mySQL remote user account


    I am trying to back up an Azure MySQL database. I understand I need to create a user account on @remotehost called user@localhost.

    However, when I run the mysqldump command, the user is coming back as user@publicIPaddress rather than user@localhost.

    Code:
    Access denied for user 'backup'@'2.xxx.xxx.xxx' (using password: YES) when trying to connect
    I know I can create a user account user@publicIPaddress, but as I do not have a static IP from my ISP, it will change periodically.

    Is there a method for getting this to work with a single user account? I have a dynamic DNS setting, so user@dynamicDNSname will always resolve to the same place even when the IP address changes.
    Last edited by SimonMac; 23 May 2019, 13:42.
    Originally posted by Stevie Wonder Boy
    I can't see any way to do it can you please advise?

    I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.

    #2
    I don't mean this in a funny way like go and google it. But the last couple of times I've contacted Azure with a question they have been really helpful. Might be worth asking them.



      #3
      Originally posted by woohoo View Post
      I don't mean this in a funny way like go and google it. But the last couple of times I've contacted Azure with a question they have been really helpful. Might be worth asking them.
      Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works.


        #4
        Originally posted by SimonMac View Post
        Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works.
        Bit of an anti-pattern if you want to have some semblance of security; you're basically opening it up to the world for convenience. You probably already know this feels wrong and is wrong.

        Typically you might have a "jump box" in this situation: a server instance on the Azure network which is white-listed to communicate with the MySQL server. This box is secured, however, to restrict access to trusted parties, and you connect via SSH through the jump box. Most database clients that work with MySQL make this pretty seamless when creating a connection configuration using an SSH tunnel type connection.

        A jump box creates a common audit log if set up that way too.



          #5
          Originally posted by TheGreenBastard View Post
          Bit of an anti-pattern if you want to have some semblance of security; you're basically opening it up to the world for convenience. You probably already know this feels wrong and is wrong.

          Typically you might have a "jump box" in this situation: a server instance on the Azure network which is white-listed to communicate with the MySQL server. This box is secured, however, to restrict access to trusted parties, and you connect via SSH through the jump box. Most database clients that work with MySQL make this pretty seamless when creating a connection configuration using an SSH tunnel type connection.

          A jump box creates a common audit log if set up that way too.
          The MySQL box is on an NSG that is configured to only allow connections from my public IP, or from within the VLAN that the box and other webservers are attached to.

          Not foolproof but hopefully reduced the risk.


            #6
            Originally posted by SimonMac View Post
            Seems creating a user name user@% allows it from all IPs, probably not the securest method but it works.
            As you suspect, that's pretty insecure, though I've often done it myself just to make life easier.

            Originally posted by SimonMac View Post
            I know I can create a user account user@publicIPaddress, but as I do not have a static IP from my ISP, it will change periodically.

            Is there a method for getting this to work with a single user account? I have a dynamic DNS setting, so user@dynamicDNSname will always resolve to the same place even when the IP address changes.
            You should be able to create a user such as 'simonmacs-amazing-backup-automaton'@'simonmacs-dynamic-dns-name.example.com' which will work as long as your dynamic DNS thing auto-updates when your IP changes.

            Note that the username and domain bits should be in their own sets of quotes and the @ not, as explained in the docs at MySQL 8.0 Reference Manual :: 6.2.4 Specifying Account Names

            • The user name and host name need not be quoted if they are legal as unquoted identifiers. Quotes are necessary to specify a user_name string containing special characters (such as space or -), or a host_name string containing special characters or wildcard characters (such as . or %) (for example, 'test-user'@'%.com').

            • Quote user names and host names as identifiers or as strings, using either backticks (`), single quotation marks ('), or double quotation marks ("). For string-quoting and identifier-quoting guidelines, see Section 9.1.1, “String Literals”, and Section 9.2, “Schema Object Names”.

            • The user name and host name parts, if quoted, must be quoted separately. That is, write 'me'@'localhost', not 'me@localhost'; the latter is actually equivalent to 'me@localhost'@'%'.
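
The account options discussed in posts #4 to #6, as an added example that is not part of any poster's reply: it audits for wildcard and mis-quoted accounts, then replaces 'backup'@'%' with host-pinned, read-only, TLS-only accounts. The schema appdb, the address 10.0.1.4, the name home.example.com and the password placeholder are assumptions.

```sql
-- Added example: constructed names, addresses and password placeholder.
-- 'appdb', 10.0.1.4 (jump box private IP) and home.example.com are hypothetical.

-- 1. Find accounts that accept connections from any host, and account names
--    that swallowed the host part through wrong quoting ('me@localhost'@'%').
SELECT user, host
FROM mysql.user
WHERE INSTR(host, '%') > 0      -- wildcard host pattern
   OR host = ''                 -- empty host also matches any client
   OR INSTR(user, '@') > 0;     -- '@' inside the user name: quoting mistake

-- 2. Remove the wide-open account created as a workaround.
DROP USER IF EXISTS 'backup'@'%';

-- 3a. Jump-box model: the dump runs on (or is tunnelled through) one host
--     inside the virtual network, so the account is pinned to its address.
CREATE USER 'backup'@'10.0.1.4'
  IDENTIFIED BY '<long-random-password>'
  REQUIRE SSL;

-- 3b. Host-name model: user and host quoted separately. The server matches
--     this by resolving the client's IP address to a name, so the account
--     only matches when that lookup returns exactly this name.
CREATE USER 'backup'@'home.example.com'
  IDENTIFIED BY '<long-random-password>'
  REQUIRE SSL;

-- 4. Grant only what mysqldump needs to read one schema; no write, DDL or
--    GRANT OPTION, so a leaked backup credential cannot alter data.
GRANT SELECT, SHOW VIEW, TRIGGER, LOCK TABLES, EVENT
  ON appdb.* TO 'backup'@'10.0.1.4';
GRANT SELECT, SHOW VIEW, TRIGGER, LOCK TABLES, EVENT
  ON appdb.* TO 'backup'@'home.example.com';

-- 5. Verify the result.
SHOW GRANTS FOR 'backup'@'10.0.1.4';
SHOW GRANTS FOR 'backup'@'home.example.com';
```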



              #7
              Originally posted by NickFitz View Post
              As you suspect, that's pretty insecure, though I've often done it myself just to make life easier



              You should be able to create a user such as 'simonmacs-amazing-backup-automaton'@'simonmacs-dynamic-dns-name.example.com' which will work as long as your dynamic DNS thing auto-updates when your IP changes.

              Note that the username and domain bits should be in their own sets of quotes and the @ not, as explained in the docs at MySQL 8.0 Reference Manual :: 6.2.4 Specifying Account Names
              Thanks, will have a go at that. I tried to look at those pages but got lost when they started talking about reverse DNS and the like.