#11
11-14-2007, 08:26 AM
Senior Member
Join Date: Oct 2007
Location: UK
Posts: 127
Warning. Long Post Alert!

Quote:
Originally Posted by mousepad111
The problem is these changes are not having any effect after restarting mysql and apache. Sorry, if this is a basic question, but how am I supposed to load pma's config to have the changes take effect.
Just for grins, I purged my install of phpmyadmin and started over. Here is what I did to make it work. Note that I run debian etch. It should be similar in ubuntu, but no guarantees. I think that I noted all the steps.
  1. Uninstall. "aptitude purge phpmyadmin"
  2. Clean all cruft from /etc/apache2. There were some symlinks to /etc/phpmyadmin in there
  3. Install. "aptitude install phpmyadmin"
  4. Add symlink so apache can find phpmyadmin's config file. At a shell run
    Code:
    ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin.conf
  5. Add an alias to phpmyadmin's apache.conf so that phpmyadmin is visible on the net. Using your favorite editor, add the following line to the end of /etc/phpmyadmin/apache.conf:
    Code:
    Alias /myadmin /var/www/phpmyadmin
    Note that the /myadmin can be anything you want. This is where you might use security by obscurity.
  6. Modify config.inc.php to force ssl (thanks, skavoovie - I didn't know about that one). Note that I do not use the 'http' auth_type control because I don't want to fill in the control_user fields, potentially exposing the password. My file /etc/phpmyadmin/config.inc.php contains:
    Code:
    <?php
    $cfg['ForceSSL'] = true;
    $i = 0;
    $i++;
    $cfg['Servers'][$i]['host']          = 'localhost'; // MySQL hostname or IP address
    $cfg['Servers'][$i]['auth_type']     = 'cookie';    // Authentication method (config, http or cookie based)?
    ?>
  7. Test to see if it works. Restart apache, then access your site using a browser at https://your.domain.com/myadmin/. You should be asked to login by phpmyadmin using a mysql user name & password. Accessing the site by http://... should automatically redirect you to the https://... version
  8. For fun, add a second layer of security, forcing http authentication before mysql authentication.
    - Add the following to /etc/mysqladmin/apache.conf
    Code:
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile /etc/phpmyadmin/htpasswd
    Require valid-user
    The AuthUserFile can be any path you want.
    - Create an http-authenticated user
    Code:
    cd /etc/phpmyadmin
    htpasswd -c htpasswd someUser
    (enter a password, twice)
    The name following the -c must be the same as in the AuthUserFile directive. Restart apache because you changed the apache.conf file.
  9. Test it again. This time you should be required to authenticate twice. The first time will be with someUser, the second with the mysql user name
Quote:
Originally Posted by mousepad111
My second question relates to the recommendations to use ssh to access pma. This is similar to using putty to connect to my server via command line, correct?
No. What is being suggested is to use an SSH tunnel to use your VPS as an http proxy. You are not using SSH to talk to phpmyadmin, but are instead telling your browser to talk to phpmyadmin through the tunnel+proxy.

There are several ways of setting up a proxy. See Setting up private proxy for some of them. If you go this route, then you want to restrict phpmyadmin to use from localhost. You do this by adding the following lines to /etc/phpmyadmin/htaccess
Code:
Satisfy All
Order Deny,Allow
Allow from 127.0.0.1
Deny from all
You will also need to remove the $cfg['ForceSSL'] = true; line, because connection IP addresses are passed through the ssl connection protocol.

IMO: the security of the SSL + double authentication scheme is equal to the tunnel. Both require you to know the credentials of a user. Both permit multiple users. The SSL+double permits/forces a second user space, which I think is good, but you might not. Using the SSL tunnel permits any user that can open an ssh session to get to phpmyadmin. Of course, you could go for triple authentication (tunnel + http + mysql).
__________________
Charles Haley
www.haleys.eu/chaley
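As an added example (my own, not Charles's code and not part of phpMyAdmin), a POSIX shell audit for the two consistent layouts this post describes: the SSL + HTTP Basic + cookie-auth stack from steps 4 to 9, and the tunnel layout with the localhost-only htaccess and ForceSSL removed. The function names (pma_audit, conf_has, make_sample), the directory argument and the regexes are mine; make_sample writes a constructed config set so the audit can be tried without touching /etc/phpmyadmin.

```shell
# Added example, not from the thread: audit a phpMyAdmin install against the
# two consistent layouts described above (Debian file names, as in the posts):
#   ssl    : ForceSSL on, cookie auth, HTTP Basic auth in front of PMA
#   tunnel : htaccess restricts access to 127.0.0.1, ForceSSL must be absent
FORCE_SSL_RE='\$cfg\[.ForceSSL.\] *= *true'

# Return 0 if file $1 has an uncommented line matching extended regex $2.
conf_has() {
    [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# Check directory $1 against layout $2: print each failed check and return 1
# on any failure (2 for an unknown layout), 0 when everything is in place.
pma_audit() {
    dir=$1 rc=0
    case $2 in
    ssl)
        conf_has "$dir/config.inc.php" "$FORCE_SSL_RE" || { echo "ForceSSL is not enabled"; rc=1; }
        conf_has "$dir/apache.conf" '^ *AuthType +Basic' || { echo "no HTTP Basic auth layer"; rc=1; }
        conf_has "$dir/apache.conf" '^ *Require +valid-user' || { echo "Require valid-user missing"; rc=1; }
        ;;
    tunnel)
        conf_has "$dir/htaccess" '^ *Allow +from +127\.0\.0\.1' || { echo "htaccess does not allow localhost"; rc=1; }
        conf_has "$dir/htaccess" '^ *Deny +from +all' || { echo "htaccess does not deny everyone else"; rc=1; }
        # Mixing the layouts is what the post warns against: ForceSSL would
        # redirect the plain-http request arriving through the tunnel to https.
        if conf_has "$dir/config.inc.php" "$FORCE_SSL_RE"; then
            echo "ForceSSL must be removed when access is via the tunnel"; rc=1
        fi
        ;;
    *) echo "unknown layout: $2"; return 2 ;;
    esac
    # Either way, cookie auth keeps the MySQL password out of config.inc.php.
    conf_has "$dir/config.inc.php" "\[.auth_type.\] *= *.cookie." || { echo "auth_type is not cookie"; rc=1; }
    return $rc
}

# Write a constructed sample in layout $2 under directory $1 (for trying it out).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '<?php' "\$cfg['Servers'][1]['auth_type'] = 'cookie';" >"$1/config.inc.php"
    if [ "$2" = ssl ]; then
        printf '%s\n' "\$cfg['ForceSSL'] = true;" >>"$1/config.inc.php"
        printf '%s\n' 'Alias /myadmin /var/www/phpmyadmin' 'AuthType Basic' 'AuthName "phpMyAdmin"' \
            "AuthUserFile $1/htpasswd" 'Require valid-user' >"$1/apache.conf"
    else
        printf '%s\n' 'Satisfy All' 'Order Deny,Allow' 'Allow from 127.0.0.1' 'Deny from all' >"$1/htaccess"
    fi
    printf '%s\n' '?>' >>"$1/config.inc.php"
}
```

Run it against the real directory with `pma_audit /etc/phpmyadmin ssl` (or `tunnel`) after the steps above; any printed line is a layer that is missing or contradicts the chosen layout.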
#12
11-14-2007, 09:24 AM
Junior Member
Join Date: Nov 2007
Posts: 9

Ah, I was just about to make another plea for help when I saw your new post Charles. This info looks great, I will have to try it tomorrow... I've been at this for most of this evening, bouncing between getting ssh tunneling and ssl working (without getting either to work lol).

I think I will just stick with ssl and try to get that working first.

Charles: The steps you outline for setting up SSL with phpmyadmin assume SSL is already set up with apache2, correct? I believe this would require following an entirely separate howto before following your steps? Right now, I'm going through the ubuntu guides and openssl site to create my own certificates, but there appears to be a bug with the apache2-ssl-certificate creator missing...
#13
11-14-2007, 09:36 AM
Senior Member
Join Date: Oct 2007
Location: UK
Posts: 127

Yes, I assumed that https was already working. Not having https up and running is a good reason to use an SSH tunnel. A tunnel gives you access now and protection now. You can play with https at your leisure. The steps are the same, except that you must not include the "$cfg['ForceSSL'] = true;" config directive. Steps 8 and 9 aren't necessary, unless you want triple authentication.

Setting up a simple proxy using dynamic ports is really easy. Look at kelvinn's post on the link I sent earlier; he tells you what to do with ssh, FF, and the like. If your client machine runs windows, then look at my post after kelvinn's for a link on how to set up the dynamic tunnels using putty.

Good luck!
__________________
Charles Haley
www.haleys.eu/chaley
#14
12-24-2007, 10:12 AM
Junior Member
Join Date: Dec 2007
Location: UK
Posts: 11

Nope, it's a bit buggy IMO and not as secure as this:

'h**p://webyog.com/en/'

It's a Windows app that logs you in through SSH and then into your MySQL DBs. It's a lot, lot more user friendly and is available in a free community edition