One place for hosting & domains

      Password

      How To Reset Your MySQL or MariaDB Root Password on Ubuntu 20.04


      The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      Forgot your database password? It happens to the best of us. If you’ve forgotten or lost the root password to your MySQL or MariaDB database, you can still gain access and reset the password if you have access to the server and a user account with sudo privileges.

      This tutorial demonstrates how to reset the root password for MySQL and MariaDB databases installed with the apt package manager on Ubuntu 20.04. The procedure for changing the root password differs depending on whether you have MySQL or MariaDB installed and the default systemd configuration that ships with the distribution or packages from other vendors. While the instructions in this tutorial may work with other system or database server versions, they have been tested with Ubuntu 20.04 and distribution-supplied packages.

      Note: On fresh Ubuntu 20.04 installations, the default MySQL or MariaDB configuration usually allows you to access the database (with full administrative privileges) without providing a password as long as you make the connection from the system’s root account. In this scenario, it may not be necessary to reset the password. Before you proceed with resetting your database root password, try to access the database with the sudo mysql command. Only if the default configuration for authentication was altered, and this results in an access denied error, follow the steps in this tutorial.

      Prerequisites

      To recover your MySQL or MariaDB root password, you will need:

      Note: Both database installation guides retain the default configuration for the database root account where a password is not needed to authenticate, as long as you can access the system’s root account. You can still follow this guide to set and verify a new password.

      Step 1 — Identifying the Database Version and Stopping the Server

      Ubuntu 20.04 runs either MySQL or MariaDB—a popular drop-in replacement that is fully compatible with MySQL. You’ll need to use different commands to recover the root password depending on which of these you have installed, so follow the steps in this section to determine which database server you’re running.

      Check your version with the following command:

      If you’re running MariaDB, you’ll see “MariaDB” preceded by the version number in the output:

      MariaDB output

      mysql Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

      You’ll see output like this if you’re running MySQL:

      MySQL output

      mysql Ver 8.0.22-0ubuntu0.20.04.3 for Linux on x86_64 ((Ubuntu))

      Note the database you are running. This will determine the appropriate commands to follow in the rest of this tutorial.

      In order to change the root password, you’ll need to shut down the database server. If you’re running MariaDB, you can do so with the following command:

      • sudo systemctl stop mariadb

      For MySQL, shut down the database server by running:

      • sudo systemctl stop mysql

      With the database stopped, you can restart it in safe mode to reset the root password.

      Step 2 — Restarting the Database Server Without Permission Checks

      Running MySQL and MariaDB without permission checking allows accessing the database command line with root privileges without providing a valid password. To do this, you need to stop the database from loading the grant tables, which store user privilege information. Since this is a bit of a security risk, you may also want to disable networking to prevent other clients from connecting to the temporarily vulnerable server.

      Depending on which database server you’ve installed, the way of starting the server without loading the grant tables differs.

      Configuring MariaDB to Start Without Grant Tables

      In order to start the MariaDB server without the grant tables, we’ll use the systemd unit file to set additional parameters for the MariaDB server daemon.

      Execute the following command, which sets the MYSQLD_OPTS environment variable used by MariaDB upon startup. The --skip-grant-tables and --skip-networking options tell MariaDB to start up without loading the grant tables or networking features:

      • sudo systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"

      Then start the MariaDB server:

      • sudo systemctl start mariadb

      This command won’t produce any output, but it will restart the database server, taking into account the new environment variable settings.

      You can ensure it started with sudo systemctl status mariadb.

      Now you should be able to connect to the database as the MariaDB root user without supplying a password:

      You’ll immediately see a database shell prompt:

      Now that you have access to the database server, you can change the root password as shown in Step 3.

      Configuring MySQL to Start Without Grant Tables

      In order to start the MySQL server without its grant tables, you’ll alter the systemd configuration for MySQL to pass additional command-line parameters to the server upon startup.

      To do this, execute the following command:

      • sudo systemctl edit mysql

      This command will open a new file in the nano editor, which you’ll use to edit MySQL’s service overrides. These change the default service parameters for MySQL.

