Applicable to:
- Plesk for Linux
Question
-
How to connect to a MySQL server on Linux using a MySQL admin password in plain text?
- How to get MySQL admin password in plain text?
Answer
For security reasons, MySQL admin password is encrypted and stored in the file /etc/psa/.psa.shadow on a Plesk for Linux server.
To connect to a MySQL server using the MySQL admin password in plain text, use the encrypted string from the file /etc/psa/.psa.shadow:
-
Connect to a Plesk server via SSH.
-
Print the content of
/etc/psa/.psa.shadow:# cat /etc/psa/.psa.shadow
$AES-128-CBC$ZmY/EEpy1+TwCNq5kalqSA==$Pd02kf4TTlpXdi/qyeo92w== -
Use the string from the command above as an admin password when connecting using database management tools (MySQL Workbench, HeidiSQL, etc.).
Note: When connecting to MySQL server using a plain admin password from a Linux shell, be sure to put single quotes on the sides of the password:
# mysql -uadmin -p'$AES-128-CBC$ZmY/EEpy1+TwCNq5kalqSA==$Pd02kf4TTlpXdi/qyeo92w=='
Comments
7 comments
Regarding the above note: 'Put the backslash symbol "\" before the sign "$" - there are three $ in the string below, all of which are preceded by backslashes. Personally, I'm attempting to enable login from remote via SSH tunnel and private keys. The SSH connection is fine, but I'm still getting 'Access denied' for the admin mysql login. The password reset utility provided by Plesk allows a reset of the password, but does not allow you to specify the password, nor is there any way to recover the password.
@Scott
There is a possibility that encrypted password contains other special symbols that should be escaped with the backslash as well, for example "@", "#", "%" etc.
I suggest adding backslashes for any character in the password except numbers and Latin letters.
@Denis of course you are right, but I think this is all beside the point. I solved my problem with the following:
- Log into Plesk as admin with mysql -uadmin -p`cat /etc/psa/.psa.shadow`
- grant all on *.* to newadminuser@localhost identified by 'xxxxxxxxxxxxxxxxxxx';
My point is that if an attacker already has root access to your server with SSH, this additional encryption of the Plesk admin password is worthless, and kind of a pain. I think enabling MySql connections outside of localhost is crazy, but to restrict access when you already have (root) ssh access to the server seems really silly to me. I'm in the midst of migrating 40 or so web sites to a new server, and really didn't want to have to manage separate connections for each of those as I'm migrating and testing. Either way, if I can bypass this with one line of MySql, it's not really adding anything to the security of my server.
Hello @Scott,
Thank you for sharing your user experience and thoughts about current design.
Plesk Development team constantly works on security improvement.
As for migration, here is the useful article on how to migrate websites.
how about windows ?
@Ahmed
Check the following KB article: How to retrieve administrator's Plesk database password on Plesk 17.8 for Windows?
Even easier:
mysql -uadmin -p`cat /etc/psa/.psa.shadow`
Please sign in to leave a comment.