MySQL login password encryption authentication script

Source: Internet
Author: User
Tags base64 decrypt readable mysql login

First, application scenarios for the login password encryption script

In daily operations, the MySQL password is often given in plaintext on the command line to log in to the MySQL service, and the following warning is printed after a successful login:
# mysql -uroot -p'wujianwei'

Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.

This warning is not acceptable in demanding production scenarios, so you may need to build your own logic around it.
Of course, if you do not need to know the password, there is another way to do it that works just as well: the login path, available starting with 5.6. It is similar to the wallet feature in Oracle. It is a form of authentication and authorization in which you do not need to know the credentials; the login path is the bridge that performs the authentication for you.
If you are on version 5.5, which has no login path, there is no other solution to meet the demand.
At this point some people may ask: what is the demand?
Imagine entering the plaintext password on the command line. Why does that matter? I can simply make sure nobody is looking while I type it, but it is still there in the shell history.
So this is also an entry point for risk: if someone logs in through some unexpected circumstance, the situation becomes very awkward. This is requirement one.
There is also the scenario where we have a large number of MySQL environments and the DBA account password is the same in each environment, but complex. If we cannot pass the plaintext on the command line, we have to type it at the password prompt, which means interaction and manual input. Manual input is really primitive; a slightly more advanced option is a tool such as KeePass, but that depends on how the local environment is configured. So requirement two is characterized by tedious manual password maintenance and overly primitive manual password entry.
We can then write a script. That solves the problem of passing the plaintext password on each call, but the password inside the script is still visible and readable.
So in this case, a natural approach is encryption.
One way is to encrypt the password: we keep an encrypted password string and decrypt it when it is needed to obtain the real password. This process is implemented in the script logic, which lowers the probability of someone obtaining the plaintext password.
Another way is file encryption: the entire file is encrypted so that it can no longer be read, which means the encrypted password is encrypted once more. Files can be encrypted with shell tools and with languages such as Python.
When the script is called, the file is decrypted first, then the decryption logic is called to obtain the real password, and then the connection request is opened.
For example, say I have an encrypted password string. The decryption logic to call is decrypt_passwd, and of course this is readable and reversible. Base64, used below, is an encoding rather than encryption: no key is involved, so anyone who can read the string can decode it.

Second, the base64 command on Linux: encoding and decoding strings

Online Base64 encoding and decoding tool:
https://base64.supfree.net/

2.1 Encryption:
# echo wujianwei|base64
d3VqaWFud2VpCg==
2.2 Decryption:
# echo d3VqaWFud2VpCg==|base64 -d
wujianwei
2.3 Encrypting the account password used for MySQL database backups, based on Base64

The script reads as follows:
# cat test03.sh

#!/bin/sh
Pass='d3VqaWFud2VpCg=='
sock=/tmp/mysql.sock
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo '############################################'
#echo 'Please input correct MySQL Port and try again.'
#echo '############################################'
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass  -P$1  -S$sock

Log in to the MySQL service through this script. The login now uses the encoded password stored in the script instead of a password typed on the command line:
# sh test03.sh 3306

Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.
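
The warning is still printed because the script passes the decoded password to the client with -p. As an added example (not part of the original article), the variant below writes the decoded password to a private option file and passes it with --defaults-extra-file, so it appears neither on the command line nor in the process list. The function names write_client_cnf and mysql_login and the temporary file location are assumptions of this example.

```sh
#!/bin/sh
# Added example: the article's Base64-stored password, handed to the client
# through a private option file instead of -p on the command line.
Pass='d3VqaWFud2VpCg=='            # encoded value shown in the article
sock=/tmp/mysql.sock
mysql_bin=/usr/local/mysql/bin/mysql

# Decode the stored string. Command substitution in the callers strips the
# trailing newline that `echo ... | base64` baked into the encoded value.
decrypt_passwd() {
    printf '%s' "$1" | base64 -d
}

# Write a [client] option file and print its path (mktemp creates it 0600).
# Assumption of this example: the password has no double quote or backslash.
write_client_cnf() {
    pass=$(decrypt_passwd "$1") || return 1
    case $pass in
        ''|*'"'*|*'\'*) echo "unsupported password" >&2; return 1 ;;
    esac
    cnf=$(mktemp "${TMPDIR:-/tmp}/mycnf.XXXXXX") || return 1
    printf '[client]\nuser=root\npassword="%s"\nsocket=%s\n' "$pass" "$2" > "$cnf"
    printf '%s\n' "$cnf"
}

# Log in on the given port; the option file is deleted when the script exits.
mysql_login() {
    case $1 in
        ''|*[!0-9]*) echo "usage: $0 <mysql-port>" >&2; return 2 ;;
    esac
    cnf=$(write_client_cnf "$Pass" "$sock") || return 1
    trap 'rm -f "$cnf"' EXIT
    # --defaults-extra-file must be the first option on the command line.
    "$mysql_bin" --defaults-extra-file="$cnf" -P"$1"
}

# Run only when a port argument is supplied.
if [ "$#" -gt 0 ]; then
    mysql_login "$@"
fi
```

The encoded string is still recoverable by anyone who can read the script, so the script file itself needs owner-only permissions as well.
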
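Third, encrypting and decrypting shell scripts on Linux with gzexe

Reference address:
http://www.isays.cn/7336.html

gzexe ships with Linux; no additional software needs to be installed, you only need to run the command. It compresses the script rather than encrypting it with a key, so it only hides the content from casual viewing.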

3.1. Encryption method:

Assume the script is named test03.sh.
Then we can run gzexe test03.sh on the Linux server.

# gzexe test03.sh
test03.sh:   51.3%

After the original file is encrypted, a test03.sh~ file is generated in the directory; it is the backup of the original file.

# ll test03.sh*
-rwxr-xr-x 1 root root 1122 Jul 20 16:57 test03.sh
-rwxr-xr-x 1 root root  587 Jul 20 16:55 test03.sh~

Notice that the test03.sh script has become a binary file.
For example:

# chmod +x test03.sh
# ll test03.sh
-rwxr-xr-x 1 root root 1128 Jul 20 22:56 test03.sh
# cp test03.sh /usr/local/sbin/

Log in to MySQL:
# test03.sh 3306

Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.

3.2. Decryption method:

Assume the script is named test03.sh.
Then run:
# gzexe -d test03.sh
The original file is decrypted and placed in the directory.
View the content of test03.sh to confirm that the file has in fact been decrypted:

# cat test03.sh

#!/bin/sh
sock=/tmp/mysql.sock
Pass="d3VqaWFud2VpCg=="
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo '############################################'
#echo 'Please input correct MySQL Port and try again.'
#echo '############################################'
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass  -P$1  -S$sock

Fourth, the encryption tool shc

shc is a script encryption tool for Linux. It is more secure. We can use

4.1. shc software installation
shc official website: https://github.com/yanncam/UnSHc
wget -q http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
tar zxvf shc-3.8.9.tgz
cd shc-3.8.9
make

# make
cc -Wall  shc.c -o shc
*** Do you want to probe shc with a test script?
*** Please try...   make test
# make install
*** Installing shc and shc.1 on /usr/local
*** Do you want to continue? yes
install -c -s shc /usr/local/bin/
install -c -m 644 shc.1 /usr/local/man/man1/
install: target `/usr/local/man/man1/' is not a directory: No such file or directory
make: *** [install] Error 1

If this error appears, create the directory with mkdir -p /usr/local/man/man1/ and then run make install again.

4.2. Introduction of common parameters

-e date (specifies the expiration date)
-m message (specifies the message shown after expiration)
-f script_name (specifies the path and file name of the shell script to be compiled)
-r relax security (the binary can be run on different systems with the same operating system)
-v verbose compilation (shows the details of the compilation)

4.3. Encrypting with shc

Assume the script is named test03.sh.
Then run:
shc -v -f test03.sh
-v displays the encryption process
-f is followed by the file to be encrypted

# shc -v -f test03.sh

shc shll=sh
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc  test03.sh.x.c -o test03.sh.x
shc: strip test03.sh.x
shc: chmod go-r test03.sh.x
# ll test03.sh*
-rwxr-xr-x 1 root root   598 Jul 20 17:36 test03.sh
-rwx--x--x 1 root root 12376 Jul 20 17:36 test03.sh.x
-rw-r--r-- 1 root root 12805 Jul 20 17:36 test03.sh.x.c

test03.sh.x is a binary file that can be executed directly once it has execute permission. Rename it with mv test03.sh.x test03.sh.
test03.sh.x.c is the generated C source file. It is basically useless and can be deleted.
# mv test03.sh.x test03.sh
Verify that the file is a binary file:

Log in to the MySQL service:
# ./test03.sh 3306

Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.

4.4. shc encryption with an expiration date

shc also provides a way to set a validity period, that is, an expiration date, for example:
# shc -e 14/09/2016 -m -f test03.sh
The option "-e" specifies the expiration date in the format "day/month/year", and the option "-m" specifies the message shown when this shell program is run after expiration.
If you run it after expiration, you will be prompted with the following:
# ./test03.sh.x
./test03.sh.x:has expired! (file has expired)
When using this method, note that users could change the system time; to guard against that, you can add a command to the program that automatically updates the system time.

4.5. Decrypting files encrypted with shc

Use this script to decrypt:
https://github.com/yanncam/UnSHc

# wget https://github.com/yanncam/unshc/archive/master.zip
# unzip master.zip
Archive:  master.zip
202e5c200005a1b8e474fbfccfb983a582708da1
   creating: unshc-master/
  inflating: unshc-master/readme.md
   creating: unshc-master/latest/
  inflating: unshc-master/latest/unshc.sh
   creating: unshc-master/release/
   creating: unshc-master/release/0.2/
  inflating: unshc-master/release/0.2/unshc-v0.2.sh
  inflating: unshc-master/release/0.2/unshc-v0.2b.sh
   creating: unshc-master/release/0.3/
  inflating: unshc-master/release/0.3/unshc-v0.3.sh
   creating: unshc-master/release/0.4/
  inflating: unshc-master/release/0.4/unshc-v0.4.sh
   creating: unshc-master/release/0.5/
  inflating: unshc-master/release/0.5/unshc-v0.5.sh
   creating: unshc-master/release/0.6/
  inflating: unshc-master/release/0.6/unshc-v0.6.sh
   creating: unshc-master/release/0.7/
  inflating: unshc-master/release/0.7/unshc-v0.7.sh
   creating: unshc-master/release/0.8/
  inflating: unshc-master/release/0.8/unshc-v0.8.sh
   creating: unshc-master/sample/
  inflating: unshc-master/sample/test.sh
  inflating: unshc-master/sample/test.sh.x
  inflating: unshc-master/sample/test.sh.x.c

# cd /root/unshc-master/latest;
# ./unshc.sh -h

--- UnSHc - The shc decrypter.
--- Version: 0.8
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Usage : ./unshc.sh [OPTIONS] <file.sh.x>
    -h | --help                         : print this help message
    -a OFFSET | --arc4 OFFSET           : specify the arc4() offset arbitrarily (without 0x prefix)
    -d DUMPFILE | --dumpfile DUMPFILE   : provide an object dump file (objdump -d script.sh.x > DUMPFILE)
    -s STRFILE | --stringfile STRFILE   : provide a string dump file (objdump -s script.sh.x > STRFILE)
    -o OUTFILE | --outputfile OUTFILE   : indicate the output file name

[*] e.g :
    ./unshc.sh script.sh.x
    ./unshc.sh script.sh.x -o script_decrypted.sh
    ./unshc.sh script.sh.x -a 400f9b
    ./unshc.sh script.sh.x -d /tmp/dumpfile -s /tmp/strfile
    ./unshc.sh script.sh.x -a 400f9b -d /tmp/dumpfile -s /tmp/strfile -o script_decrypted.sh

# /root/unshc-master/latest/unshc.sh test03.sh

--- UnSHc - The shc decrypter.
--- Version: 0.8
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Input file name to decrypt [test03.sh]
[+] ARC4 address call candidate : [0x400ea0]
[*] Extracting each args address and size for the arc4() calls with address [0x400ea0]...
    [0] Working with var address at offset [0x6022e4] (0x2a bytes)
    [1] Working with var address at offset [0x6026af] (0x1 bytes)
    [2] Working with var address at offset [0x6026b1] (0x8 bytes)
    [3] Working with var address at offset [0x6026bb] (0x3 bytes)
    [4] Working with var address at offset [0x6027f7] (0xf bytes)
    [5] Working with var address at offset [0x602693] (0x1 bytes)
    [6] Working with var address at offset [0x60280a] (0x16 bytes)
    [7] Working with var address at offset [0x602695] (0x16 bytes)
    [8] Working with var address at offset [0x602825] (0x13 bytes)
    [9] Working with var address at offset [0x6026b0] (0x1 bytes)
    [10] Working with var address at offset [0x602838] (0x1 bytes)
    [11] Working with var address at offset [0x60239c] (0x257 bytes)
    [12] Working with var address at offset [0x60267d] (0x13 bytes)
    [13] Working with var address at offset [0x602668] (0x13 bytes)
[*] Extracting password...
    [+] PWD address found : [0x6026e2]
    [+] PWD size found : [0x100]
[*] Executing [/tmp/0kq6m3] to decrypt [test03.sh]
[*] Retrieving initial source code in [test03.sh.sh]
[*] All done!

# ll test03.sh*

-rwx--x--x 1 root root 12184 Jul 20 23:36 test03.sh
-rw-r--r-- 1 root root   

At this point, the file test03.sh.sh is the original file:
# cat test03.sh.sh

#!/bin/sh
sock=/tmp/mysql.sock
Pass="d3VqaWFud2VpCg=="
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo '############################################'
#echo 'Please input correct MySQL Port and try again.'
#echo '############################################'
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass  -P$1  -S$sock

This completes the demonstration of MySQL login password encryption. Readers are welcome to share and discuss what they have learned.
