MySQL encrypted client password storage

Posted: 2017-02-10 14:27:55 by Alasdair Keyes

Direct Link | RSS feed


For years I've been using MySQL's ~/.my.cnf file to automatically manage logins for databases. However it's never sat well with me due to the fact that the file is plain text and even though you can restrict access with 0600 permissions, it's never good to have a password stored in plaintext.

I've recently been working on a MySQL 5.7 cluster and needed access to the production slave database and this issue raised it's head again. However as of MySQL 5.6, there is the option to store login details encrypted using mysql_config_editor

This tool allows you to setup profiles to access servers and store the details encrypted.

For example my previous ~/.my.cnf/ file might have

[mysql]
username=al
password=ComplexPassword

I could then access mysql like so...

# mysql
mysql> 

Now you define a profile so for the above example use

# mysql_config_editor set --login-path=localhost --host=localhost --user=root --password
Enter Password: <enter password>

--login-path is just a name and can be anything you like.

I can now login by specifying the login path

# mysql --login-path=localhost

What's nice is that you don't need to specify all the details, if you had a production and beta environment both with multiple servers you could run the following with different passwords and then supply the hostname on the command line

# mysql_config_editor set --login-path=production --user=root --password
Enter Password: <enter password>
# mysql_config_editor set --login-path=beta --user=root --password
Enter Password: <enter password>
# mysql --login-path=production -h proddb3
mysql>

The data is now stored in ~/.mylogin.cnf and is not readable

# cat ~/.mylogin.conf
<<JUMBLEDMESS>>

If you want to make backups or see what profiles you have, you can use

# mysql_config_editor print --all
[production]
user = root
password = *****
[beta]
user = root
password = *****

Removing profiles is as easy as

# mysql_config_editor remove --login-path=production


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

TDD Deciphered

Posted: 2017-02-09 12:16:58 by Alasdair Keyes

Direct Link | RSS feed


I recently happened upon this website about how to use TDD when building a project. Although it's written for PHP and PHPUnit, the premise can be applied to any language. The great thing about this site over others is that it actually shows TDD on the lifecycle of a valid project, not just using trivial one off examples.

https://tdd-deciphered.com/


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

PHP Apigen

Posted: 2016-12-28 20:34:21 by Alasdair Keyes

Direct Link | RSS feed


After discussions at work on producing code documentation, I was introduced to http://www.apigen.org/.

I'm not quite sure how I've not seen it before, but it is very slick and certainly something I'm going to look at using int he future.

More information about what it does can be seen on their site, but it essentially reads the PHPdoc blocks in your code and outputs to a nice HTML page that you can publish.

The key part is just how easy it is, from the root of your project run

apigen generate --source src_folder --destination public/docs

You can easily add it into a script for jenkins or for local a development branch, add it into the post update/install commands of your composer.json.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Strengthen your PHP Composer dependencies

Posted: 2016-12-21 22:38:22 by Alasdair Keyes

Direct Link | RSS feed


For those of you that use Composer to install and manage dependencies in your PHP App, you may be interested in https://github.com/Roave/SecurityAdvisories.

When updating your dependencies, it will alert if the versions you are using contain known vulnerabilities. It's quite simple in it's operation, the composer.json file populates the conflict key with a list of package versions that are known to be insecure so composer will fail to update.

The list isn't exhaustive, but it contains a number of large packages such as Doctrine, Drupal, Zend, Symfony


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Blog update to markdown

Posted: 2016-11-26 12:27:11 by Alasdair Keyes

Direct Link | RSS feed


For the duration of this blog's life the HTML for the post has been stored directly in the database.

