I have yet to see the difference between SSH tunnels, with all their administrative burden, and phpMyAdmin behind HTTP auth long before its native login.

Your stuff doesn't scale to a setup with external users, who for sure don't get SSH tunnels or, much worse, VPN access; and without external users the whole issue doesn't exist.

On 17.04.19 at 19:30, Jeff Dyke wrote:
> I appreciate your points, but I don't give them out to 'every random
> monkey'; that would be completely against the setup I've chosen. Showing
> someone how to SSH-tunnel via PuTTY is not hard, only has to be done once,
> and can be documented. The people that I give SSH access to are managed
> centrally via a config management system and they only have access to
> the bastion host, and are not users on any other host. Also they can only
> connect to MySQL from that host (which really doesn't matter since they
> can't get to another host). And my point really is mainly for cloud
> infrastructures; if you're on a corporate network, hopefully the
> sysadmin has installed a VPN which can be used, and then you can VPN to
> the network and connect like you're local, which you could also do in
> the cloud.
>
> So IMHO it is much more secure, perhaps the way it's set up here, and
> again it's just my 2 cents. SSH tunnels to a bastion host that is not
> allowed to talk to another host will always be more secure than any
> phpMyAdmin configuration.
>
> Again, I appreciate your point of view, but wanted to qualify some of my
> answers.
>
> On Wed, Apr 17, 2019 at 1:18 PM Reindl Harald <h.rei...@thelounge.net> wrote:
>>
>> On 17.04.19 at 18:55, Jeff Dyke wrote:
>>> Reindl's (funny) comments aside. Why still use phpMyAdmin in this day
>>> and age? Nearly every Maria/Percona/MySQL client supports SSH
>>> tunneling. SequelPro on Mac, Heidi (or others) on Windows, and any
>>> Windows client running through Wine if your desktop/laptop is Linux.
>>> Also developers can just use IntelliJ or similar IDEs that have a
>>> database pane.
>>>
>>> Trusting administration to an exposed phpMyAdmin in this day and age
>>> frightens me greatly. Also if you had a HIDS server running to track
>>> bad phpMyAdmin logins I bet there would be a ton of alerts. I've
>>> blocked all such attempts in my IPS even though I don't have phpMyAdmin.
>>>
>>> I realize this does not answer your question, but if this fits into your
>>> architecture I'd say goodbye to that web interface.
>>
>> Because it's nonsense to believe that you can manage to get everybody
>> who probably needs to access MySQL with his restricted account to
>> learn how to use SSH tunnels,
>>
>> and you are plain wrong when you believe handing out SSH tunnels into
>> your network to every random monkey increases security,
>>
>> not to mention that he is obviously a 3rd party to a customer where
>> you have no say in that context.
>>
>> The problem is *exposing* phpMyAdmin to the whole world and asking
>> stupid questions like which version before the latest one, instead of just
>> updating it; and when you are too dumb to build packages for the target OS,
>> hire someone who is capable of doing so, or unpack that damned folder
>> by hand.
>>
>>> On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald <h.rei...@thelounge.net> wrote:
>>>>
>>>> On 17.04.19 at 16:50, Turritopsis Dohrnii Teo En Ming wrote:
>>>>> Subject/Topic: How do I determine if versions of phpMyAdmin before
>>>>> 4.8.5 are SQL injectable using sqlmap?
>>>>
>>>> Frankly, are you drunk?
>>>>
>>>> You posted this exact same message to
>>>>
>>>> * phpmyadmin list TWICE
>>>> * oracle mysql list
>>>> * now mariadb list
>>>>
>>>> I seriously checked whether my mail server has a problem - stop it, damn it!

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
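Jeff's remark in the thread about a HIDS tracking bad phpMyAdmin logins, as an added example that is not part of the list discussion or of phpMyAdmin itself: a small sliding-window detector run over constructed syslog lines. The line shape is an assumption modelled on what phpMyAdmin writes to syslog when its AuthLog is enabled (the same "user denied: ... from IP" text that fail2ban's phpmyadmin-syslog filter matches); the hostname, PIDs, usernames and addresses in the sample are made up, and the threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (not taken from the thread): a syslog line of the kind
# phpMyAdmin emits when $cfg['AuthLog'] points at syslog. fail2ban's
# phpmyadmin-syslog filter matches the same "user denied: ... from IP" text;
# verify the shape against your own log before relying on it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ phpMyAdmin\[\d+\]: "
    r"user denied: (?P<user>\S+) \((?P<reason>[\w-]+)\) from (?P<ip>[0-9A-Fa-f.:]+)$"
)

# Constructed sample log: one noisy source, one user who just mistyped twice,
# and an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Apr 17 18:55:01 web1 phpMyAdmin[2201]: user denied: root (mysql-denied) from 198.51.100.23
Apr 17 18:55:03 web1 phpMyAdmin[2201]: user denied: admin (mysql-denied) from 198.51.100.23
Apr 17 18:55:04 web1 phpMyAdmin[2201]: user denied: root (mysql-denied) from 198.51.100.23
Apr 17 18:55:06 web1 phpMyAdmin[2201]: user denied: pma (mysql-denied) from 198.51.100.23
Apr 17 18:55:09 web1 phpMyAdmin[2201]: user denied: root (mysql-denied) from 198.51.100.23
Apr 17 18:57:40 web1 phpMyAdmin[2201]: user denied: jeff (mysql-denied) from 203.0.113.8
Apr 17 18:59:12 web1 phpMyAdmin[2201]: user denied: jeff (mysql-denied) from 203.0.113.8
Apr 17 19:30:00 web1 sshd[3310]: Accepted publickey for jeff from 203.0.113.8 port 51514 ssh2
Apr 17 20:15:22 web1 phpMyAdmin[2201]: user denied: root (root-denied) from 198.51.100.23
"""


def parse_line(line, year=2019):
    """Parse one syslog line into a dict, or return None for non-matching lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "reason": m["reason"], "ip": m["ip"]}


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10), year=2019):
    """Sliding-window counter: for each source IP, keep the timestamps of
    failed logins that fall inside the last `window`, and remember the peak
    count seen. Returns {ip: (peak_failures, sorted distinct usernames)} for
    every IP whose peak reached `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count observed
    users = defaultdict(set)      # ip -> usernames tried from that ip
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
        users[ev["ip"]].add(ev["user"])
    return {
        ip: (n, sorted(users[ip]))
        for ip, n in peak.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, (n, tried) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed phpMyAdmin logins in 10 min, users tried: {tried}")
```

The peak is tracked rather than the final in-window count so that a burst followed by a lone retry hours later (the last sample line) still reports the burst. The distinct-usernames list is what separates a credential-stuffing source from one legitimate user who mistyped a password a few times; the same counter could feed a block list for the IPS Jeff mentions, but the sensible fix the thread arrives at is not to expose the login page at all.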