      This file will be empty. Add the following content:

      MySQL service overrides

      [Service]
      ExecStart=
      ExecStart=/usr/sbin/mysqld --skip-grant-tables --skip-networking
      

      The first ExecStart statement clears the default value, while the second one provides systemd with the new startup command, including parameters to disable loading the grant tables and networking capabilities.

      Press CTRL-x to exit the file, then Y to save the changes that you made, then ENTER to confirm the file name.

      Reload the systemd configuration to apply these changes:

      • sudo systemctl daemon-reload

      Now start the MySQL server:

      • sudo systemctl start mysql

      The command will show no output, but the database server will start. The grant tables and networking will not be enabled.

      Connect to the database as the root user:

      You’ll immediately see a database shell prompt:

      Now that you have access to the server, you can change the root password.

      Step 3 — Changing the Root Password

      The database server is now running in a limited mode; the grant tables are not loaded, and there’s no networking support enabled. This lets you access the server without providing a password, but it prohibits you from executing commands that alter data. To reset the root password, you must load the grant tables now that you’ve gained access to the server.

      Tell the database server to reload the grant tables by issuing the FLUSH PRIVILEGES command:

      You can now change the root password. The method you use depends on whether you are using MariaDB or MySQL.

      Changing the MariaDB Password

      If you are using MariaDB, execute the following statement to set the password for the root account, making sure to replace new_password with a strong new password that you’ll remember:

      • ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password';

      You’ll see this output indicating that the password changed:

      Output

      Query OK, 0 rows affected (0.001 sec)

      MariaDB allows using custom authentication mechanisms, so execute the following two statements to make sure MariaDB will use its default authentication mechanism for the new password you assigned to the root account:

      • UPDATE mysql.user SET authentication_string = '' WHERE user="root";
      • UPDATE mysql.user SET plugin = '' WHERE user="root";

      You’ll see the following output for each statement:

      Output

      Query OK, 0 rows affected (0.01 sec)

      The password is now changed. Type exit to exit the MariaDB console and proceed to Step 4 to restart the database server in normal mode.

      Changing the MySQL Password

      For MySQL, execute the following statement to change the root user’s password, replacing new_password with a strong password you’ll remember. MySQL allows using custom authentication mechanisms, so the following statement also makes sure that MySQL will use its default authentication mechanism to authenticate the root user using the new password:

      • ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'new_password';

      You’ll see this output indicating the password was changed successfully:

      Output

      Query OK, 0 rows affected (0.01 sec)

      The password is now changed. Exit the MySQL console by typing exit.

      Let’s restart the database in normal operational mode.

      Step 4 — Reverting Your Database Server to Normal Settings

      In order to restart the database server in its normal mode, you have to revert the changes you made so that networking is enabled and the grant tables are loaded. Again, the method you use depends on whether you used MariaDB or MySQL.

      For MariaDB, unset the MYSQLD_OPTS environment variable you set previously:

      • sudo systemctl unset-environment MYSQLD_OPTS

      Then, restart the service using systemctl:

      • sudo systemctl restart mariadb

      For MySQL, remove the modified systemd configuration:

      • sudo systemctl revert mysql

      You’ll see output similar to the following:

      Output

      Removed /etc/systemd/system/mysql.service.d/override.conf. Removed /etc/systemd/system/mysql.service.d.

      Then, reload the systemd configuration to apply the changes:

      • sudo systemctl daemon-reload

      Finally, restart the service:

      • sudo systemctl restart mysql

      The database is now restarted and is back to its normal state. Confirm that the new password works by logging in as the root user with a password:

      You’ll be prompted for a password. Enter your new password, and you’ll gain access to the database prompt as expected.

      Conclusion

      You have restored administrative access to the MySQL or MariaDB server. Make sure the new password you chose is strong and secure, and keep it in a safe place.

      For more information on user management, authentication mechanisms, or ways of resetting database passwords for other versions of MySQL or MariaDB, please refer to the official MySQL documentation or MariaDB documentation.



      Source link

      How To Set Up Password Authentication with Apache on Ubuntu 18.04 [Quickstart]


      Introduction

      This tutorial will walk you through password-protecting assets on an Apache web server running on Ubuntu 18.04. Completing these steps will provide your server with additional security so that unauthorized users cannot access certain parts of your page.

