Friday, October 2, 2020

Tech Notes:- How to verify if your connection to MySQL is using encryption or not

It is often unclear whether a client connection or a replication slave is using encryption when connecting to the MySQL server. The query below tells you, for every current connection, whether it is encrypted or not:

SELECT sbt.variable_value AS tls_version,
       t2.variable_value  AS cipher,
       processlist_user   AS user,
       processlist_host   AS host
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads          AS t  ON t.thread_id  = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version'
  AND t2.variable_name  = 'Ssl_cipher'
ORDER BY tls_version;

Of course, there are other ways to find out, but this one lists every connection, whether it uses encryption or not. This worked for me on MySQL 5.7. I have not tried it on other versions, and it certainly will not work on older versions of MySQL that do not have performance_schema.
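As an added example (not part of the original post), the same performance_schema join can be turned into a plaintext-connection audit: each foreground session is labelled TLS or PLAINTEXT, unencrypted ones sort to the top, and two companion checks cover the current session and the replication slave. It assumes MySQL 5.7 with performance_schema enabled, as in the post; connections over the local Unix socket also show an empty cipher, so a PLAINTEXT row from localhost is not necessarily a problem.

```sql
-- Added example: label every client session as TLS or PLAINTEXT.
-- Assumes MySQL 5.7 with performance_schema enabled.
SELECT
    t.processlist_id                    AS connection_id,
    t.processlist_user                  AS user,
    t.processlist_host                  AS host,
    CASE WHEN cipher.variable_value = ''
         THEN 'PLAINTEXT' ELSE 'TLS' END AS transport,
    NULLIF(ver.variable_value, '')      AS tls_version,
    NULLIF(cipher.variable_value, '')   AS cipher
FROM performance_schema.threads AS t
JOIN performance_schema.status_by_thread AS ver
     ON ver.thread_id = t.thread_id
    AND ver.variable_name = 'Ssl_version'
JOIN performance_schema.status_by_thread AS cipher
     ON cipher.thread_id = t.thread_id
    AND cipher.variable_name = 'Ssl_cipher'
WHERE t.type = 'FOREGROUND'   -- client sessions only, not internal server threads
ORDER BY transport, user, host;  -- 'PLAINTEXT' sorts before 'TLS'

-- Check only the session you are currently connected with:
-- an empty Value means no TLS on this connection.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Replication slave: the IO thread's TLS settings are reported by
-- SHOW SLAVE STATUS in the Master_SSL_Allowed and Master_SSL_Cipher fields.
SHOW SLAVE STATUS\G
```

Once you have confirmed that everything you expect to be encrypted really is, MySQL 5.7 can refuse plaintext TCP connections altogether with the require_secure_transport=ON system variable.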

Monday, August 24, 2020

Tech Notes:- ssh failure Offending RSA key in /var/lib/sss/pubconf/known_hosts



@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:gEFs4gmKdgDsV2n3UhB/lNhZ/sLSM8q+5VIbl+D1S3c.
Please contact your system administrator.
Add correct host key in /dev/null to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:8
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.

This is not the usual ssh error that can be fixed by editing ~/.ssh/known_hosts and removing the relevant key entries, or by running ssh-keygen -f ~/.ssh/known_hosts -R <host>. If you try that, the key comes back and you end up with the same error.

Another option we are tempted to try is removing the offending key from /var/lib/sss/pubconf/known_hosts. This also ends in failure, because that file is generated by SSSD from the host keys stored in IPA and is rewritten on the next lookup.

Most probably this error occurs when the server was part of an IPA setup and you re-installed it without removing the relevant configuration from the IPA server. In that case the IPA server still has the SSH keys associated with the server from before it was re-installed, and those keys have to be removed from the IPA server first.

You can do that from the IPA Identity Management web UI: browse to Hosts -> <yourhostname> -> Settings, scroll down to the SSH public keys section, remove the keys and save.

Now you should be able to login to your server using ssh as usual.