I have now decided to move to Markdown as it is so much cleaner and easier to use. I've implemented the PHP Parsedown Library and the existing articles are slowly being migrate to markdown in small batches and the old ones still in HTML... because I really can't face changing all the articles at once. Hopefully if all has gone OK, you won't notice anything (as is mostly the way with IT)


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

OSX Sierra Upgrade and broken dev tools

Posted: 2016-11-25 13:03:53 by Alasdair Keyes

Direct Link | RSS feed


I upgraded my work Macbook from OSX El Capitan to Sierra after which git started returning a very unfriendly message

$ git status
git xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun

It turns out to be an issue with the OSX developer tools installation. Reinstall it with the following (requires sudo password) and you'll be good to go.

$ xcode-select --install


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Vagrant insecure key detected

Posted: 2016-11-17 22:26:51 by Alasdair Keyes

Direct Link | RSS feed


I recently downloaded the Ansible Tower free trial.

They have an easy to use Vagrant setup, however when running it on my Linux Mint box, I received the following error

default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
default: Warning: Authentication failure. Retrying...
default: Warning: Authentication failure. Retrying...

If the box is just a trial and security is not of prime importance, you can add the following to the Vagrantfile to resolve it.

config.ssh.insert_key = false

And you it should build fine and allow you access with a vagrant ssh


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Sullen Server

Posted: 2016-09-12 20:54:42 by Alasdair Keyes

Direct Link | RSS feed


Sad Server is sad.

https://twitter.com/sadserver


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Up and atom

Posted: 2016-08-28 13:51:25 by Alasdair Keyes

Direct Link | RSS feed


Over the past week, I've been trying to move towards using an IDE for my personal projects. I use PHPStorm at work, however I would like to use Open Source at home. I like the power of VIM, but sometimes I feel like I'm being held back by not utilising the full functionality available on a dedicated IDE. I've been doing a bit of testing and I quite like Github's Atom IDE.

There's more than enough posts about what's good and bad with it, I won't rehash it. However I do like the extensibility of it, having installed a number of packages to provide extra functionality. In keeping with being able to set up my machines from a fresh install with Puppet.. The following puppet snippet will install atom and the required packages from the $apm_packages array.

Due to the use of the puppet "each" function you will need to run this with the future parser option puppet apply --parser=future puppet_file.pp

$apm_packages = [
  "file-watcher",
  "perltidy",
  "perldoc",
  "linter-perl",
  "linter-puppet",
  "language-puppet",
]

$my_system_user = "bill";

file { "personal_atom_package_folder":
  path      => "/home/$my_system_user/.atom/packages/",
  ensure    => "directory",
  require   => Package["atom"],
}

each($apm_packages) |$package_name| {

  exec { "apm_$package_name":
    path        => [ "/usr/bin", "/bin" ],
    command     => "apm install $package_name",
    creates     => "/home/$my_system_user/.atom/packages/$package_name",
    user        => $my_system_user,
    environment => ["HOME=/home/$my_system_user"],
    require     => Package["atom"],
  }
}


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Open Source Slack

Posted: 2016-08-27 14:43:02 by Alasdair Keyes

Direct Link | RSS feed


Slack has been gaining a lot of traction for collaboration in the IT world over the last few years and it's quite a good tool but the "Cloud" aspect of it and the potential lack of privacy that comes with it is a big concern. Slack is often used to transfer files with business data and transmit data passwords (a practice I'm very much against). Although it uses TLS to stop snoopers betweeon your client and Slack itself, having Slack hold on to all your conversations is a worrying proposal for a business.

Enter Mattermost, an open source alternative to Slack that you install into your own infrastructure. It has a free cut-down version and further more advanced versions for a fee, however the basic slack functionality you're used to is all available in the free version.

The interface is heavily influenced by Slack and everything is where you'd expect and includes apps for all major OSes including Linux.

The downside of Mattermost is the management of the stack on your infrastructure, backups, updates etc but if you have an existing IT team, this should be a very minimal workload addition for the security and peace of mind that all your shared files/conversations are all stored in-house.

For testing they also provide an easy to install docker image, well worth a test.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

© Alasdair Keyes

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.



Happy user of Digital Ocean (Affiliate link)


Version:master-3093fcc3d4


Validate HTML 5