
Resolved MySQL admin credentials

Yves Vogl

Basic Pleskian
Hi,

I'd like to understand why the credentials for the MySQL user "admin" are encrypted in /etc/psa/.psa.shadow but the encrypted string itself can be used as the password.

$ cat /etc/psa/.psa.shadow
$AES-128-CBC$abcdefghiklmnop==$mnbvcxylkjhgfd==

$ mysql -uadmin -p`cat /etc/psa/.psa.shadow`
Welcome to the MariaDB monitor. Commands end with ; or \g.

This adds no value for security as the secret does not need to be decrypted.

Can someone please explain this to me?

Thanks!
Yves
 
Moreover, you can just run

# plesk db

and get access to the Plesk database. In terms of security, the main issue here is obtaining root permissions.
To improve security, the ability to retrieve the Plesk administrator password was removed in Plesk Onyx. Instead, run the plesk login command in the command line to generate a temporary token link.
 
As far as I understand, starting from version 10.2, Plesk Panel encrypts the Administrator's password before saving it to /etc/psa/.psa.shadow.

This avoids saving the password in cleartext to prevent an information disclosure vulnerability for /etc/psa/.psa.shadow if its permissions are not restrictive enough (by accident).

And just for convenience (and later for legacy reasons) the encrypted string is used as the password for the MySQL user "admin".
They could have been separated, but with no real gain in security, as the decryption key would have had to be saved on the server anyway.

Did I get this right?
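The point made above, that the string in /etc/psa/.psa.shadow works as the password and so the file's permissions are what actually protect it, can be turned into a small check. The script below is an added example, not code from this thread or from Plesk; it assumes GNU coreutils stat on Linux, and takes the expected owner as an optional second argument (defaulting to root):

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Plesk's own tooling.
# Checks that a file holding a credential (e.g. /etc/psa/.psa.shadow) is
# readable only by its owner. Assumes GNU coreutils `stat` (Linux); the
# `-c` format strings are not available on BSD/macOS stat.
#
# Usage: check_secret_file FILE [EXPECTED_OWNER]   (owner defaults to root)
# Returns 0 if the mode has no group/other bits and the owner matches,
# 1 on a policy violation, 2 if the file does not exist.
check_secret_file() {
    file=$1
    expected_owner=${2:-root}

    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 2
    fi

    mode=$(stat -c '%a' "$file")    # permission bits in octal, e.g. 600
    owner=$(stat -c '%U' "$file")   # owner user name

    # Normalise to four digits, then keep the last three so special bits
    # (setuid/setgid/sticky) do not disturb the group/other comparison.
    perm=$(printf '%04d' "$mode" | tail -c 3)
    group_other=$(printf '%s' "$perm" | cut -c2-3)

    status=0
    if [ "$group_other" != "00" ]; then
        echo "FAIL: $file mode is $mode; group/other must have no access (expected 600)" >&2
        status=1
    fi
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $expected_owner" >&2
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $file (mode $mode, owner $owner)"
    fi
    return "$status"
}

# When run directly with a path, check that path; otherwise only define the function.
if [ "$#" -gt 0 ]; then
    check_secret_file "$@"
fi
```

Run it as `sh check_secret_file.sh /etc/psa/.psa.shadow` on the server; a non-zero exit means the file is readable by more than its owner or is owned by the wrong account, which is exactly the accidental-permissions case the thread describes.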
 