Admon Home » password

Password-Only Login for SSH and SCP

joseph — Wed, 23 Feb 2011 02:57:42 +0000

Public key authentication is very common way when we have to access remote Linux/UNIX servers. Normally, we add the public keys to the authentication agent on local side (e.g. by ssh-add), to simply the login process. But there might be problems, like this one:

debian@controller:~$ scp pub.admon.org:/tmp/2012.tgz .
Received disconnect from 10.195.15.37: 2: Too many authentication failures for debian

How can we bypass this issue without removing the keys from our authentication agent?

A direct way is to enable password authentication and force client to use it instead of public keys auth. To enable password authentication is very simple, you can just add the parameter “-o PubkeyAuthentication=no” to your ssh based command like ssh, scp and sftp.

debian@controller:~$ scp -o PubkeyAuthentication=no debian@pub.admon.org:/tmp/2012.tgz .
debian@parser.minivps.com's password:
2012.tgz                                                           100%    20MB     22.5MB/s   00:01

The option’s parameter is case insensitive, so you just need to remember it’s pubkey and authentication. If you face additional errors, please have a check and make sure you have password authentication enabled at the server side. Normally, that’s an active directive “PasswordAuthentication no” in /etc/ssh/sshd_config.

If you’re not sure how to enable public key authentication to harden your servers, you can refer to this link.

Generate random password in Linux Command Line

joseph — Sun, 25 Jul 2010 05:37:24 +0000

Password is widely used in a production environment, for example, when we created a system account, we need to set an initial password for it, and When email / database / Subversion / LDAP (..etc.) accounts created, random passwords are needed as well.
As the random password is common, there are many ways to generate random passwords in Linux/UNIX. We’ll show some examples here on how to generate a strong password on Linux command line.

Please note that this post does not cover the topics on password strength. you can use some online tools to check password strength.

GMail Password Strength Check

You can use the following four commands directly in most of Linux distributions with default install.

joseph@test:~$ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c8
3saMDFXB

I personally prefer to use this command. The other commands work great too, check below:

cat /dev/urandom | tr -cd 'a-f0-9' | head -c 16
dd if=/dev/random count=10 bs=1 | hexdump  | cut -d   -f 2-| head -n 1 | tr -d " "

uuencode which is supplied by sharutils is needed by this command (Sharutils is not installed by default):

head -c 12 /dev/random | uuencode -m - | tail -n 2 | head -n 1

By using the following command, you need to get mkpasswd installed. It’s man page is available here. It can be run like this:

mkpasswd -l 16 -s 0 -C 0|sed 's/[0ol1]/f/g'

Finally, if you have pwgen installed, you can also generate a random password in linux command line like this:

pwgen -ycn 16 1

PWGen supports Windows platform as well, you just need to install pwgen-win instead, it has a nice GUI.

Ways to reset MySQL user password

joseph — Fri, 01 Jan 2010 06:10:26 +0000

How can I change user password under MySQL server when I lost my password?
Here’s I’ll show two examples. The first example is about how to change password for normal user using Linux command line option, and the second example is on how to reset MySQL DBA password (By default, this user is called root).

Reset user password in MySQL
Let’s assume the normal user’s name is fatman, follow these steps to start:
1), Login to MySQL server, type following command at shell prompt to login as root

$ mysql -u root -p

2), Choose the right database mysql database, it’s mysql:

mysql> use mysql;

3), Change password for user fatman:

mysql> update user set password=PASSWORD("NEW-PASSWORD-HERE") where User='fatman';

4), Finally,dont forget to flush privileges:

mysql> flush privileges;

You can also use grant to reset a user’s password, the command is like this:

mysql> grant select,update,delete,insert on somedb.* to fatman@'somehost' identified by 'NEW-PASSWORD-HERE';

Reset DBA password in MySQL
When the DBA’s password lost, things become a little difficult, a restart might needed which is not so good for productive servers. There still have some possibilites to retrieval it without restart mysql service:

1), Is there any user has insert permission on the database “mysql”?
If so, he can insert into mysql.user and create another DBA account.

2), Is there any user has super user permissions?
For example, when the user was create like “GRANT ALL ON *.* TO user@’localhost’ WITH GRANT OPTION“, then this use is actually another DBA, you can ask him to reset root’s password.

If you got no luck till now, we have a common way here to fix the password. We can ask mysql server to bypass its grant tables when starting it. Thus it will not verify user passwords and permissions when they logon. That means all users will have full access to all databases as a database administrator.

$ /usr/sbin/mysqld --verbose --help | grep skip-grant-tables -A1
  --skip-grant-tables Start without grant tables. This gives all users FULL
                      ACCESS to all tables!
--
skip-grant-tables                 FALSE
skip-slave-start                  FALSE

Before making this changes, you need to make sure there’s no queries running on mysql. Then shutdown mysql instance first (mysql’s control script will help do that. In RPM based systems, it’s /etc/init.d/mysql) , and apply this option in the script, and start the service again.

When the DBA password got reset, do forget to remove the changes in mysql’s control script. If there any issue occures, please dont hesitate to create a topic in our support forum!