Created
September 29, 2019 11:47
-
-
Save epireve/00518e23909a3d32c789111ec27c5c70 to your computer and use it in GitHub Desktop.
Securing/updating PhpMyAdmin
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| When you installed phpMyAdmin onto your server, it automatically created a database user called phpmyadmin which performs certain underlying processes for the program. Rather than logging in as this user with the administrative password you set during installation, it’s recommended that you log in as either your root MySQL user or as a user dedicated to managing databases through the phpMyAdmin interface. | |
| Configuring Password Access for the MySQL Root Account | |
| In Ubuntu systems running MySQL 5.7 (and later versions), the root MySQL user is set to authenticate using the auth_socket plugin by default rather than with a password. This allows for some greater security and usability in many cases, but it can also complicate things when you need to allow an external program — like phpMyAdmin — to access the user. | |
| In order to log in to phpMyAdmin as your root MySQL user, you will need to switch its authentication method from auth_socket to mysql_native_password if you haven’t already done so. To do this, open up the MySQL prompt from your terminal: | |
| sudo mysql | |
| Next, check which authentication method each of your MySQL user accounts use with the following command: | |
| SELECT user,authentication_string,plugin,host FROM mysql.user; | |
| Output | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| | user | authentication_string | plugin | host | | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| | root | | auth_socket | localhost | | |
| | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost | | |
| | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost | | |
| | debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | mysql_native_password | localhost | | |
| | phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | mysql_native_password | localhost | | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| 5 rows in set (0.00 sec) | |
| In this example, you can see that the root user does in fact authenticate using the auth_socket plugin. To configure the root account to authenticate with a password, run the following ALTER USER command. Be sure to change password to a strong password of your choosing: | |
| ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; | |
| Then, run FLUSH PRIVILEGES which tells the server to reload the grant tables and put your new changes into effect: | |
| FLUSH PRIVILEGES; | |
| Check the authentication methods employed by each of your users again to confirm that root no longer authenticates using the auth_socket plugin: | |
| SELECT user,authentication_string,plugin,host FROM mysql.user; | |
| Output | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| | user | authentication_string | plugin | host | | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| | root | *DE06E242B88EFB1FE4B5083587C260BACB2A6158 | mysql_native_password | localhost | | |
| | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost | | |
| | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | mysql_native_password | localhost | | |
| | debian-sys-maint | *8486437DE5F65ADC4A4B001CA591363B64746D4C | mysql_native_password | localhost | | |
| | phpmyadmin | *5FD2B7524254B7F81B32873B1EA6D681503A5CA9 | mysql_native_password | localhost | | |
| +------------------+-------------------------------------------+-----------------------+-----------+ | |
| 5 rows in set (0.00 sec) | |
| You can see from this output that the root user will authenticate using a password. You can now log in to the phpMyAdmin interface as your root user with the password you’ve set for it here. | |
| # Configuring Password Access for a Dedicated MySQL User | |
| Alternatively, some may find that it better suits their workflow to connect to phpMyAdmin with a dedicated user. To do this, open up the MySQL shell once again: | |
| sudo mysql | |
| Note: If you have password authentication enabled, as described in the previous section, you will need to use a different command to access the MySQL shell. The following will run your MySQL client with regular user privileges, and you will only gain administrator privileges within the database by authenticating: | |
| mysql -u root -p | |
| From there, create a new user and give it a strong password: | |
| CREATE USER 'sammy'@'localhost' IDENTIFIED BY 'password'; | |
| Then, grant your new user appropriate privileges. For example, you could grant the user privileges to all tables within the database, as well as the power to add, change, and remove user privileges, with this command: | |
| GRANT ALL PRIVILEGES ON *.* TO 'sammy'@'localhost' WITH GRANT OPTION; | |
| Following that, exit the MySQL shell: | |
| exit | |
| You can now access the web interface by visiting your server’s domain name or public IP address followed by /phpmyadmin: | |
| http://your_domain_or_IP/phpmyadmin |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment