Submitted by -eclipse- on Mon, 01/23/2017 - 16:00 Pro Licensee
When creating a new virtual server, the passwords for the user and MySQL are different. I can't seem to be able to locate the option to change this so that the MySQL password will be the same as the virtual server owner password.
I am using WHMCS to create new virtual servers and when doing so, the script doesn't set a MySQL password; it relies on it being the same as the virtual server user's password. Where do I change this setting so that it will be identical when creating the virtual server?
Looking forward to hearing from you. Thanks in advance.
Submitted by andreychek on Mon, 01/23/2017 - 16:38 Comment #1
Howdy -- while there should always be a MySQL password set -- in System Settings -> Server Templates -> Default -> MySQL, there's an option named "Keep MySQL and administration usernames in sync?".
You may want to see if that's at all related to the issue you're seeing at the moment.
Submitted by -eclipse- on Mon, 01/23/2017 - 16:43 Pro Licensee Comment #2
Thanks for your reply. Yes, that one is active, but when the virtual server is created from WHMCS it gets a virtual user password set (approx 8 characters long) and the MySQL password is 15 characters long (the random password length and complexity from the Virtualmin configuration page). The "always" in sync is when you change the virtual server user password it will also change the MySQL password, correct? But in the creation phase it seems to be different. It could be that the WHMCS virtual server creation template doesn't handle the MySQL password but relies on Virtualmin to create it? I am not 100% sure, but I need to look into that if I can't solve it in Virtualmin itself.
Submitted by andreychek on Mon, 01/23/2017 - 22:10 Comment #3
Ah, do you by chance have hashed passwords enabled?
Using hashed passwords can do that.
The goal with hashed passwords is never to have to store your Virtual Server owner's password in plain text, so in order to achieve that, hashed passwords has a separate MySQL password that's randomly generated.
Submitted by -eclipse- on Mon, 01/30/2017 - 12:27 Pro Licensee Comment #4
So if I removed the hashed password for MySQL, it would use the same password as the virtual server user. But then I would compromise the password complexity / security. Hmm..
Submitted by andreychek on Mon, 01/30/2017 - 12:33 Comment #5
That is correct; but note that the password security is already being compromised by storing it in plain text in your web apps :-)
So if the Virtual Server's login password is the same as the database password, there's already a security issue -- hashed passwords can't solve that.
Choosing hashed passwords solves the security issue by encrypting the Virtual Server owner's password, and making it different from the MySQL database password -- meaning that if someone discovers the plain text MySQL database password that's easily found on the filesystem, that doesn't mean they can access the Virtual Server owner's login account.
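The separation discussed in this thread can be checked from the admin side. The following is an added example, not part of the original thread and not Virtualmin's or WHMCS's code: it keeps the login password only as a salted hash, generates an independent random database password, and flags a web app config whose plain-text `DB_PASSWORD` is also the login password. The PBKDF2 scheme, the WordPress-style config line, and all names and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 stands in for the system's real hash scheme


def hash_login_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); only this pair is stored, never the plain text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches_login(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Check a candidate string against the stored login hash in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


# Matches define('DB_PASSWORD', '...') as found in a WordPress-style config file.
DB_PASSWORD_RE = re.compile(
    r"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def db_password_reuses_login(config_text: str, salt: bytes, digest: bytes) -> bool:
    """True if the plain-text DB password in the config is also the login password."""
    found = DB_PASSWORD_RE.search(config_text)
    return bool(found) and matches_login(found.group(1), salt, digest)


# Constructed sample data, not taken from the thread.
LOGIN_PASSWORD = "owner-Login-2017"
SALT, DIGEST = hash_login_password(LOGIN_PASSWORD)
SEPARATE_DB_PASSWORD = secrets.token_urlsafe(15)  # independent random DB credential

CONFIG_SHARED = f"define('DB_PASSWORD', '{LOGIN_PASSWORD}');"
CONFIG_SEPARATE = f"define('DB_PASSWORD', '{SEPARATE_DB_PASSWORD}');"

if __name__ == "__main__":
    print("shared flagged:  ", db_password_reuses_login(CONFIG_SHARED, SALT, DIGEST))
    print("separate flagged:", db_password_reuses_login(CONFIG_SEPARATE, SALT, DIGEST))
```

With a shared password, anyone who can read the config file holds the owner's login credential; with a separate random one, the file exposes only the database account.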