Create an expect script:
/path/to/sshmysql.exp

#!/usr/bin/expect -f
#script by darren cassar
#mysqlpreacher.com

set machine [lindex $argv 0]

set timeout -1

spawn ssh username@$machine
match_max 100000
expect -exact “assword: ”
send — “password\r”
send — “sudo -k; sudo su – mysql\r”
expect -exact “sudo -k; sudo su – mysql”
expect -exact “assword:”
send — “password\r”
interact

# you should change the word password in ’send — “password\r”‘ to your login password
# if you have the same password for each environment you could also script logging into mysql directly from the same expect script BUT that is not recommended.

Create a bash script:
/path/to/login.sh

#!/bin/bash
#script by darren cassar
#mysqlpreacher.com

sm=’/path/to/sshmysql.exp’

menu() {
echo ” 101 – dev.databaseserver1 ”
echo ” 102 – dev.databaseserver2 ”
echo ” 103 – dev.databaseserver3 ”
echo ” 201 – qa.databaseserver1 ”
echo ” 301 – uat.databaseserver1 ”
echo ” 302 – uat.databaseserver2 ”
echo ” 401 – prod.databaseserver1 ”
echo ” ”
}

ARGUMENT=notmenu

if [ -z "$1" ]
then
ARGUMENT=menu
else
choice=$1
fi

if [ $ARGUMENT = "menu" ]
then
menu
else
case “$choice” in
101|dev.databaseserver1 ) $sm dev.databaseserver1;;
102|dev.databaseserver2 ) $sm dev.databaseserver2;;
103|dev.databaseserver3 ) $sm dev.databaseserver3;;
201|qa.databaseserver1 ) $sm qa.databaseserver1;;
301|uat.databaseserver1 ) $sm uat.databaseserver1;;
302|uat.databaseserver2 ) $sm uat.databaseserver2;;
401|prod.databaseserver1 ) $sm prod.databaseserver1;;
* ) echo “Wrong value passed to script”
menu ;;
esac
fi

alias l=’/path/to/login.sh’

Output:

[darrencassar@mymachine ~ ]$ l
101 – dev.databaseserver1
102 – dev.databaseserver2
103 – dev.databaseserver3
201 – qa.databaseserver1
301 – uat.databaseserver1
302 – uat.databaseserver2
401 – prod.databaseserver1

Output:
The below command would log you into the first development database server as mysql user.

[darrencassar@mymachine ~ ]$ l 101

On each machine place aliases for each instance in the .profile

alias use3306=’mysql -u root -p -h 127.0.0.1 -P 3306 –prompt=”mysql \D> “‘

The above setup can be used using any client/server OS: Linux, Solaris, MAC OS or Windows(running Cygwin)

NOTE: If you store the password in clear text inside the expect script, you should at least save the scripts inside an encrypted partition on your machine and make sure that folder is not shared or accessible by anyone. Another way of doing it would be to use either SSHKeys OR save the password inside a file and encrypt it using OpenSSL

Enjoy!

In essence:
1. Select Finder, click on Go from the menu bar and select Go to Folder
2. From the dialog box that opens, type:
/System/Library/CoreServices/
and press Return
3. Locate Finder application, right click on it, and select Show Package Contents
4. Navigate to Contents>Resources>English.lproj and open InfoPlist.strings in a text editor
5. Navigate to the line which says
“Folder” = “Folder”;
at around line 7 of the file, and simply add an empty space or a symbol (such as “.” or “~”) in front of the second “Folder”.
6. Save the text file, type in the Administrator password when asked, and close the text file.
7. The final step would be to restart finder, which you can achieve by holding in the ALT or OPTION key and right clicking on the Finder icon in Dock, then selecting Relaunch.

Full detailed tutorial can be found here: thanks to “Budding”

It seems this user can’t connect to the mysql gets access denied:
Access denied for user ‘user’@'machine_bbbbb’ (using password: YES)

Note that the machine the user is being seen from is totally different from the one I set up in the grant!! WHY?

run a reverse lookup on the ip of machine_aaaaa, turns out it shows machine_bbbbb. So I figure a big bad guy messed up /etc/hosts, I was right! `cat /etc/hosts` just to find an entry for machine_aaaaa blehh

Ok, solution is to remove the entry from /etc/hosts (after finding out it wasn’t even necessary and wasn’t even supposed to be there in the first place), restart nscd.

Retry
AGAIN – Access denied for user ‘user’@'machine_bbbbb’ (using password: YES)

What the ….

What’s wrong now? — yeah silly me forgot to `flush hosts` :)

Retry
YOHOO I’m in!

I’ve seen quite a few blogs about disabling name resolve in mysql with skip-name-resolve and granting privileges using IPs – something which would also have avoided the above (but still not found the root of the problem):

http://jeremy.zawodny.com/blog/archives/011421.html
http://www.mysqlperformanceblog.com/2008/05/31/dns-achilles-heel-mysql-installation/

Irony (from the Ancient Greek εἰρωνεία eirōneía, meaning hypocrisy, deception, or feigned ignorance) is a situation, literary technique or rhetorical device, in which there is an incongruity, discordance or unintended connection that goes beyond the most evident meaning. It is the expression of one’s meaning by using language that normally signifies the opposite.

