Password Avoidance and more

I usually have to do many tasks that require typing a password: connecting over SSH, connecting to a MySQL server, or logging in to several websites in several environments. This has been bothering me for a long time, so I've finally decided to write this post about password avoidance and show how I usually deal with it.

SSH

For SSH access there is a well-known solution that many people use: you create a public/private key pair and authenticate with the key instead of typing the password. There are many manuals explaining how to do it, so in short, these are the steps:

Generate the key pair on your computer:

ssh-keygen -t rsa

When it asks for a passphrase, set one: the private key is now worth as much as your password, and a passphrase means a stolen key file is not immediately usable. Afterwards you should have your keys in ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public).

Copy the public key to the server(s) (entering your password for the last time!) and append it to the authorized_keys file. By default (StrictModes) sshd ignores that file if it, or ~/.ssh, is writable by other users, so set the permissions while you are there:

scp ~/.ssh/id_rsa.pub your_user@your_server:~
ssh your_user@your_server
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/id_rsa.pub

Update 04/06/2013: Thanks to Christopher for this tip. You can replace all the previous commands with a single one, which also creates ~/.ssh on the server if it is missing and sets its permissions:

ssh-copy-id -i ~/.ssh/id_rsa.pub your_user@your_server

That's it, now you should be able to log in to that server without entering a password. If you set a passphrase on the key, add it to ssh-agent once per session (ssh-add) so you type it once instead of on every connection. Only the .pub file goes to the server; the private key never leaves your computer.
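What ssh-copy-id does on the server side, as an added shell example that is not part of the original post: a function that installs a public key line into authorized_keys without duplicating it and sets the modes sshd's StrictModes check requires, plus a check you can run when key login still asks for a password. The key text in the usage comment is a placeholder, not a real key, and the optional directory argument exists so you can try it on a scratch directory instead of your real ~/.ssh.

```shell
#!/bin/sh
# Added example: the server-side half of "ssh-copy-id", as shell functions.

# install_authorized_key PUBKEY_LINE [SSHDIR]
#   Appends PUBKEY_LINE to SSHDIR/authorized_keys (default ~/.ssh) unless the
#   same key is already there, and sets the permissions sshd accepts under
#   StrictModes: the directory 0700, the file 0600.
#   Prints "added" or "already present".
install_authorized_key() {
    pubkey=$1
    sshdir=${2:-$HOME/.ssh}
    authfile=$sshdir/authorized_keys

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Compare only "type base64blob": the trailing comment (user@host) may
    # differ between copies of the same key and must not cause a duplicate.
    set -- $pubkey
    keyblob="$1 $2"
    if grep -qF -- "$keyblob" "$authfile"; then
        echo "already present"
    else
        printf '%s\n' "$pubkey" >> "$authfile"
        echo "added"
    fi
}

# check_ssh_perms [SSHDIR]
#   Exit 0 when the directory is drwx------ and authorized_keys is -rw-------.
#   A group-writable ~/.ssh is a common reason "it still asks for a password".
check_ssh_perms() {
    sshdir=${1:-$HOME/.ssh}
    [ "$(ls -ld "$sshdir" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$sshdir/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Usage on the server after scp'ing the key to your home directory
# (the key below is a placeholder, not a real key):
#   install_authorized_key "$(cat ~/id_rsa.pub)" && check_ssh_perms
#   install_authorized_key "ssh-rsa AAAAB3NzaC1yc2E...placeholder= you@laptop"
```

If check_ssh_perms fails after ssh-copy-id, look at the server's auth log: sshd reports "Authentication refused: bad ownership or modes" for exactly this case.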

MYSQL

If you usually deal with MySQL databases, you will probably find this section useful. You can customize the mysql client and save its credentials by creating or editing the file ~/.my.cnf. This is how mine looks:

[client]
user = root
password = my_password

[mysql]
prompt=\u@\h:[\d]>\_

The [client] group is read by every MySQL command-line tool, so with the default user and password set there I don't have to enter the password when connecting to localhost (or to any host where these credentials are valid), and the same applies to mysqldump and mysqlimport. Had I put them under [mysql], only the mysql client would have read them; the prompt setting, on the other hand, must stay under [mysql], because mysqldump refuses to start when it meets an option it does not know. Since the file holds a plaintext password, make it readable by you alone (mode 600). MySQL 5.6 and later also ship mysql_config_editor, which stores the credentials obfuscated in ~/.mylogin.cnf and lets you select them with --login-path=NAME instead of keeping a plaintext ~/.my.cnf.
The prompt line is quite useful when you are using the mysql client. It displays the prompt in the format user@host:[database]> so you always know where you are connected, which user you logged in as and which database is selected.

Website Credentials

Speaking of website credentials, I'm currently using a browser extension called LastPass. It lets you build a database of users and passwords tied to URLs, and it auto-fills and can even auto-submit the login form when you load a known URL. In my experience it's very useful, as you can use it in both Chrome and Firefox, and you can share some or all credentials with several people (i.e. the whole development team).

However, from my point of view it has some drawbacks, or possible improvements. First of all, there may be more than one user/password for the same URL (i.e. an admin and a user role), and I've been unable to set a priority among the credentials. Sometimes the stored credentials are no longer valid, and although there is a credential suggestion list on the form page, in my case the list is useless most of the time. It would be very nice if the suggestion list showed the credentials for the same domain first.

For instance, imagine I have three environments for my site: dev.mysite.com, preprod.mysite.com and www.mysite.com. You can assume these three sites are related, and that the credentials might be swapped between them from time to time.

I guess this extension was designed for all kinds of users rather than for developers, but those features would be very useful in my opinion.

Finally, the extension has some other nice features, such as automatically filling registration forms. Google Chrome has added this feature lately, so it's not as valuable as it was, but it's worth mentioning, as it can save you a lot of time filling in the same registration form over and over.

Unix/Linux 

I also wanted to talk about passwords on Linux. Each time you have to edit or create a system file (add a new host to /etc/hosts, add a new virtual host in /etc/nginx/sites-available, give write permission on a certain folder, and so on) you have to use sudo, and therefore type your password. I can't tell how much time I've lost typing my password over and over. There are several possible ways to avoid this.

You could simply change the permissions or ownership of the file or folder that is bothering you, with sudo chmod 777 FILE or sudo chown username:yourgroup FILE. This is fast and works, but it is insecure: those files have restricted permissions for a reason. A world-writable /etc/hosts or nginx configuration can be rewritten by any local account, including the service accounts your web server or database run as, so a bug in one of those services turns into control of name resolution or of the web server configuration. If you do it anyway on a machine only you use, it is under your own responsibility; at least prefer chown to a group you belong to over 777.

If you want to do it in a more elegant way, you can achieve the same result by customizing sudo's configuration. Never edit /etc/sudoers with a plain editor: a syntax error locks everyone out of sudo. Use visudo, which checks the syntax before saving; run visudo with no arguments to edit /etc/sudoers itself, or, on Debian/Ubuntu, visudo -f /etc/sudoers.d/awesomeuser to keep your rules in a separate file that /etc/sudoers pulls in through its #includedir line. If you edit /etc/sudoers directly, put the new content below the lines:

%sudo ALL=(ALL:ALL) ALL
%admin ALL=(ALL:ALL) ALL

because in sudoers the last matching rule wins, so a rule placed above them would be overridden by the group rules (the #includedir line sits at the very end, which is why a drop-in file works without this care).

Imagine you want to restart the nginx server, edit /etc/hosts, power off the computer and run a particular chmod without being asked for a password. You can do it with a line like this (replace /var/www/mysite with the folder you actually need):

awesomeuser ALL=(root) NOPASSWD: /etc/init.d/nginx restart, sudoedit /etc/hosts, /sbin/poweroff "", /bin/chmod g+w /var/www/mysite

Each entry pins the arguments that are allowed: /etc/init.d/nginx restart matches only a restart, "" means poweroff must be called with no arguments at all, and sudoedit copies /etc/hosts to a temporary file, opens it with your own editor as your own user and writes it back, so the editor never runs as root.

The change takes effect immediately for the next sudo invocation; there is no need to open a new terminal. If sudo already does not prompt, that is the credential cache from an earlier password entry, not your new rule: run sudo -k to discard it, and sudo -l to list exactly which commands you may now run without a password.

This way you avoid entering your password for all these tasks. However, it is under your responsibility, and a misconfiguration can put your computer at risk: a NOPASSWD rule is only as narrow as the command line you wrote. A command without arguments, such as /bin/chmod on its own, matches any arguments, so chmod u+s /bin/bash gives anybody with your account a root shell. Editors are worse: if you put /usr/bin/vi /etc/hosts, anybody can run sudo vi /etc/hosts and execute shell commands from inside vim (:!sh), and /usr/bin/gedit /etc/hosts running as root has a file dialog that can open and save any file on the system. Use sudoedit for files, and pin the arguments of everything else.
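The points above, turned into a check you can run over your own rules, as an added shell example that is not part of the original post: a heuristic audit of one sudoers user specification that flags ALL, programs with shell escapes or arbitrary file writes, commands with no argument list and wildcards in arguments. The program lists and the messages are my own choices, not anything sudo itself produces; feed it the lines you wrote, or the output of sudo -l.

```shell
#!/bin/sh
# Added example: heuristic audit of one sudoers user specification.
# audit_sudoers_line 'user HOST=(runas) TAG: cmd args, cmd args, ...'
#   prints one finding per line; exit 0 when nothing was flagged, 1 otherwise.
# Heuristics (conservative; a human still decides):
#   - ALL as a command grants every command;
#   - editors, pagers and interpreters have shell escapes (":!sh" in vi);
#   - file-writing tools with no fixed arguments can rewrite any file as root;
#   - a command with no argument list accepts ANY arguments ("" forbids them);
#   - wildcards in arguments match more than people expect.

ESCAPES="vi vim vim.tiny nano emacs gedit less more man awk sed perl python python3 sh bash dash find"
WRITERS="chmod chown cp mv tee dd tar"

audit_sudoers_line() {
    spec=$1
    findings=0

    # Keep only the command list: drop "user HOST=", an optional "(runas)"
    # and any tags such as NOPASSWD:.
    cmdlist=${spec#*=}
    while :; do
        cmdlist=${cmdlist#"${cmdlist%%[! ]*}"}          # trim leading spaces
        case $cmdlist in
            "("*) cmdlist=${cmdlist#*\)} ;;
            NOPASSWD:*|PASSWD:*|NOEXEC:*|EXEC:*|SETENV:*|NOSETENV:*|LOG_INPUT:*|NOLOG_INPUT:*|LOG_OUTPUT:*|NOLOG_OUTPUT:*)
                cmdlist=${cmdlist#*:} ;;
            *) break ;;
        esac
    done

    # Walk the comma-separated entries without touching IFS.
    rest=$cmdlist
    while [ -n "$rest" ]; do
        case $rest in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest;       rest= ;;
        esac
        entry=${entry#"${entry%%[! ]*}"}                # trim leading spaces
        prog=${entry%% *}                              # first word: the program
        args=${entry#"$prog"}
        args=${args#"${args%%[! ]*}"}                  # the remaining arguments
        base=${prog##*/}

        case $prog in
            ALL)
                echo "$prog: grants every command"
                findings=$((findings + 1)) ;;
            sudoedit)
                ;;   # edits a copy as the invoking user; no root editor session
            *)
                case " $ESCAPES " in
                    *" $base "*)
                        echo "$prog: editor/pager/interpreter, its shell escape gives a root shell"
                        findings=$((findings + 1)) ;;
                    *)
                        if [ -z "$args" ]; then
                            case " $WRITERS " in
                                *" $base "*) echo "$prog: no fixed arguments, can rewrite any file as root (e.g. chmod u+s /bin/sh)" ;;
                                *)           echo "$prog: no argument list, so any arguments are accepted (use \"\" or list them)" ;;
                            esac
                            findings=$((findings + 1))
                        fi ;;
                esac ;;
        esac
        case $args in
            *\**)
                echo "$prog: wildcard in arguments can match unintended input"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Run from the command line: sh audit.sh 'awesomeuser ALL=NOPASSWD: /bin/chmod'
[ $# -eq 0 ] || audit_sudoers_line "$*"
```

Run against the unrestricted line (nginx, gedit /etc/hosts, poweroff, chmod with no arguments) it reports four problems; the pinned line with service nginx restart, poweroff "" and sudoedit /etc/hosts reports none. The check is deliberately conservative: chmod with fixed arguments passes, and it does not follow Cmnd_Alias names, so expand those yourself before feeding it a line.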

Remember that sometimes it is better (safer) to type the password before running a command; it's up to you.