PhpMyAdmin supports various authentication methods, some of which are:
- Config Authentication: It is the default authentication method in phpMyAdmin. It uses a username and password that are stored in the configuration file.
- HTTP Authentication: PhpMyAdmin can use the web server’s built-in authentication system. Users need to enter their credentials each time they want to access phpMyAdmin.
- Cookie Authentication: PhpMyAdmin uses a session cookie to authenticate users. The user’s credentials are stored in a cookie, so they do not need to enter their credentials each time they access phpMyAdmin.
- LDAP Authentication: PhpMyAdmin can use an LDAP server to authenticate users. The user’s credentials are checked against the LDAP server’s user database.
- Signon Authentication: PhpMyAdmin can use a single sign-on (SSO) system to authenticate users. The user’s credentials are checked against the SSO system’s user database.
- Two-Factor Authentication: PhpMyAdmin can use two-factor authentication (2FA) to increase security. Users must enter a second form of authentication, such as a code sent to their phone, in addition to their username and password.
Recommended for Multiuser
HTTP and cookie authentication modes are recommended in a multi-user environment where you want to give users access to their own database and don’t want them to play around with others.
HTTP and cookie authentication modes are more secure: the MySQL login information does not need to be set in the phpMyAdmin configuration file (except possibly for the $cfg['Servers'][$i]['controluser']). However, keep in mind that the password travels in plain text unless you are using the HTTPS protocol. In cookie mode, the password is stored, encrypted with the AES algorithm, in a temporary cookie.
With HTTP or cookie authentication mode, you don’t need to fill the user/password fields inside the $cfg['Servers'].
HTTP authentication mode
Uses HTTP Basic authentication method and allows you to log in as any valid MySQL user.
Cookie authentication mode
- Username and password are stored in cookies during the session and password is deleted when it ends.
- With this mode, the user can truly log out of phpMyAdmin and log back in with the same username (this is not possible with HTTP authentication mode).
- If you want to allow users to enter any hostname to connect (rather than only servers that are configured in
config.inc.php), see the$cfg['AllowArbitraryServer']directive.
Config authentication mode
- This mode is sometimes the less secure one because it requires you to fill the
$cfg['Servers'][$i]['user']and$cfg['Servers'][$i]['password']fields (and as a result, anyone who can read yourconfig.inc.phpcan discover your username and password). - In the ISPs, multi-user installations section, there is an entry explaining how to protect your configuration file.
- For additional security in this mode, you may wish to consider the Host authentication
$cfg['Servers'][$i]['AllowDeny']['order']and$cfg['Servers'][$i]['AllowDeny']['rules']configuration directives. - Unlike cookie and http, does not require a user to log in when first loading the phpMyAdmin site. This is by design but could allow any user to access your installation. Use of some restriction method is suggested, perhaps a .htaccess file with the HTTP-AUTH directive or disallowing incoming HTTP requests at one’s router or firewall will suffice (both of which are beyond the scope of this manual but easily searchable with Google).
Securing your phpMyAdmin installation
The phpMyAdmin team tries hard to make the application secure, however there are always ways to make your installation more secure:
- Follow our Security announcements and upgrade phpMyAdmin whenever new vulnerability is published.
- Serve phpMyAdmin on HTTPS only. Preferably, you should use HSTS as well, so that you’re protected from protocol downgrade attacks.
- Ensure your PHP setup follows recommendations for production sites, for example display_errors should be disabled.
- Remove the
testdirectory from phpMyAdmin, unless you are developing and need a test suite. - Remove the
setupdirectory from phpMyAdmin, you will probably not use it after the initial setup. - Properly choose an authentication method – Cookie authentication mode is probably the best choice for shared hosting.
- Deny access to auxiliary files in
./libraries/or./templates/subfolders in your webserver configuration. Such configuration prevents from possible path exposure and cross side scripting vulnerabilities that might happen to be found in that code. For the Apache webserver, this is often accomplished with a .htaccess file in those directories. - Deny access to temporary files, see
$cfg['TempDir'](if that is placed inside your web root, see also Web server upload/save/import directories. - It is generally a good idea to protect a public phpMyAdmin installation against access by robots as they usually can not do anything good there. You can do this using
robots.txtfile in the root of your webserver or limit access by web server configuration, see 1.42 How can I prevent robots from accessing phpMyAdmin?. - In case you don’t want all MySQL users to be able to access phpMyAdmin, you can use
$cfg['Servers'][$i]['AllowDeny']['rules']to limit them or$cfg['Servers'][$i]['AllowRoot']to deny root user access. - Enable Two-factor authentication for your account.
