My .passwd file contains 2 usernames and 2 passwords.
userNameX:$apr1$F3EFwwfP$W4gD4e/W98FerHQWDErfX0
userNameY:$apr1$Nq21ft8f$CRW4OdeRDVLsLnFwFaXyE0
They have been automatically generated by the old server just providing username and clear password.
Now I have just moved to the AWS Elastic Beanstalk, these two usernames/passwords work very well, but I would like to create more users and passwords. How should I do?
If you want to use htpasswd, look at htpasswd - Options.
There, you have the warning about password on the command line
-b
Use batch mode; i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line. For script use see the -i option. Available in 2.4.4 and later.
And the recommended option -i:
-i
Read the password from stdin without verification (for script usage).
This way, you can pass the password through standard input through a pipe (e.g. popen).
You can also look at some authentication module, depending on the language and web framework you use.
Related
I frequently have to connect to vpn for work. So rather than typing the whole cmd, i want to type something like vpn in terminal and it picks up the password from somewhere and the vpn gets connected.
The process I do now is..
sudo openvpn --config <configfile.ovpn>
I'll be prompted to type the password and when i do that it gets connected.
For the same I explored alias but I suppose alias is for much simpler task. Any solutions, how to pass password automatically when terminal ask for it?
You can create an alias and use it .
In your .bashrc, you can create an alias
alias vpn=« Your command »
Then you will just type the command vpn.
Here a link that can help you
When the password is asked interactively the best options is add the --askpass argument and send the password through a file.
openvpn --config <configfile.ovpn> --askpass <file with cred>
You can also add automatically the password using expect or similar, but the best option is using the own openvpn.
--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to
type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password
you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.
If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using
an encrypted key.
You can put the password into a file and point your OpenVPN client configuration to it.
It is obviously a bad idea for security to store passwords in plain text on your hard drive!
If you still want to do it, put your user name and password in a plain text file on two lines, like so:
username
password
Add a line
auth-user-pass passwordfile
to your OpenVPN client configuration where passwordfile is the name of the file.
Note this only works in OpenVPN 2 and is no longer supported in version 3. See this blog post about it: https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/
I'm trying to use Vim as a substitute for DreamWeavers nice FTP-client sidebar. But I would like for Vim to 'remember' my logins, - so I don't need to get the FTP-address, the username and the password, every time I need to connect to a remote server, to make some changes.
I've made it as far as to figure out, that one can setup a .netrc-file, where you can save login-credentials (and possibly encrypt it using GPG, which I will look into, after I've goten this to work). I can find endless manuals and tutorials about how to setup the .netrc-file, - but no information on how to actually use this .netrc-file.
So if my .netrc-file looks like this:
machine <hostname1>
login <login1>
password <password1>
machine <hostname2>
login <login2>
password <password2>
Then how to I for instance connect to <hostname2>? Do I write vim <hostname2> - and if so, then what if I have several different remote servers on the same host (where the user and password-credentials vary)?
Ideally, I would like to just be able to write something along the lines of
vim ftp://MY_OWN_NICKNAME_FOR_A_REMOTE_SERVER
Whereafter Vim will find the credentials in the .netrc-file and connect me to the given server. How do I do this?
The .netrc file supplies vim with usernames and passwords of remote servers. On the command line, when vim is supplied with a hostname that matches a machine name defined in .netrc, it plugs in the username and password into the url. For example, if I wanted to connect to ftp.server1.com and automatically login I would need to do set up the following in my .netrc file:
$ < .netrc
machine ftp.server1.com login username password "secretpassword"
$ vim ftp://ftp.server1.com/
If I wanted multiple hostnames setup in my .netrc, I would just add a new entry:
$ < .netrc
machine ftp.server1.com login username password "secret password"
machine ftp.server2.com login username password "secretpassword1"
machine ftp.server3.com login different_username password "secretpassword2"
What may be confusing is that you can not alias the hostname. When I first starting using this feature, I thought machine was a variable I could supply -- but this is not the case. That said, a shell aliases will fill-in for vim's lack:
$alias server1=ftp://ftp.server1.com/
$vim $server1
Note: you need that trailing / on the urls to tell vim you're browsing. Also note there are further complications when using a windows os as detailed in :help netrw.
