In this post I am showing how to generate a MySQL 5 password hash that can be used to create MySQL GRANTs using a hash instead of a password.
To use a password-hash to create GRANTs:
```sql
GRANT ALL ON *.* TO 'user'@'%' IDENTIFIED BY PASSWORD '<PASS-HASH>';
```
A good use case is the Puppet puppetlabs-mysql module, which automates the MySQL environment. You can automate/define USER and GRANT creation by using the code below, but notice that it requires a password hash instead of a password:
```puppet
users => {
  'someuser@localhost' => {
    ensure                   => 'present',
    max_connections_per_hour => '0',
    max_queries_per_hour     => '0',
    max_updates_per_hour     => '0',
    max_user_connections     => '0',
    password_hash            => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
  },
}
```
OR:
```puppet
mysql_user { 'root@127.0.0.1':
  ensure                   => 'present',
  max_connections_per_hour => '0',
  max_queries_per_hour     => '0',
  max_updates_per_hour     => '0',
  max_user_connections     => '0',
  password_hash            => '*F3A2A51A9B0F2BE2468926B4132313728C250DBF',
}
```
They recommend using mysql_password() for creating such a hash. But that means you need to have a MySQL server available.
This post is about getting those hashes using Python: I wrote a program/script to get the password hash programmatically.
The Python program/script can be found at:
https://github.com/parcejohn/mysql_password_hash
Usage
```
$ ./mysql_password_hash -h
usage: mysql_password_hash [-h] [-p PASSWORD | -r] [-l PASSWORD_LENGTH]

MySQL Password Hash Generator

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        Enter a password
  -r, --generate_random
                        Generate a random password
  -l PASSWORD_LENGTH, --password_length PASSWORD
```
# Using Command line arguments – User provided password (e.g. ‘secret’)
```
$ mysql_password_hash -p secret
PASSWORD: secret
HASH: *14e65567abdb5135d0cfd9a70b3032c179a49ee7
```
# Using Command line arguments – Random password with length=20 (default length=12)
```
$ mysql_password_hash -r -l 20
PASSWORD: gnlrn96^g18jcblmssa6
HASH: *e3cbe60709e8abe2082c92cc5e72a762d5f18e22
```
# interactive mode (no arguments)
```
mysql_password_hash
```
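The computation behind these hashes, as an added example (not the code from the linked repository): the MySQL 5 `PASSWORD()` format is `*` followed by the uppercase hex of SHA1 applied twice to the password. The function names, the UTF-8 encoding of the password and the symbol set used for random passwords are assumptions made here.

```python
import hashlib
import hmac
import re
import secrets
import string

# MySQL 5 (mysql_native_password) format: '*' followed by 40 uppercase hex digits.
HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_hash(password: str) -> str:
    """Return '*' + HEX(SHA1(SHA1(password))), the value MySQL's PASSWORD() yields."""
    if password == "":
        # Refuse rather than emit a hash for a passwordless account.
        raise ValueError("empty password")
    # Assumption: the password bytes are UTF-8 (depends on the connection charset).
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def random_password(length: int = 12) -> str:
    """Generate a password with the OS CSPRNG (secrets), not the random module."""
    # Assumption: this symbol set; adjust to your own password policy.
    alphabet = string.ascii_letters + string.digits + "^!#%_-"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def matches(password: str, stored_hash: str) -> bool:
    """Check a candidate password against a stored hash in constant time."""
    stored = stored_hash.strip().upper()
    if not HASH_RE.match(stored):
        raise ValueError("not a MySQL 5 password hash")
    return hmac.compare_digest(mysql_native_hash(password), stored)


if __name__ == "__main__":
    pw = random_password(20)
    print("PASSWORD:", pw)
    print("HASH:", mysql_native_hash(pw))
```

The hash is unsalted, so equal passwords always produce equal hashes; treat manifests that contain `password_hash` values as secrets.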