- Consider hiding phpMyAdmin behind an authentication proxy, so that users need to authenticate prior to providing MySQL credentials to phpMyAdmin. You can achieve this by configuring your web server to request HTTP authentication. For example in Apache this can be done with:AuthType Basic AuthName “Restricted Access” AuthUserFile /usr/share/phpmyadmin/passwd Require valid-user Once you have changed the configuration, you need to create a list of users which can authenticate. This can be done using the htpasswd utility:htpasswd -c /usr/share/phpmyadmin/passwd username
- If you are afraid of automated attacks, enabling Captcha by
$cfg['CaptchaLoginPublicKey']and$cfg['CaptchaLoginPrivateKey']might be an option. - Failed login attempts are logged to syslog (if available, see
$cfg['AuthLog']). This can allow using a tool such as fail2ban to block brute-force attempts. Note that the log file used by syslog is not the same as the Apache error or access log files. - In case you’re running phpMyAdmin together with other PHP applications, it is generally advised to use separate session storage for phpMyAdmin to avoid possible session-based attacks against it. You can use
$cfg['SessionSavePath']to achieve this.
Suggest PhpMyAdmin secured authentication methods
PhpMyAdmin is a popular web-based application used for managing MySQL databases. To secure the authentication process in PhpMyAdmin, you can implement the following methods:
- Two-Factor Authentication (2FA): Enable 2FA for PhpMyAdmin login, which requires users to provide an additional security code along with their username and password to log in. This helps to prevent unauthorized access to the PhpMyAdmin application.
- Secure Passwords: Ensure that users create strong passwords that meet complexity requirements. Implement password policies such as minimum password length, a combination of letters, numbers, and symbols, and regular password expiration.
- IP Restriction: Restrict access to the PhpMyAdmin application based on IP addresses, so only authorized users with a specific IP address can access the application.
- HTTPS Encryption: Implement HTTPS encryption for all data transmitted between the client and the server, including login credentials and sensitive data.
- Brute Force Protection: Implement brute force protection mechanisms to prevent attackers from guessing login credentials. This can include measures such as account lockouts, CAPTCHAs, or rate-limiting login attempts.
- Use Authentication Plugins: Implement authentication plugins to increase security. For example, LDAP or Active Directory authentication can be used to authenticate users, which ensures that only authorized users can access the PhpMyAdmin application.
- Regular Updates: Keep the PhpMyAdmin application updated with the latest security patches and updates to prevent security vulnerabilities.
What is the use of pma user in phpmyadmin?
The “pma” user in PhpMyAdmin is created during the installation process and is used by PhpMyAdmin to manage its own configuration and settings. This user is not intended for regular use and should not be used to access or modify your database.
The “pma” user is used by PhpMyAdmin to perform tasks such as creating and updating its own database tables, storing configuration information, and managing session data. This user is created with restricted privileges, which means it has limited access to the database and cannot perform any potentially harmful actions.
It is important to note that the “pma” user is specific to PhpMyAdmin and should not be confused with the root user or any other user account in your MySQL or MariaDB database. The root user is the superuser account that has full privileges to perform any action in the database, while other user accounts may have more limited privileges depending on the permissions granted to them by the database administrator.
- DevOps Certified Professionals (DCP)
- Site Reliability Engineering Certified Professionals (SRECP)
- Master in DevOps Engineering (MDE)
- DevSecOps Certified Professionals (DSOCP)
URL - https://www.devopsschool.com/certification/
My Linkedin - https://www.linkedin.com/in/rajeshkumarin
- Apache Lucene Query Example - April 8, 2024
- Google Cloud: Step by Step Tutorials for setting up Multi-cluster Ingress (MCI) - April 7, 2024
- What is Multi-cluster Ingress (MCI) - April 7, 2024
