RE: mysql password encryption

2003-01-23 Thread Joe Palladino
Are the databases under the same database engine instance?  If they are, it's
not a problem, as the password is in the system table users and you can grant
access for that user to various databases in the system table database.  To
use the encrypted password field, use the password('password') function
supplied by the MySQL library.  It only encrypts your password string, but
it will let you do a compare of the strings.

Hope this helps.
Joe

-Original Message-
From: Cees Hek [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 11:29 AM
To: Martin Moss
Cc: Modperl
Subject: Re: mysql password encryption

Quoting Martin Moss [EMAIL PROTECTED]:

 All,

 I wish to let a user use the same password for them to authenticate to a
 multitude of mysql Databases AND to authenticate themselves on my modperl
 site.
 the problem I have is that I store the password in the database as a
 Password field. However when I wish to use DBI to connect to another mysql
 database I cannot use the Password stored in the database as it comes out
 encrypted.  I really don't want to store the unencrypted password anywhere
 on the system. Is there a way to let DBI/mysql know that the password I am
 giving them is ALREADY encrypted?

A feature like that would defeat the purpose of encrypting the password in the
first place.  The point of encrypting the password is so that if someone gets
their hands on the password list, they can not use the encrypted password to
access the system.  They would have to crack the passwords first before using
them to access the system.

By allowing someone to access the system with an already encrypted password,
then your passwords might as well not be encrypted at all.

Since you are using MySQL, have you looked at using the mysql_read_default_file
option to store your password in a config file?  Using a DSN like the following
allows you to keep the username and password in a config file.  Check the
DBD::mysql perldocs for more info, and the MySQL docs for all the parameters you
can put in such a file.

DBI:mysql:test;mysql_read_default_file=/etc/mysql/test.my.conf

and in /etc/mysql/test.my.conf

[client]
user = www
password = thebigsecretpassword

Then protect the file:

chown www /etc/mysql/test.my.conf
chmod 400 /etc/mysql/test.my.conf

You still have the password in plain text, but it is readable only by root and
the user that runs the webserver.  You can use this to connect to multiple MySQL
servers as long as the access tokens are the same on all servers.

Cees
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003




Re: mysql password encryption

2003-01-23 Thread Martin Moss
Cheers for all your help,

I realised that I didn't need to worry about decrypting the passwords, as I
can use the encrypted password with GRANT, so it solved my problem.
I guess I'll have to group my grants by table rather than permission, though.

Regards

Marty
- Original Message -
From: Joe Palladino [EMAIL PROTECTED]
To: Cees Hek [EMAIL PROTECTED]; Martin Moss [EMAIL PROTECTED]
Cc: Modperl [EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 3:44 PM
Subject: RE: mysql password encryption








Re: mysql password encryption

2003-01-23 Thread Joachim Zobel
On Wed, 2003-01-22 at 16:29, Martin Moss wrote:
 I wish to let a user use the same password for them to authenticate to a
 multitude of mysql Databases AND to authenticate themselves on my modperl
 site.
 the problem I have is that I store the password in the database as a
 Password field. However when I wish to use DBI to connect to another mysql
 database I cannot use the Password stored in the database as it comes out
 encrypted.  I really don't want to store the unencrypted password anywhere
 on the system. Is there a way to let DBI/mysql know that the password I am
 giving them is ALREADY encrypted?
 
 Has anybody else solved a problem like this?

You could use the encrypted password as the password to the remote
database. This however also defeats the purpose of encryption with
respect to the remote mysql.

How do you keep the local mysql password between requests? This is IMHO
essentially the same problem.

Is there a way to replicate the user/password table?

Hth,
Joachim





mysql password encryption

2003-01-22 Thread Martin Moss
All,

I wish to let a user use the same password for them to authenticate to a
multitude of mysql Databases AND to authenticate themselves on my modperl
site.
The problem I have is that I store the password in the database as a
Password field. However when I wish to use DBI to connect to another mysql
database I cannot use the Password stored in the database as it comes out
encrypted.  I really don't want to store the unencrypted password anywhere
on the system. Is there a way to let DBI/mysql know that the password I am
giving them is ALREADY encrypted?

Has anybody else solved a problem like this?

Regards

Marty




Re: mysql password encryption

2003-01-22 Thread Perrin Harkins
Martin Moss wrote:

the problem I have is that I store the password in the database as a
Password field. However when I wish to use DBI to connect to another mysql
database I cannot use the Password stored in the database as it comes out
encrypted.  I really don't want to store the unencrypted password anywhere
on the system. Is there a way to let DBI/mysql know that the password I am
giving them is ALREADY encrypted?


Why don't you just encrypt it yourself and store it in a VARCHAR?

- Perrin




Re: mysql password encryption

2003-01-22 Thread Cees Hek
Quoting Martin Moss [EMAIL PROTECTED]:

 All,
 
 I wish to let a user use the same password for them to authenticate to a
 multitude of mysql Databases AND to authenticate themselves on my modperl
 site.
 the problem I have is that I store the password in the database as a
 Password field. However when I wish to use DBI to connect to another mysql
 database I cannot use the Password stored in the database as it comes out
 encrypted.  I really don't want to store the unencrypted password anywhere
 on the system. Is there a way to let DBI/mysql know that the password I am
 giving them is ALREADY encrypted?

A feature like that would defeat the purpose of encrypting the password in the
first place.  The point of encrypting the password is so that if someone gets
their hands on the password list, they can not use the encrypted password to
access the system.  They would have to crack the passwords first before using
them to access the system.

By allowing someone to access the system with an already encrypted password,
then your passwords might as well not be encrypted at all.

Since you are using MySQL, have you looked at using the mysql_read_default_file
option to store your password in a config file?  Using a DSN like the following
allows you to keep the username and password in a config file.  Check the
DBD::mysql perldocs for more info, and the MySQL docs for all the parameters you
can put in such a file.

DBI:mysql:test;mysql_read_default_file=/etc/mysql/test.my.conf

and in /etc/mysql/test.my.conf

[client]
user = www
password = thebigsecretpassword

Then protect the file:

chown www /etc/mysql/test.my.conf
chmod 400 /etc/mysql/test.my.conf

You still have the password in plain text, but it is readable only by root and
the user that runs the webserver.  You can use this to connect to multiple MySQL
servers as long as the access tokens are the same on all servers.

Cees
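The config-file route in the post above, in code. This is an added example, not Cees's or DBD::mysql's code: a Python loader that does the two things the post relies on, refusing the file unless it is readable by its owner only (the chmod 400 step) and then pulling user and password out of the [client] section, the section mysql_read_default_file reads. The function names, the temporary directory and the sample option file that demo() writes are constructed for this example. The MySQL client library on its own only ignores world-writable option files, so the group/other readability check here is stricter than what the library enforces.

```python
import configparser
import os
import stat
import tempfile

# Any permission bit for group or other makes the file unacceptable.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_private_file(path: str) -> None:
    """Raise unless `path` is a regular file with no group/other permission bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OR_OTHER:
        raise PermissionError(
            f"{path}: mode {mode:04o} is accessible to group/other; expected 0400"
        )


def load_client_credentials(path: str) -> dict:
    """Return user/password (and host, if set) from the [client] section.

    Same section mysql_read_default_file reads, but only after the permission check.
    """
    check_private_file(path)
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    if not parser.has_section("client"):
        raise ValueError(f"{path}: no [client] section")
    client = parser["client"]
    if "user" not in client or "password" not in client:
        raise ValueError(f"{path}: [client] must set user and password")
    return {
        "user": client["user"],
        "password": client["password"],
        "host": client.get("host", "localhost"),
    }


def write_sample_file(directory: str, name: str, mode: int) -> str:
    """Write the option file from the post (constructed sample) with the given mode."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("[client]\nuser = www\npassword = thebigsecretpassword\n")
    os.chmod(path, mode)
    return path


def demo() -> dict:
    """Show the loader accepting a 0400 file and rejecting a 0644 one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        private = write_sample_file(tmp, "private.my.conf", 0o400)
        results["private"] = load_client_credentials(private)
        loose = write_sample_file(tmp, "loose.my.conf", 0o644)
        try:
            load_client_credentials(loose)
            results["world_readable"] = "accepted"
        except PermissionError:
            results["world_readable"] = "rejected"
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check looks at the mode bits rather than at whether the current process can read the file, so it gives the same verdict whether the web server, root or a deployment script runs it; that matters because a file root can read is not evidence that only the web user can.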