• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk11 new password system issues

falcon7

New Pleskian
In earlier versions of Plesk, the admin password was stored as clear-text in a file in /etc/psa. They finally fixed that hole, and the password is stored encrypted. This is a very good thing. In any scripts (like database backup scripts) that need to use that password for access to mysql, where in the old days you would have:
`cat /etc/psa/.psa.shadow`
You now can replace that with:
`/usr/local/psa/bin/admin --show-password`

Fine, this all sounds good. However I've run into a strange issue: the admin password stored
by the system and revealed through this command doesn't work with mysql directly.

Example:
% /usr/local/psa/bin/admin --show-password
<mypassword>
% mysql -uadmin -p
Enter password: <mypassword>
ERROR 1045 (28000): Access denied for user 'admin'@'localhost' (using password: YES)

This is very annoying, since this breaks my backup scripts, and one needs occassionally to do admin type work in Mysql. Anyone know how to access Mysql in the new password system?
 
Hi,

I'm afraid you are incorrect, the MySQL admin password is the same as it ever was, the contents of /etc/psa/.psa.shadow. Your scripts should not need any changes.

I'd point you to the relevant KB article but I can't find it right now, just try your script unchanged and it should work fine (does for us).

Paul.
 
# cat /etc/psa/.psa.shadow
$AES-128-CBC$yGg1y7HQvv0sZXNaSwGWvg==$Ho4j1xxe2ECx736JtV9WPw==

so, the text at that location is now encrypted
Yet, the following works! Very interesting!

# mysql -uadmin -p`cat /etc/psa/.psa.shadow`
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2856
Server version: 5.1.63-0+squeeze1 (Debian)
...

mysql>



Is this some new way of communicating the password to Mysql?
 
Hi,

this isn´t a new way. Although it looks like MySQL is given an encrypted password, it´s not. The string you see in the .psa.shadow IS the password. So, the MySQL password is really stored unencrypted, but you cannot get the Plesk admin password from that anymore.
 
and by the way take note that in the new password stored in /etc/psa/.psa.shadow has a SPACE in it. If you are calling it in any of your php scripts, please wrap it under single quotes '$AES-128-CBC$yGg1y7HQvv0sZXNaSwGWvg==$Ho4j1xxe2ECx736JtV9WP w==' otherwise you will end-up into problems ...
 
and by the way take note that in the new password stored in /etc/psa/.psa.shadow has a SPACE in it. If you are calling it in any of your php scripts, please wrap it under single quotes '$AES-128-CBC$yGg1y7HQvv0sZXNaSwGWvg==$Ho4j1xxe2ECx736JtV9WP w==' otherwise you will end-up into problems ...

There can't be a space inside the encrypted password. Though the advice to quote it with single quotes is correct. Anyway, it would be better to just use -p`cat /etc/psa/.psa.shadow` if possible to avoid storing password in multiple places.
 
Nikolay, there was a space in the early versions of Plesk 11. I just didn't realize that they have removed it with recent MUs.
 
Back
Top