
Resolved MySQL admin credentials

Yves Vogl

Basic Pleskian
Hi,

I'd like to understand why the credentials for the MySQL user "admin" are encrypted in /etc/psa/.psa.shadow but the encrypted string itself can be used as the password.

$ cat /etc/psa/.psa.shadow
$AES-128-CBC$abcdefghiklmnop==$mnbvcxylkjhgfd==

$ mysql -uadmin -p`cat /etc/psa/.psa.shadow`
Welcome to the MariaDB monitor. Commands end with ; or \g.

This adds no value for security as the secret does not need to be decrypted.

Can someone please explain this to me?

Thanks!
Yves
 
Moreover, you can just run

# plesk db

and get access to the Plesk database. In terms of security, the main issue here is getting root permissions.
To improve security, the ability to retrieve the Plesk administrator password was removed in Plesk Onyx. Instead, run the plesk login command in the command line to generate a temporary token link.
 
As far as I understand, starting from version 10.2 Plesk Panel encrypts the Administrator's password before saving it to /etc/psa/.psa.shadow.

This avoids saving the password in cleartext to prevent an information disclosure vulnerability for /etc/psa/.psa.shadow if its permissions are not restrictive enough (by accident).

And just because of convenience (and later legacy reasons) the encrypted string is used as the password for the MySQL user "admin".
They could have been separated, but with no real gain in security, as the decryption key would have had to be stored on the server anyway.

Did I get this right?
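The reasoning above reduces to one point: because the stored string is itself what MySQL accepts, the only control protecting the admin credential is the file's ownership and mode. The following audit helper is an added example, not code from Plesk or from anyone in this thread. It parses the `$cipher$iv$ciphertext` layout shown in the first post (the field names and the regular expression are my assumptions), reports any group/other permission bits or unexpected owner, and demonstrates the check on a constructed sample file containing the thread's dummy string; nothing is decrypted and no real server is touched.

```python
"""Audit helper (added example, not Plesk code): checks whether the file that
holds the Plesk 'admin' MySQL credential is protected by file permissions
alone, as the thread argues. Runs against a constructed sample file."""
import os
import re
import stat
import tempfile

# Layout shown in the thread: $AES-128-CBC$<base64 iv>$<base64 ciphertext>.
# Field names are an assumption made for this example.
SHADOW_RE = re.compile(
    r"^\$(?P<cipher>[A-Z0-9-]+)\$(?P<iv>[A-Za-z0-9+/=]+)\$(?P<ct>[A-Za-z0-9+/=]+)$"
)


def parse_shadow(line):
    """Split the stored string into its three fields.

    The whole line is what MySQL accepts, so this is a format check only;
    the individual fields are never needed to use or protect the credential.
    """
    m = SHADOW_RE.match(line.strip())
    if not m:
        raise ValueError("unexpected .psa.shadow format")
    return m.groupdict()


def audit_shadow_file(path, expected_uid=0):
    """Return a list of findings; an empty list means the file is as tight as it can be."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Any group or other bit lets a non-owner read the credential directly.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    # On a real host the expected owner is root (uid 0).
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} is not {expected_uid}")
    with open(path) as fh:
        parse_shadow(fh.readline())  # raises if the layout is not the expected one
    return findings


def demo():
    """Constructed sample: write the thread's dummy string to a temp file with a
    weak mode, audit it, tighten the mode to 0600, and audit again."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, ".psa.shadow")
    with open(path, "w") as fh:
        fh.write("$AES-128-CBC$abcdefghiklmnop==$mnbvcxylkjhgfd==\n")
    os.chmod(path, 0o644)  # the "by accident" case described in the thread
    before = audit_shadow_file(path, expected_uid=os.getuid())
    os.chmod(path, 0o600)  # owner-only, the intended state
    after = audit_shadow_file(path, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("findings with mode 0644:", weak)
    print("findings with mode 0600:", fixed)
```

Run it as root against the real path only if you replace the sample file in `demo()` with `/etc/psa/.psa.shadow` and keep `expected_uid=0`; the point of the example is that a non-empty findings list means the "encryption" is not adding anything, because whoever can read the file already holds the working password.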
 