
I've been trying to automate as much of our infrastructure as possible by moving our server setup and configuration to Chef Solo.

Using the OpsCode MySQL cookbook, I am able to install MySQL and set the root password like so:

    node['mysql']['server_root_password'] = 'my root password'

(or the JSON equivalent)

This works fine, but ideally we'd like to not store the password in plain text as it will be going on GitHub (private repository of course, but you never know).

Is there a way I can supply a hash of the password instead (similar to a user definition in chef),

Daniel Upton
  • Use encrypted data bags. And if you wish, you can store them in SCM like that http://stackoverflow.com/q/13849741/170230 – Draco Ater Mar 09 '13 at 15:34
  • Did you find a solution to this problem? It's okay to answer your own question. Please don't forget to mark an answer as correct! :) – sethvargo Jan 02 '14 at 23:09

1 Answer

Copy the hashed password value you want and use it in place of your plain-text password.

Do

    SELECT Password
      FROM mysql.user
     WHERE User='root'
       AND Host='localhost';

to get the hashed value from an existing MySQL instance.

O. Jones
  • Awesome, thanks... Will that work with the chef recipe? (It uses `mysqladmin -u root password "password"`; can I just swap the password for the hash?) – Daniel Upton Mar 07 '13 at 23:33
  • If that works, I don't need to steal your password to get access, I can use the hash. But that's obviously a big security hole. – Draco Ater Mar 09 '13 at 15:37
  • Not true, Draco. The authentication system takes the password provided by the user, hashes it, and compares it to the stored, hashed, password. To get the password you have to be able to reverse the hash algorithm, which isn't easy. But, of course, you can crack this system by putting in a different hash, to a password you know, if you can get write access to the script. – O. Jones Mar 10 '13 at 19:10
  • @OllieJones Nope, that just uses the hash as the password! – Daniel Upton Mar 13 '13 at 11:00
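
The behaviour reported in the last comment, as an added example that is not part of the original posts or of the cookbook: it models how a server stores whatever string `mysqladmin ... password` sends, so a hash pasted into the attribute becomes the login secret itself. It assumes the `mysql_native_password` format (`*` plus uppercase hex of SHA1(SHA1(password))) used by the `Password` column; all function names are hypothetical.

```ruby
require 'digest/sha1'

# Assumption: mysql_native_password format (MySQL 4.1 through 5.x):
# '*' followed by the uppercase hex of SHA1(SHA1(plaintext)). No salt is used.
def mysql_native_hash(plaintext)
  inner = Digest::SHA1.digest(plaintext) # raw 20-byte digest
  '*' + Digest::SHA1.hexdigest(inner).upcase
end

# True when a configured value has the shape of a native hash, which is a
# sign that a hash was pasted where the tool expects a plain-text password.
def native_hash?(value)
  !!(value =~ /\A\*[0-9A-F]{40}\z/)
end

# Model of `mysqladmin -u root password "<secret>"`: the server hashes
# whatever string it receives and stores the result.
def stored_after_mysqladmin(secret)
  mysql_native_hash(secret)
end

# Compare the intended outcome with what happens when the hash is used
# as the attribute value.
def compare(plaintext)
  intended = mysql_native_hash(plaintext)
  {
    intended_hash: intended,
    # The server stores a hash of the hash, not the hash itself.
    stored_if_hash_is_passed: stored_after_mysqladmin(intended),
    # The string needed to log in is now the hash text from the repository.
    login_secret_if_hash_is_passed: intended
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value, taken from the question's placeholder.
  compare('my root password').each { |k, v| puts "#{k}: #{v}" }
  puts "attribute looks like a hash: #{native_hash?(mysql_native_hash('x'))}"
end
```

A recipe-side guard built on `native_hash?` can refuse to pass such a value to `mysqladmin`; keeping the real password out of the repository still needs something like the encrypted data bags mentioned in the comments.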