I wrote a script to backup my MySQL databases using:
mysqldump --opt --all-databases -u user -pmypassword > myDump.sql
A cron launches it every night and scp the result to another server.
mypassword appears in clear in my script, everyone can see it with the appropriate rights. I have been told about /proc issues too (where the cmd run can be seen).
MySQL documentation says:
Specifying a password on the command line should be considered insecure. See Section 7.6, "Keeping Your Password Secure".
I have not found this magic 7.6 sections anywhere.
What is the good practice to deal with automatic mysqldump and password security?
Quoting the MySQL docs(http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html):
Store your password in an option file. For example, on Unix you can list your password in the [client] section of the .my.cnf file in your home directory:
[client]
password=your_pass
To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example:
shell> chmod 600 .my.cnf
To name from the command line a specific option file containing the password, use the --defaults-file=file_name option, where file_name is the full path name to the file.
to add to Sahil's answer above, use --defaults-extra-file
--defaults-extra-file
is used to tell a program to read a single specific option file in addition to the standard option files.
whereas --defaults-file is read instead of the default my.cnf file.
The accepted answer stores the password in a plain text file, which could be read by anyone with administrative (root) access. If your database is in a shared hosting environment, this is undesirable.
A better option would be to use mysql_config_editor to create an encrypted login path named mysqldump. According to the MySQL documentation:
mysql_config_editor encrypts the .mylogin.cnf file so it cannot be read as cleartext, and its contents when decrypted by client programs are used only in memory. In this way, passwords can be stored in a file in non-cleartext format and used later without ever needing to be exposed on the command line or in an environment variable.
The following command will create your mysqldump login path:
mysql_config_editor set --login-path=mysqldump --host=your_hostname --user=your_username --password
You will be prompted to enter your password, and the login path you created will be stored in encrypted format. mysqldump will automatically use this login path whenever you call it in the future, unless you specify a different login path with the --login-path command line option.
Here is how you would invoke mysqldump after creating an encrypted login path:
mysqldump database_name > output_file
All answers here are in pieces so sharing a complete command which will do the required and must be used if database are heavy in size, --single-transaction and --lock-tables are very important here
mysqldump --defaults-extra-file=/home/dangi/.my.cnf -u root --single-transaction --quick --lock-tables=false --all-databases (or) DATABASE | gzip > OUTPUT.gz;
Note: Answer is in add of Avibodha and sahil answer, they have already made the point. I am just putting their answer in single piece of code with important measure should be taken at time of backing up live database
Check out Keeping Passwords Secure for a good answer. You can store your password in the my.cnf file changing the permissions on that file to keep the password secure.
You can also check the last comment on this page too:
MYSQL_PWD="tinkerbell" mysqldump -ubackup --all-databases > dump.sql
The following method works for me on a Windows machine, if you have 2 versions of MySQL installed, and you are not sure which my.ini is used when you run mysqldump, this will also help:
1, C:\ProgramData\MySQL\MySQL Server 5.6\my.ini, fine [client], replace it to:
[client]
user=my_user
password=my_password
2, Use this command:
C:\Program Files\MySQL Server 5.6\bin>mysqldump --default-extra-file="C:\ProgramData\MySQL\MySQL Server 5.6\my.ini" -u my_user db_to_export > db_to_export.sql
Related
I'm trying to add a new use to a linux machine.
I used this command.
adduser "user_name" -u "UID" -G "GROUP_NAME"
the entry what is see in /etc/shadow is
"user_name":$1$IfBL9BXC$ealgUJum3HJsDRqOUY74O1:0:0:99999::::
But when I try to login with the same user name,my password was accepted but immediately asked me to change password as below.
You are required to change your password immediately (root enforced)
What should I do?
For anyone who comes across this when dealing with eg. DigitalOcean machines which are set up this way, and don't feel like manually fixing this because they automate deployments anyway and only use publickey authentication, here's an Ansible task to fix this:
# http://docs.ansible.com/ansible/lineinfile_module.html
# Get rid of DO's root password and 'you must change next time you login' stuff
- name: Setup root account properly
lineinfile:
backup: yes
dest: /etc/shadow
regexp: "^root:.*$"
state: present
line: "root:*:16231:0:99999:7:::"
The best thing to do is to change your password as asked.
The third field in the /etc/shadow file indicates the number of days (since January 1, 1970) since the password was last changed. An empty values indicates the password was never changed and a value of 0 forces the user to change it.
As an alternative, you can edit your /etc/shadow file and remove the 0 from the third field. But do that at your own risk.
In my case I wanted to install MySQL 8.0 non-interactively in the User Data specified when creating the droplet instance, and it showed the error You are required to change your password immediately (root enforced).
My solution is based on the answer of unilynx, but without needing Ansible (because the user data is run before ansible runs the tasks in the host):
sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow
This way the root account is disabled for login, but I don't receive the error I mentioned above.
I have created a very small script below which i want help me to move files from one server to other server periodically via cronjob.
#!/bin/sh
HOST='1.1.1.1'
FILE='EndpointUsage*.*'
PASS='password#'
sftp kingadmin#$HOST
password $PASS <<END_SCRIPT
binary
lcd /var/tmp/
mput $FILE
quit
END_SCRIPT
Problem i am facing.
1) I need this script to give the password automatically, i do not want to give password manually whenever this script run. Currently when i ran the commands its asking for password as below.
LA:/var/tmp # ./portmove.sh
kingadmin#1.1.1.1's password:
2) I want to send the files to particular directory on remote server. Can you please help how to put the locations in the script so that my script can send the files to particular directory let say in every 10 minutes(which i can configure in cronjob)
Thanks you in advance.
