[CentOS] No MySQL password in ps aux!

Mon Sep 12 00:30:30 UTC 2011
Craig White <craigwhite at azapple.com>

On Sun, 2011-09-11 at 19:56 +0300, Dotan Cohen wrote:
> On Sun, Sep 11, 2011 at 19:35, Craig White <craigwhite at azapple.com> wrote:
> > you'd still have it in bash_history though so it's really a poor idea to
> > ever pass a significant password directly on the command line execution
> > - whether visible or not visible to ps. Much better is to be prompted
> > for the password instead...
> >
> > mysql mysql -u root -p
> >
> > and it will prompt
> >
> > another option is to have ~/.my.cnf which already has your password
> >
> > Craig
> >
> 
> Actually, it's not in Bash history because I log in from a remote
> server like this:
> $ ssh -t dotan at 1.2.3.4 "mysql -u root -pSECRET"
> 
> That, in turn, is actually aliased to something else. Therefore the
> login info does appear in my _local_ alias file, but if that is
> compromised then there is no reason to assume that ~/.ssh/ isn't also
> compromised, and vice versa.
> 
> Additionally, one could add a space before a command to prevent it
> from being written to the history, I do this when encrypting files
> with openssl.
----
not exactly sure what point you are trying to make about being
compromised - not all that relevant but you can still just use -p option
without the password and get prompted for the password which actually
solves your question.

Also, since MySQL is client/server you could probably use the mysql
client on your local machine and connect to the server and use
encryption but that isn't what you asked.

Also, presuming you are using bash on the originating machine, you would
have it in bash_history, just on a different machine. The point I was
trying to make is that it is generally a poor idea to put a password
into a shell command whether mysql or whatever.

Craig



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.