Home / ubuntu / Questions / 1526738
Accepted
sanjihan
Asked: 2024-09-14 06:00:26 +0800 CST

security concerns of executing mariadb-dump with password over ssh

  • 772

I need to make backups of the remote machine mariadb database. My plan is to run

ssh user@remoteip 'mariadb-dump -uuser -ppass --all-databases > backup.sql'

from my local machine.

I found that remote machines history is not being populated with the mariadb-dump command I just executed. journalctl also did not contain the command.

Is there any security reason on the remote side I should be worried about when passing mariadb password in the ssh command? Are there better alternatives?

ssh

2 Answers

  1. Best Answer

    Yes this is very unsecure.
    While running, any user on the system can see the plaintext password with ps aux.

    You should rather add a file ~/.my.cnf for the user with permissions 600 and following content:

    [mariadb-dump]
user=myuser
password=mySecretPassword
    • 8

  2. Since the MariaDB and system users seem to match, you could also allow the system user user to authenticate as the MariaDB user user through unix_socket:

    ALTER USER 'user'@'localhost'
    IDENTIFIED VIA mysql_native_password USING PASSWORD('pass')
    OR unix_socket
;

    This will grant passwordless login as the MariaDB user named user to the system user named user (which may be convenient in general), leaving to other system users the option to authenticate as the MariaDB user named user using the password pass (you may run just ALTER USER 'user'@'localhost' IDENTIFIED VIA unix_socket; if the latter is undesirable).

    Then you could run just:

    ssh user@remoteip 'mariadb-dump --all-databases > backup.sql'
    • 4