I have a script that adds users to a linux system. I was intending to have a step that sets the root pw to a default but how can I do this without having that pw in cleartext in the script?
Take a look at usermod's option "-p" in the manpage:
-p, --password PASSWORD
The encrypted password, as returned by crypt(3).
Note: This option is not recommended because the password (or encrypted
password) will be visible by users listing the processes.
The password will be written in the local /etc/passwd or /etc/shadow file.
This might differ from the password database configured in your PAM
configuration. You should make sure the password respects the system's
password policy.
One way might be to have your script write the new user info to a file. Then, have another script (executed by root) which actually adds the new users using the useradd command. Perhaps the second script can be a cron job that runs every couple of minutes. It wouldn't be in real time, but I would feel better about the security of doing it this way, rather than having a root password in a public-facing script.
In a shell script file I am using some commands like scp and make install which ask for my password.
I run a shell script to compile a big project, and after some time it asks for my password for using scp. I need to wait for that process and give the password after that.
I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?
Short answer: DON'T
Use public key authentication for SCP and sudo with NOPASSWD directive for make install
If you can't use ssh trust and must enter the password later on in your script, use read -s -p "Password:" USER_PASSWORD to silently read in the password. You can then export USER_PASSWORD to an expect script, avoiding it being displayed in ps:
#!/usr/bin/expect -f
spawn scp some.file USER#otherhost:~
expect "assword:"
send -- "$env(USER_PASSWORD)\r"
expect eof
I think it's a better idea to generate an authentication key, and use this key based authentication instead of writing plain text passwords into your scripts.
No, you won't find any method to use SSH config files or a command line option to have a password hard coded and I'm sure this is by design.
If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don't have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.
If you are using this across several users who you don't want to be bothered to create keys and copy them to the server, you could script that also. It wouldn't be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can't without a password, then you'd ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own ~/.script/key/ directory so that you would discourage users access to the SSH server.
If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.
A good way we did this in the past to provide passwords to needed scripts when using key based authentication was impossible or needed to use passwords for apps, services, mysql, whatever...we stored passwords in an encrypted file and then decrypted this file at runtime to provide the password to the scripts.
The password decryption script, let's call it, yourcreds.rb, was restricted to root use only of course and the unencrypted passwords wern't stored anywhere. So for example you could run:
root#host:~# yourcreds.rb | grep mysql | awk {'print $3'}
Which without awk would for example output the stored line:
service | user | password | description | etc...
mysql mysqluser password ....
With yourcreds.rb (or whatever) you can output just the password and easily incorporate this method into scripts / cron jobs in larger or more complex environments.
Also if I remember correctly we didn't have to use grep / awk or anything. We just programmed in opts parse stuff like: yourcreds.rb list mysql or yourcreds.rb -l, etc.
We used blowfish and yamls to store the encrypted passwords. I'm sure you can be creative. Just make sure it's bullet proof to anyone but root.
Typically in a large network a computer needs to operate behind an authenticated proxy - any connections to the outside world require a username/password which is often the password a user uses to log into email, workstation etc.
This means having to put the network password in the apt.conf file as well as typically the http_proxy, ftp_proxy and https_proxy environment variables defined in ~/.profile
I realise that with apt.conf that you could set chmod 600 (which it isn't by default on Ubuntu/Debian!) but on our system there are people who need root priveleges .
I also realise that it is technically impossible to secure a password from someone who has root access, however I was wondering if there was a way of obscuring the password to prevent accidental discovery. Windows operates with users as admins yet somehow stores network passwords (probably stored deep in the registry obscured in some way) so that in typical use you won't stumble across it in plain text
I only ask since the other day, I entirely by accident discovered somebody elses password in this way when comparing configuration files across systems.
#monjardin - Public key authentication is not an alternative on this network I'm afraid. Plus I doubt it is supported amongst the majority of commandline tools.
#Neall - I don't mind the other users having web access, they can use my credentials to access the web, I just don't want them to happen across my password in plain text.
