SSO registers with phpmyadmin as root user

What app is this about, and its version: PHPMyAdmin
What YunoHost version are you running: 12.1.39
What type of hardware are you using: Old laptop or computer

Describe your issue

I installed YunoHost as a Playground Server for my pupils.

To experiment with databases I wanted to give them access to individual DBs but noticed that the SSO mechanism grants them access to PHPMyAdmin as phpmyadmin_root@localhost regardless of which user is logged in to the YunoHost system.

This is not suitable for my purpose. I need to restrict access to their individual DB so they can play with it using PHPMyAdmin.

Share relevant logs or error messages

no logs to share

Unfortunately, this is not how the app was packaged.

You can play around with Installation — phpMyAdmin 5.2.4-dev documentation and try to adjust the configuration accordingly I guess :person_shrugging:

I tried to figure out the best solution for my use case, aided by Claude.

Remote access is vital. Students will write small Python programs on their laptops that connect to their DBs.

YunoHost phpMyAdmin uses auth_type = 'config'

Based on the source code, YunoHost’s phpMyAdmin package uses:

$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = '__DB_ADMIN_USER__';
$cfg['Servers'][$i]['password'] = '__DB_ADMIN_PWD__';

This hardcodes the MySQL user (phpmyadmin_root) in the config. SSO only controls access to the URL, not which MySQL user is used.

Solution: Change to cookie auth + map username

in /var/www/phpmyadmin/config.inc.php:

$cfg['Servers'][$i]['auth_type'] = 'cookie';
// Remove or comment out the hardcoded user/password lines

Then add a hook file /var/www/phpmyadmin/libraries/config.default.php or modify index.php to inject:

if (isset($_SERVER['REMOTE_USER'])) {
    $_POST['pma_username'] = $_SERVER['REMOTE_USER'];
}

Result: Students still protected by SSO, but must enter their MySQL password (username pre-filled).

Limitation: Still requires password entry. True passwordless SSO requires socket auth (localhost only) or password sync mechanism.


Does this sound correct?
I don’t want to start experimenting on a live system that currently hosts ~12 services for educational purposes.
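As an added example (not the YunoHost package's config.inc.php and not code from this thread), here is the shipped 'config' mode next to a cookie-auth version in which each student authenticates with their own MySQL account; $i is phpMyAdmin's usual server index, and the student_ account prefix and the 32-byte secret are placeholders I chose:

```php
<?php
// Added example, not YunoHost's packaged config. Assumptions: student MySQL
// accounts are named student_<name>; blowfish_secret below is a placeholder.
declare(strict_types=1);

$i = 1;
$cfg['Servers'][$i]['host'] = 'localhost';

// --- As packaged: every SSO user becomes the admin account ---
// SSO only gates the URL; whoever passes it works as phpmyadmin_root.
// $cfg['Servers'][$i]['auth_type'] = 'config';
// $cfg['Servers'][$i]['user']      = 'phpmyadmin_root';
// $cfg['Servers'][$i]['password']  = '...';

// --- Hardened: phpMyAdmin asks each student for their own MySQL login ---
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// Cookie auth encrypts the stored login with this secret (must be 32 bytes).
$cfg['blowfish_secret'] = 'REPLACE_WITH_32_RANDOM_BYTES____'; // placeholder
$cfg['Servers'][$i]['AllowRoot']       = false; // no root via the web UI
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// Only student_* accounts may log in through this instance at all;
// deny rules are applied first, then the allow rule overrides for students.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'deny % from all',
    'allow student_% from all',
];

// What actually limits a student to their own database is the MySQL grant,
// created once per student on the server side (constructed names), e.g.:
//   CREATE USER 'student_ana'@'%' IDENTIFIED BY '<her password>';
//   GRANT ALL PRIVILEGES ON student_ana.* TO 'student_ana'@'%';
// The same account then works from phpMyAdmin and from a Python client.
```

With this setup the SSO still decides who reaches the phpMyAdmin URL, while the MySQL grants decide which database each login can touch, which is the restriction the thread asks for.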

You mean you are planning to use a production server for students to learn and experiment? This sounds like a bad idea.

Why not create a VM using incus (already available in the YunoHost catalog) for this task, so in case something goes wrong, you can just recreate the VM.

This is a server dedicated to various educational purposes. One is learning DB management and SQL.