Instead of using a password, consider using a public/private key pair.
You can then specify the key file instead of a password.
Good morning everyone! I have a bash script starting automatically when the system boots via the .profile file in the users home directory:
sudo menu.sh
The script starts just as expected however, when calling things like ssh UN#ADDRESS inside the script, the known_hosts file gets placed in the /root/.ssh directory instead of the user account calling the script! I have tried modifying .profile to call 'sudo -E menu.sh' and 'sudo -H menu.sh', but both fail to have the known_hosts file created in the users home directory that's calling the script. My /etc/sudoers is as follows:
# Declarations
Defaults env_keep += "HOME USER"
# User privilege specification
root ALL=(ALL) ALL
user ALL=NOPASSWD: ALL
Any help would be appreciated!
Thanks
Dave
UPDATE: so what I did as a work around is go through the script and add 'sudo -u $USER' before specific calls (since sudo is supposed to keep the $USER env var). This to me seems like a very bad way of resolving this problem. It sudo is supposed to keep the USER and HOME directory variables upon launching menu.sh, why would I need to explicitly call sudo once again as a specific user in order to retain that information (even though sudo is being told to keep it via the /etc/sudoers file). No clue, but wanted to update this post for anyone that comes across it until a better solution can be found.
Regarding OpenSSH, the default location for known_hosts is ~/.ssh/known_hosts. Ssh doesn't honor $HOME when expanding a "~" in a filename. It looks up the user's actual home directory and uses that. When you run ssh as root, it's going to interpret that pathname relative to root's home directory no matter what you've set HOME to.
You could try setting the ssh parameter UserKnownHostsFile to the name of the file you'd like to use:
ssh -o UserKnownHostsFile=$HOME/.ssh/known_hosts user#host...
However, you should test this. Ssh might complain about using a file that belongs to another user, and if it has to update the file then the file might end up being owned by root.
Really, you're best off running ssh as the user whose .ssh folder you want ssh to use. Running processes through sudo creates a risk that the user can find a way to do things you didn't intend for them to do. You should limit that risk by using the elevated privileges as little as possible.
I want to normalise the yum.repo files for all computers on our small network i.e
sudo scp /etc/yum.repos.d/* $HOSTNAME:/etc/yum.repos.d/
I can loop through all hostnames easily enough and execute the command to copy, however I am prompted for the root password on each occasion which is becoming tiresome. How can I script this with bash or perl so that I only need to type the root command in once?
Implement password-less authentication with ssh keys, as described here, for instance. This will allow to run scripts without password prompts using ssh key file in your home folder.
I have created lately in Windows ssh key - so I have .ppk file. Converted it also to openssh.
In windows I have been using tortoise with pageant to connect to svn+ssh server. Now I want to switch to linux. How can I connect to svn+ssh with this key .ppk or opessh file. I would like to use PagaVCS or RabbitVCS but it keeps asking me for login and password which obviously I don't have because I have only this openssh or .ppk file. Anyone could help??
Use puttygen to convert the key to openssh format. It is for example described here: http://leadingedgescripts.co.uk/server-administration/how-to-convert-your-putty-ppk-private-key-to-a-normal-ssh-key-you-can-use-on-an-apple-mac/
Unfortunately no experience with either Rabbit or the other one. In *nix environment I would create $HOME/.ssh/config and write something like that:
Host host
User user
IdentityFile /path/to/your/key
And then use svn+ssh://host/directory (ssh then takes configuration information from the .ssh/config file). Maybe something like can be done with one of the VCS's?
As last (or first in my case) resort I'd use cygwin or mingw and configure ssh access there - and then configure the tools to use ssh coming from these packages.
Puttygen exports private keys DES encoded, which causes some software (e.g. OpenSSH on Ubuntu) to silently ignore the key and prompt for password.
To use PuTTY .ppk key in linux OpenSSH, first export the key:
Start puttygen
File -> Loadprivate key
Conversions -> Export OpenSSH key (private.key in this example)
Now, on the linux machine, re-encrypt the key using passphrase change command:
ssh-keygen -pf private.key
Enter the same passphrase 3 times (old, new, new) to actually not change it.
Now you can check the key file that DEK-Info: changed from something like DES-EDE3-CBC,F1785C4B846C781F to AES-128-CBC,916627D6328608175FA4545928372EA3.
The client application should not promt you for password anymore.
I am sure the answer for this was online but I can't seem to find it anywhere any more so here it is from beginning to end including the conversion you say you've done:
Open puttygen on Windows.
Load your private key (name.ppk) using the passphrase if needed.
Go to 'Conversions' -> 'Export OpenSSH Key' and save it as (I'll assume you called it 'fileName').
Copy this key into your home directory on Linux.
Open a terminal and move it to the .ssh directory with the command 'mv fileName .ssh/' (~/.ssh is hidden in the gui but it's there).
Navigate to the .ssh dir with 'cd .ssh'
Cat the file into a new file called id_rsa with the command 'cat fileName > id_rsa'.
Change the permissions on id_rsa to 600 with the command 'chmod 600 id_rsa'.
Finally make sure the .ssh directory has its permissions set to 700 'cd ..' to drop to the home directory and 'chmod 700 .ssh' to set permissions.
This should do it.
There must be better info out there but this link has some stuff you might find interesting, particularly the bit about permission http://www.lamolabs.org/blog/6241/one-liner-working-with-ssh-keygen-ssh-key-pair-files/