With the following approach you never have to save your proxy password in plain text. You just have to type in a password interactively as soon as you need http/https/ftp access:
Use openssl to encrypt your plain text proxy password into a file, with e.g. AES256 encryption:
openssl enc -aes-256-cbc -in pw.txt -out pw.bin
Use a (different) password for protecting the encoded file
Remove plain text pw.txt
Create an alias in e.g. ~/.alias to set your http_proxy/https_proxy/ftp_proxy environment variables (set appropriate values for $USER/proxy/$PORT)
alias myproxy='PW=`openssl aes-256-cbc -d -in pw.bin`; PROXY="http://$USER:$PW#proxy:$PORT"; export http_proxy=$PROXY; export https_proxy=$PROXY; export ftp_proxy=$PROXY'
you should source this file into your normal shell environment (on some systems this is done automatically)
type 'myproxy' and enter your openssl password you used for encrypting the file
done.
Note: the password is available (and readable) inside the users environment for the duration of the shell session. If you want to clean it from the environment after usage you can use another alias:
alias clearproxy='export http_proxy=; export https_proxy=; export
ftp_proxy='
I did a modified solution:
edit /etc/bash.bashrc and add following lines:
alias myproxy='read -p "Username: " USER;read -s -p "Password: " PW
PROXY="$USER:$PW#proxy.com:80";
export http_proxy=http://$PROXY;export Proxy=$http_proxy;export https_proxy=https://$PROXY;export ftp_proxy=ftp://$PROXY'
From next logon enter myproxy and input your user/password combination! Now work with sudo -E
-E, --preserve-env
Indicates to the security policy that the user wishes to reserve their
existing environment variables.
e.g. sudo -E apt-get update
Remark: proxy settings only valid during shell session
There are lots of ways to obscure a password: you could store the credentials in rot13 format, or BASE64, or use the same password-scrambling algorithm that CVS uses. The real trick though is making your applications aware of the scrambling algorithm.
For the environment variables in ~/.profile you could store them encoded and then decode them before setting the variables, e.g.:
encodedcreds="sbbone:cnffjbeq"
creds=`echo "$encodedcreds" | tr n-za-mN-ZA-M a-zA-Z`
That will set creds to foobar:password, which you can then embed in http_proxy etc.
I assume you know this, but it bears repeating: this doesn't add any security. It just protects against inadvertently seeing another user's password.
Prefer applications that integrate with Gnome Keyring. Another possibility is to use an SSH tunnel to an external machine and run apps through that. Take a look at the -D option for creating a local SOCKS proxy interface, rather than single-serving -L forwards.
Unless the specific tools you are using allow an obfuscated format, or you can create some sort of workflow to go from obfuscated to plain on demand, you are probably out of luck.
One thing I've seen in cases like this is creating per-server, per-user, or per-server/per-user dedicated credentials that only have access to the proxy from a specific IP. It doesn't solve your core obfuscation problem but it mitigates the effects of someone seeing the password because it's worth so little.
Regarding the latter option, we came up with a "reverse crypt" password encoding at work that we use for stuff like this. It's only obfuscation because all the data needed to decode the pw is stored in the encoded string, but it prevents people from accidentally seeing passwords in plain text. So you might, for instance, store one of the above passwords in this format, and then write a wrapper for apt that builds apt.conf dynamically, calls the real apt, and at exit deletes apt.conf. You still end up with the pw in plaintext for a little while, but it minimizes the window.
Is public key authentication a valid alternative for you?
As long as all three of these things are true, you're out of luck:
Server needs web access
Users need absolute control over server (root)
You don't want users to have server's web access
If you can't remove #2 or #3, your only choice is to remove #1. Set up an internal server that hosts all the software updates. Keep that one locked down from your other users and don't allow other servers to have web access.
Anything else you try to do is just fooling yourself.
we solved this problem by not asking for proxy passwords on rpm, apt or other similar updates (virus databases, windows stuff etc)
That's a small whitelist of known repositories to add to the proxy.
I suppose you could create a local proxy, point these tools through that, and then have the local proxy interactively ask the user for the external proxy password which it would then apply. It could optionally remember this for a few minutes in obfuscated internal storage.
An obvious attack vector would be for a privileged user to modify this local proxy to do something else with the entered password (as they could with anything else such as an email client that requests it or the windowing system itself), but at least you'd be safe from inadvertent viewing.