Store Password For Current Terminal Session - security

I am writing a command line app in Go that allows automating the configuration of networking devices over SSH. Unfortunately, most of these devices are configured for password authentication rather than key authentication. Is there a way to temporarily and securely store the user's password for only the current terminal session? Similar to how setting an environment variable with export ENV_VAR=<value> only stores the environment variable for the current session. For example, a user opens the terminal, runs my CLI, and is prompted for their password. For subsequent calls to my program, I'd like to not prompt the user for their password again. If the user closes their terminal then comes back later, however, I would want the password prompt to reappear when my CLI is called. If possible, I would like to do this without using a database since the number of users of my CLI will be very small.

Related

Force SSH to prompt for user

Since I am very used to being prompted for my user-id while using putty or MobaXterm in SSH sessions I expected to have the same behaviour when using SSH in the windows terminal but that is not the case.
If I try it without specifying a user via
ssh <servername>
the command line will just use my Windows user, which I don't want, since all of my hosts have too many technical users and entering them on the fly is way simpler for me than creating 3-4 configs/profiles for each host.
I already tried creating a config file "C:\Users\<my-user>\.ssh\config" and played around with overwriting the "User" config via making a blank entry like
Host *
User
which obviously didn't work.
Do you think I need to write some sort of wrapper in order to get a proper "login as:" prompt or am I just missing some simple configuration that needs to be adapted?
Luckily I found a solution for this.
When creating a new profile I added the following line as a command:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe /c "$login_user = Read-Host -Prompt 'login as'; ssh $login_user@<hostname>"
Replace the "<hostname>" above with whatever server you want to access.

External script for account using pam_exec for openssh

I have a PHP application, with Usernames and Public SSH Keys in it. I would like to use these accounts as the user back end of openssh.
I think I need to use pam_exec and a PHP/Bash script. I've written a php script that I can execute at CLI (The shebang sets an env of php executable). If I need to wrap this in a bash script instead to access environment variables I can do that. The script currently takes a username as its first and only parameter like so:
/opt/scripts/my-auth-script.php user_to_look_for
The script will exit zero on success (the user exists) or exit 1 if not. It currently echoes OK or Failed also but I can easily turn that off.
So, my question is, how do I have pam_exec call my script to look for user accounts, before looking on the actual host system for user accounts?
I've got it working. The way to do this is to set the AuthorizedKeysCommand and AuthorisedKeyUser settings of openssh in sshd_config. There is a caveat: the reason that GitHub and others provide SSH as a service through a single login user shared among customers is that the user being called must be resolvable by the system being logged into, so they must exist locally, or the user db must be connected to a remote source like LDAP, which would also then have to be integrated into the application.
The way to get around this, though, is that the AuthorizedKeyCommand can take parameters, %u for username, and also in this case %k for key or %f for sha256 fingerprint of the key. Then, that script can ignore the generic username it was given, and then just check the database for a match for the key or fingerprint. If we find it, we have the user for that key and successful authentication. If not, we don't.
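A sketch of the key-lookup helper described above, as an added example that is not the poster's script: sshd runs the program named in `AuthorizedKeysCommand` (as the account set in `AuthorizedKeysCommandUser`) and accepts the offered key only if it matches an authorized_keys line printed on stdout. The helper path, the `app-shell` forced command, the in-memory store and the sample key are assumptions made for the illustration.

```python
import base64
import hashlib
import re
import struct
import sys

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 key blob, in the form sshd passes as %f."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_keys_line(key_type, key_b64, users_by_fp):
    """Return the authorized_keys line for a known key, else None.

    The login name (%u) is deliberately not an input: the key alone
    identifies the application user.
    """
    try:
        app_user = users_by_fp.get(fingerprint(key_b64))
    except ValueError:          # not valid base64
        return None
    # Refuse names that could break out of the quoted command="" option.
    if app_user is None or not re.fullmatch(r"[a-z0-9_-]{1,32}", app_user):
        return None
    # 'restrict' turns off forwarding and pty; the forced command pins the
    # session to this application user. app-shell is a hypothetical path.
    return (f'restrict,command="/opt/scripts/app-shell {app_user}" '
            f"{key_type} {key_b64}")

def sample_key(pub):
    """Build a constructed ssh-ed25519 blob (not a real key) for the demo."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()

SAMPLE_KEY = sample_key(bytes(range(32)))
STORE = {fingerprint(SAMPLE_KEY): "alice"}   # stands in for the app database

if __name__ == "__main__":
    # Assumed sshd_config line: AuthorizedKeysCommand /opt/scripts/keys.py %t %k
    line = authorized_keys_line(sys.argv[1], sys.argv[2], STORE)
    if line:
        print(line)             # printing nothing authorizes no key
```

Because every customer logs in as the same system account, the forced command is what carries the application identity into the session, so the user name written into it is validated before it is emitted.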

How can I reset the password of Jenkins?

I just noticed I cannot log in to my Jenkins.
How can I reset my password and access my account again? I do not see any link to recover passwords and they seem to be hashed in the installation directory.
In How to reset password of Jenkins you have a set of tricks to make this happen. I based my solution on it, but it diverges in a certain point.
This is what I did to solve the issue:
Let's assume Jenkins' directory is stored in $JENKINS (in my machine this is /var/lib/jenkins/) and your username is user.
Allow signups by disabling disableSignup. This means editing $JENKINS/config.xml and setting this option to false:
<disableSignup>false</disableSignup>
Restart Jenkins (service jenkins restart).
Enter in Jenkins and register a new user, for example testuser, with the password being the one you want to set to your user user.
Extract the hashed password from $JENKINS/users/testuser/config.xml. You will see something like:
<passwordHash>#jbcrypt:$2a$10$PY7p4dxFiGSgJpxiNVTQDuJKAQ8pr9snDgQXaafogjErvgB0oC3qy</passwordHash>
Set the user's password to this one in <passwordHash>. That is, edit $JENKINS/users/user/config.xml and replace the password there to set the one above.
Disallow signups back by enabling disableSignup. That is, in $JENKINS/config.xml set the disableSignup option back to true:
<disableSignup>true</disableSignup>
Restart Jenkins again.
Note you can also replace the password directly by generating a jBCrypt. For example, in http://www.mindrot.org/projects/jBCrypt/ you can find some Java code for it.
A different approach for Windows that solved this issue for me:
In
C:\Windows\System32\config\systemprofile\AppData\Local\Jenkins\.jenkins\config.xml, change useSecurity to false.
Then restart Jenkins, you will now get full access without login. Go to People, select the old admin user and delete the user.
Then set
<disableSignup>false</disableSignup>
and
<useSecurity>true</useSecurity>
Restart Jenkins again, and you will now be able to register again.
Finally
<disableSignup>true</disableSignup>

Mongoose hide password in URI

With mongoose.connect('mongodb://username:password@host:port/database?options...');, which I use in a script, I don't suppose there is any real way to hide the password?
Should I even be concerned if the MongoDB is only listening on 127.0.0.1? If my server can get exploited then they can just cat that script to get the password.
You can put the password in an environment variable when launching node, or read it from a file not checked into source control. If mongodb is only listening on localhost, an attacker would not be able to connect directly to the database from a remote machine. It would still be advisable to configure your firewall to block remote access, just in case some configuration change opens mongodb up publicly.
Here may be one related topic Store db password as plain text in node.js
Solution 1:
Use an environment variable.
Run your app with MONGO_PASSWORD=yourpasswd node app
Then you can access it inside the app with process.env.MONGO_PASSWORD
Solution 2:
Make a module (I call it "secrets") that exports all of your secret credentials. Don't check it into source control. Then, your app can just require('secrets').
Solution 3:
Trousseau is an encrypted key-value store designed to be a simple, safe and trustworthy place for your data.
All the answers above are good suggestions, but they still leave the password visible on the host in an easy-to-figure-out location... either in a shell env variable or a file.
What I decided to do is upon every server boot up, make a job that creates a file for the mongoose script to be read that has the password. Then, have a cron job that deletes the file after 5 minutes after boot up. That password still exists on the system, but it would be much harder to trace where.
You will create a .env file on your node file. Then you put your user name and password just like this: DB_USER=Your Username and DB_PASS=Your password.
Then you will insert it into your index.js file by [image]

GNU Mailman Admin Interface Login

Every time I try to get access to the web interface via http://domain.com/admin/liste a login console pops up, and it requires a Username and a Password. What is that Username (and PW)?
I don't know why you will see a username field. It should only ask you for a list password. The list password can be changed in Linux terminal using change_pw command, and site-wide password can be set using mmsitepass command.
List of mailman terminal commands:
http://www.gnu.org/software/mailman/site.html
Maybe you can tell us what system you are using.
