to be able to create a user with this password.
Or how can I do this?
The password of the MySQL user oc-michael is written in your /config/config.php at the 'dbpassword' variable.
Hint: Please note that this looks like a hash but its just a very long plaintext password which was auto-generated.
Good Day
I am a front-end developer, and I know little from MySQL and databases.
I have a Wordpress MySQL database in CPanel. Now I forgot my password, and the password for my user as seen in phpmyadmin is hashed/encrypted.
How do I get the password?
NOTE: I do not have access to the Server since this is a website on a shared hosting account, so doing the following is not possible for me:
See this post on Stack
Stop the MySQL process.
Start the MySQL process with the --skip-grant-tables option.
Start the MySQL console client with the -u root option.
List all the users;
SELECT * FROM mysql.user;
Reset password;
UPDATE mysql.user SET Password=PASSWORD('[password]') WHERE User='[username]';
But DO NOT FORGET to
Stop the MySQL process
Start the MySQL Process normally (i.e. without the --skip-grant-tables option)
when you are finished. Otherwise, your database's security could be compromised.
If your website is working you can probably find the mysql user/password
in the config.php file in your wordpress filesystem.
Otherwise:
Your best option is probably to add a user to the database and give it the needed privileges, to do that:
Click MySQL databases.
Create new user.
Assign new user to your database.
Edit config.php on your wordpress filesystem and change to the new username.
This is sub optimal, but will work.
There is a simple way for you to gain access to your WordPress user info if you don't know the password. I'm assuming you are talking about a WordPress user password retrieval. You need to have access and edit privileges to your database to do this.
-Open up phpMyAdmin or however you prefer to access database tables
-Select your database
-Open the table wp_users
-Under the column 'user_login' you will need to find which entry you want to access. Your username should be in one of the row entries.
-Once found, there will be a 'user_pass' column as well. Now some explaining needs to happen. You cannot retrieve your password without hacking/brute forcing that encryption. These are MD5 hash encrypted passwords. What we are going to do is just simply create a new password here. All you have to do is Google "MD5 Hash generator". I tested this on the first result I found and it worked.
-Once you find a website with a generator just simply type in your password and then retrieve the hash that's given to you. For example I typed in 'password' and I receive '5f4dcc3b5aa765d61d8327deb882cf99' Now we have a new encrypted password to set. If you are worried about sites saving your password entries or hashes just make up a password as a temporary fix. Then you can just login with that and change the password via the WordPress Dashboard later.
-Select the row that your username is in. Click Change/Edit then just copy and paste the entire MD5 Hash into the wp_pass column.(Overwrite the old password btw.) Save/Go/Execute to make sure the table was re-written. In this example I would be pasting '5f4dcc3b5aa765d61d8327deb882cf99' into the column without quotes of course.
-Please be sure to only change the 'wp_pass' entry and to make sure it's corresponding to the correct username.(On the same row)
-Now you should be able to login with your new password.('password')
Suppose Mysql -dbs and an admin with a bad habbit to forget the passwords (or paranoid enough wanting more creative authentication, not just password). Is it possible to access Mysql -root shell for example in a way that the Ssh-agent stores the private keys and then I could just login by "mysql -u root" (without typing the passwords or a combination of private-key and a password)?
You can certainly use the normal SSH key authentication to log on to your shell account and then use a ~/.my.cnf file with your password inside. This will be used by default by the mysql command line client.
Its content should be:
[client]
user=the_user_name
password=the_password
Beware that whoever can read this file will be able to use those credentials. Protect it so that only the owner can read it (and lock your terminal if you go away from your keyboard).
If you want direct key-based authentication, you could also use SSL client-certificate authentication. You could create your own small CA and issue yourself with these client-certificates. A number of tools support this if you require direct remote access.