mysql configuration and hashed password


Larry Wapnitsky

Apr 12, 2021, 3:05:52 PM
to Salt-users
I need to connect as the root user on some of my databases, but they have been configured (not by me) to use a password rather than auth_sock. I know I can configure the minion file to use a username and password, but I'd rather use a hashed password instead. Is this possible instead of putting the password in cleartext?

Thank you

Vaarlion

Apr 13, 2021, 4:23:42 AM
to Salt-users
Hi :)
Hashed passwords aren't the password; they are a way to see if a given password matches, but you can't build back the password from the hash.
Because of how this works, you can't log in to MySQL by giving a hashed password.
You can use a vault to save the clear password somewhere safe and ask Salt to use that data (no clear password in the pillars).
You can add a user with auth_socket, give it all the rights and use it for your command.
You can create a .my.cnf file (0600 !!!) in the home of root with the login details in it.
Or if you don't share the pillars with other people, you can put it in clear because they will be encrypted during transit from the master to the minion.

Lots of options, and a lot more can be added to this non-exhaustive list :)

brent timothy saner

Apr 13, 2021, 9:43:10 AM
to salt-...@googlegroups.com
Depending on how you read this, there are potentially two different
questions here.

1.) "I know the password but don't want to store it in my pillars as
plaintext. How do I add the user to MySQL using the hashed form of the
password?"

2.) "I do not know the password for a MySQL user but I know the hash.
How do I configure the client?"


I'll cut to the chase and say #2 is flat out a nope. It's hashed, so you
can't derive the password from it.

Now, depending on your version and implementation (e.g. MySQL vs.
MariaDB/Percona, etc.), they're going to use different hashing methods
which may make it easier to *bruteforce* the hash and discover the
password, but ain't nobody got time for that - if you have root shell,
you can very easily just change the MySQL root password[0] - or if you
have the MySQL root password already and it's for a non-root-MySQL-user,
you can reset that even easier.[1]


For #1, however, if you're creating a user, there's a module[2a] for that.

To use a pre-hashed password, you can simply execute a query[2b] to the
likes of:

    UPDATE mysql.user
       SET Password = 'YOUR_PASSWORD_HASH_HERE'
     WHERE Host = 'YOUR_HOST_HERE' AND User = 'YOUR_USER_HERE';
    FLUSH PRIVILEGES;

The "YOUR_HOST_HERE" is likely "localhost" for socket connections.
The "YOUR_PASSWORD_HASH_HERE" should be in the exact form it's found in
another pre-configured MySQL (e.g.
"*9B500343BC52E2911172EB52AE5CF4847604C6E5").[3]


Alternatively, you can use a distributed .sql file containing the above
statements via file.managed[4] and using mysql_query.run_file to execute
it.[5]

Or you can have your entire user database, all your schemas, etc. in one
.sql and mysql_query.run_file that, etc.



[0]
https://www.techrepublic.com/article/how-to-set-change-and-recover-a-mysql-root-password/

[1]
https://dev.mysql.com/doc/refman/8.0/en/resetting-permissions.html#resetting-permissions-generic

[2a]
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.mysql.html#salt.modules.mysql.user_create

[2b]
https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.mysql.html#salt.modules.mysql.query

[3] This is a hash of the password "foobar".
See: https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html

[4]
https://docs.saltproject.io/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed

[5]
https://docs.saltproject.io/en/latest/ref/states/all/salt.states.mysql_query.html#salt.states.mysql_query.run_file
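
Added example, not part of the original thread: a Python sketch of the mysql_native_password exchange (the plugin that produces the 41-character `*...` hash format quoted above), showing why a client configured with the stored hash in place of the password is rejected. The function names and the sample password are constructed for illustration, and the random scramble stands in for the nonce a real server sends.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_hash(password: str) -> str:
    """What the server keeps in mysql.user: '*' + HEX(SHA1(SHA1(password)))."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_reply(secret: str, scramble: bytes) -> bytes:
    """Client side: SHA1(secret) XOR SHA1(scramble + SHA1(SHA1(secret)))."""
    stage1 = sha1(secret.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_accepts(stored: str, scramble: bytes, reply: bytes) -> bool:
    """Server side: undo the mask with the stored hash, re-hash, compare."""
    stage2 = bytes.fromhex(stored.lstrip("*"))
    mask = sha1(scramble + stage2)
    candidate_stage1 = bytes(a ^ b for a, b in zip(reply, mask))
    return hmac.compare_digest(sha1(candidate_stage1), stage2)


def demo() -> dict:
    password = "constructed-example-password"  # constructed sample value
    stored = stored_hash(password)
    scramble = os.urandom(20)  # stand-in for the server's per-connection nonce
    return {
        "stored": stored,
        "with_password": server_accepts(
            stored, scramble, client_reply(password, scramble)),
        # Client configured with the hash string where the password belongs:
        "with_hash_as_password": server_accepts(
            stored, scramble, client_reply(stored, scramble)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored value has no salt, so the same password always yields the same hash on every server; that is why the hash can be copied between servers as described above, and also why it should be handled as sensitive data rather than as a safe substitute for the password.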