      For a more detailed version of this tutorial, with more detailed explanations of each step, please refer to How To Set Up Password Authentication with Apache on Ubuntu 18.04.

      Prerequisites

      In order to complete this tutorial, you will need access to the following on an Ubuntu 18.04 server:

      Step 1 — Install the Apache Utilities Package

      We’ll install a utility called htpasswd, part of the apache2-utils package to manage usernames and passwords with access to restricted content.

      • sudo apt-get update
      • sudo apt-get install apache2-utils

      Step 2 — Create the Password File

      We’ll create the first user as follows (replace `first_username with username of your choice):

      • sudo htpasswd -c /etc/apache2/.htpasswd first_username

      You will be asked to supply and confirm a password for the user.

      Leave out the -c argument for any additional users you wish to add so you don’t overwrite the file:

      • sudo htpasswd /etc/apache2/.htpasswd another_user

      Step 3 — Configure Apache Password Authentication

      In this step, we need to configure Apache to check this file before serving our protected content. We will do this by using the site’s virtual host file, but there is another option detailed in the longer tutorial if you don’t have access or prefer to use .htaccess files instead.

      Open up the virtual host file that you wish to add a restriction to with a text editor such as nano:

      • sudo nano /etc/apache2/sites-enabled/default-ssl.conf

      Authentication is done on a per-directory basis. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space.

      In this step, add the following highlighted lines in your file:

      /etc/apache2/sites-enabled/default-ssl.conf

      <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      
        <Directory "/var/www/html">
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Directory>
      </VirtualHost>
      

      Check the configuration with the following command:

      You can restart the server to implement your password policy, and then check the status of your server.

      • sudo systemctl restart apache2
      • sudo systemctl status apache2

      Step 4 — Confirm Password Authentication

      To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt:

      Apache2 password prompt

      Here are links to more detailed guides related to this tutorial:



      Source link

      How To Set Up Password Authentication with Apache on Ubuntu 18.04


      Introduction

      As a web administrator, you may find it valuable to restrict some parts of a website from visitors, whether temporarily or on a permanent basis. While web applications may provide their own authentication and authorization methods, you can also rely on the web server itself to restrict access if these are inadequate or unavailable.

      This tutorial will walk you through password-protecting assets on an Apache web server running on Ubuntu 18.04 in order to provide your server with additional security.

      Prerequisites

      In order to complete this tutorial, you will need access to an Ubuntu 18.04 server.

      In addition, you will need the following setup before you can begin:

      • A sudo user on your server: You can create a user with sudo privileges by following the Ubuntu 18.04 initial server setup guide.

      • An Apache2 web server: If you haven’t already set one up, the How To Install the Apache Web Server on Ubuntu 18.04 tutorial can guide you.

      • A site secured with SSL: How you set this up depends on whether you have a domain name for your site.

        • If you have a domain name, you can secure your site with Let’s Encrypt, which provides free, trusted certificates. Follow the Let’s Encrypt guide for Apache to set this up.
        • If you do not have a domain and you are just using this configuration for testing or personal use, you can use a self-signed certificate instead. This provides the same type of encryption, but without the domain validation. Follow the self-signed SSL guide for Apache to get set up.

      When all of these are in place, log into your server as the sudo user and continue below.

      Step 1 — Installing the Apache Utilities Package

      Let’s begin by updating our server and installing a package that we’ll need. In order to complete this tutorial, we will be using a utility called htpasswd, part of the apache2-utils package, to create the file and manage the username and passwords needed to access restricted content.

      • sudo apt-get update
      • sudo apt-get install apache2-utils

      With this installed, we now have access to the htpasswd command.

      Step 2 — Creating the Password File

      The htpasswd command will allow us to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory.

      The first time we use this utility, we need to add the -c option to create the specified passwdfile. We specify a username (sammy in this example) at the end of the command to create a new entry within the file:

      • sudo htpasswd -c /etc/apache2/.htpasswd sammy

      You will be asked to supply and confirm a password for the user.