Types of irony
Modern theories of rhetoric distinguish among verbal, dramatic and situational irony.
▪ Verbal irony is a disparity of expression and intention: when a speaker says one thing but means another, or when a literal meaning is contrary to its intended effect. An example of this is sarcasm.
▪ Dramatic irony is a disparity of expression and awareness: when words and actions possess a significance that the listener or audience understands, but the speaker or character does not.
▪ Situational irony is the disparity of intention and result: when the result of an action is contrary to the desired or expected effect. Likewise, cosmic irony is disparity between human desires and the harsh realities of the outside world (or the whims of the gods). By some definitions, situational irony and cosmic irony are not irony at all.


mysql> explain SELECT COUNT(ac.UID) FROM ACTIVE ac JOIN ALL a;
+----+-------------+-------+------+---------------+------+---------+------+---------+-------+
| id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra |
+----+-------------+-------+------+---------------+------+---------+------+---------+-------+
| 1 | SIMPLE | ac | ALL | NULL | NULL | NULL | NULL | 124426 | |
| 1 | SIMPLE | a | ALL | NULL | NULL | NULL | NULL | 7594256 | |
+----+-------------+-------+------+---------------+------+---------+------+---------+-------+
2 rows in set (0.01 sec)

mysql> SELECT COUNT(ac.UID) FROM ACTIVE ac JOIN ALL a ON ac.UID=a.UID;
+---------------+
| COUNT(ac.UID) |
+---------------+
| 17466 |
+---------------+
1 row in set (0.23 sec)

mysql> set @tot = (SELECT COUNT(ac.UID) FROM ACTIVE ac JOIN ALL a ON ac.UID=a.UID);

^CQuery aborted by Ctrl+C


Took more than 60seconds —- what the …..
Why did it take a long?


mysql> set @a=2;
Query OK, 0 rows affected (0.00 sec)

mysql> select @a;
+------+
| @a |
+------+
| 2 |
+------+
1 row in set (0.00 sec)

mysql> set @tot = (SELECT COUNT(*) FROM ACTIVE);
Query OK, 0 rows affected (0.13 sec)

mysql> select @tot;
+--------+
| @tot |
+--------+
| 124426 |
+--------+
1 row in set (0.00 sec)

mysql> set @tot = (SELECT COUNT(ac.UID) FROM ACTIVE ac);
Query OK, 0 rows affected (0.22 sec)

mysql> select @tot;
+--------+
| @tot |
+--------+
| 124426 |
+--------+
1 row in set (0.00 sec)

mysql> SELECT COUNT(ac.UID) FROM ACTIVE ac, ALL a;
+---------------+
| COUNT(ac.UID) |
+---------------+
| 944922897056 |
+---------------+
1 row in set (0.05 sec)

mysql> set @tot=(SELECT COUNT(ac.UID) FROM ACTIVE ac JOIN ALL a);
^CQuery aborted by Ctrl+C
ERROR 1317 (70100): Query execution was interrupted


Reason? …. the query is using the MySQL optimiser rather than the IB one! Why? good question (will have to ask IB devs though).

Work around, use ac temporary table to store the result and setting the variable to the result field, but it’s really ugly isn’t it?

* Added reconciliation from mysql to securich during installation

The above feature enables the installation of securich on instances already in operation without loosing any of the current user base and associated privileges (unlike previous versions which were mostly usable on new instances without user base).

* Added mysql version check for connection kill using processlist view in information_schema available as from 5.1.7

* Added auditing of users changing password via MySQLs own `set_password`
* Added auditing of role creation and updates
* Added auditing of grants / revokes

With auditing, the dba will be able to look at when a particular permission was granted, and by whom, which roles were updated and what kind of update, privilege added/removed as well as auditing of users trying to change passwords through MySQL rather than through Securich which would otherwise possibly make password complexity and aging futile.

Also some naming changes have been made in order to achieve more “MySQL’ly’ like commands:

* Stored proc check_roles was renamed to show_roles
* Stored proc check_role_privileges was renamed to show_privileges_in_roles
* Stored proc check_user_privileges was renamed to show_user_privileges
* Stored proc check_privilege_users was renamed to show_users_with_privilege
* Stored proc check_user_list was renamed to show_user_list
* Stored proc check_user_entries was renamed to show_user_entries
* Stored proc check_full_user_entries was renamed to show_full_user_entrie

Anyone interested in enhancing the functionality of securich can also use the new test scripts implemented in order to make sure nothing was broken by code change.

Bug reports / feature requests can be done through google code at http://code.google.com/p/securich.

will all manage to get into mysql given the way mysql authenticates users is against your username and client host from where you are connecting.

This verification is done versus the following columns in the mysql.user table, i.e., User,Host and Password columns.
An entry in the mysql.user table with the following values User=”, Host=’%’ will accept ANY user connecting from ANYWHERE in the world, thus disabling ANY security. Hence the reason for this blog post highlighting the importance of dropping such accounts, at least in all environments apart from dev.

Further information at:

http://dev.mysql.com/doc/refman/5.1/en/connection-access.html

Feel free to send me links you think might be good to add in order to help others.

Remember, SHARING IS CARING!!! …. we get so much for free, why shouldn’t we give some back?

Cheers,
Darren