      Leave out the -c argument for any additional users you wish to add so you don’t overwrite the file:

      • sudo htpasswd /etc/apache2/.htpasswd another_user

      If we view the contents of the file, we can see the username and the encrypted password for each record:

      • cat /etc/apache2/.htpasswd

      Output

      sammy:$apr1$.0CAabqX$rb8lueIORA/p8UzGPYtGs/ another_user:$apr1$fqH7UG8a$SrUxurp/Atfq6j7GL/VEC1

      We now have our users and passwords in a format that Apache can read.

      Step 3 — Configuring Apache Password Authentication

      In this step, we need to configure Apache to check this file before serving our protected content. We can do this in one of two ways: either directly in a site’s virtual host file or by placing .htaccess files in the directories that need restriction. It’s generally best to use the virtual host file, but if you need to allow non-root users to manage their own access restrictions, check the restrictions into version control alongside the website, or have a web application using .htaccess files for other purposes already, check out the second option.

      Choose the option that best suits your needs.

      Option 1: Configuring Access Control within the Virtual Host Definition (Preferred)

      The first option is to edit the Apache configuration and add the password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. This option requires access to the configuration, which isn’t always available, but when you do have access, it’s recommended.

      Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we’ll be using the default-ssl.conf file that holds the default virtual host installed through Ubuntu’s apache package. Open up the file with a command-line text editor such as nano:

      • sudo nano /etc/apache2/sites-enabled/default-ssl.conf

      Inside, with the comments stripped, the file should look similar to this:

      /etc/apache2/sites-enabled/default-ssl.conf

      <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      </VirtualHost>
      

      Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a <Directory ___> block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:

      /etc/apache2/sites-enabled/default-ssl.conf

      <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      
        <Directory "/var/www/html">
        </Directory>
      </VirtualHost>
      

      Within this directory block, specify that we are setting up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, make it a requirement that only a valid-user may access this resource, which means anyone who can verify their identity with a password will be allowed in:

      /etc/apache2/sites-enabled/default-ssl.conf

      <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      
        <Directory "/var/www/html">
            AuthType Basic
            AuthName "Restricted Content"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Directory>
      </VirtualHost>
      

      Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.

      Before restarting the web server, you can check the configuration with the following command:

      • sudo apache2ctl configtest

      If everything checks out and you get Syntax OK as output, you can restart the server to implement your password policy. Since systemctl doesn’t display the outcome of all service management commands, we’ll use the the status to be sure the server is running:

      • sudo systemctl restart apache2
      • sudo systemctl status apache2

      Now, the directory you specified should be password protected.

      Option 2: Configuring Access Control with .htaccess Files

      Apache can use .htaccess files in order to allow certain configuration items to be set within a content directory. Since Apache has to re-read these files on every request that involves the directory, which can negatively impact performance, Option 1 is preferred, but if you are already using .htaccess file or need to allow non-root users to manage restrictions, .htaccess files make sense.

      To enable password protection using .htaccess files, open the main Apache configuration file with a command-line text editor such as nano:

      • sudo nano /etc/apache2/apache2.conf

      Find the <Directory> block for the /var/www directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from None to All:

      /etc/apache2/apache2.conf

      . . .
      
      <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
      </Directory>
      
      . . .
      

      Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.

      Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html, but you can place this file in any directory where you wish to restrict access:

      • sudo nano /var/www/html/.htaccess

      Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

      /var/www/html/.htaccess

      AuthType Basic
      AuthName "Restricted Content"
      AuthUserFile /etc/apache2/.htpasswd
      Require valid-user
      

      Save and close the file. Restart the web server to password protect all content in or below the directory with the .htaccess file and use systemctl status to verify the success of the restart:

      • sudo systemctl restart apache2
      • sudo systemctl status apache2

      The directory you specified should now be password protected.

      Step 4 — Confirming Password Authentication

      To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt that looks like this:

      Apache2 password prompt

      If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit “Cancel”, you will see the “Unauthorized” error page:

      Apache2 unauthorized error

      Conclusion

      Congratulations! If you’ve followed along, you’ve now set up basic authentication for your site.

      There is much more that you can do with Apache configuration and .htaccess. To learn more about the flexibility and power available in Apache configuration, try one of these tutorials:



      Source link