I'm working on a web app that uses SharpSVN to checkout from a repo using svn+ssh. I have configured my ssh client correctly in my AppData config file by adding the path to Plink under the [tunnels] section, but checkout requests still give me an error message. The message itself isn't particularly informative (it merely tells me to remove the -q option to better debug SSH connection issues), but I trust it's an authentication issue.
Normally in Tortoise I would just use pageant, but I don't think the IIS user has access to pageant or the keys stored on it.
Two possible solutions come to mind:
Grant IIS user access to the pageant keys
Fix configurations to allow direct storage of user/password inside web.config connectionString
Ideally, I'd like to use the second option, but I have yet to figure out how to get either of these to work. Does anybody have experience with using SVN over ssh in a web application?
Related
I built out a few applications - published intranet environment - and all of them are prompting for a username and password in order to access the application (connection to this site is not private).
I am not sure if this is an IIS Setting that needs to be adjusted, I have tried adding everything on my end with the web config settings. Even explicitly turning authentication off and allowing anonymous users, does not do anything.
So my main question is could this security prompt feature be turned off through IIS since the application web.config is yielding no results?
I have the default settings that visual studio generates along with my database connection string.
There's two different things here. First, the prompt is because Anonymous Authentication is not enabled. If you don't want any sort of authentication or authorization, you can simply enable that. However, more likely, since this is an intranet, you do actually want people to be authenticated; you just don't want them to have to "login". For that, you should enable Windows Authentication.
The second piece, "Your connection to this site is not private", is either because you're running on HTTP, rather than HTTPS, or you are using HTTPS, but don't have a valid SSL cert. The latter is a very common issue in intranet scenarios, since there's usually not a public domain you can bind a cert to. In that scenario, you need to generate a self-signed cert and install it on all machines that need to access the site. Alternatively, you can set up your own internal CA, such that you can issue and validate your own internal certificates.
In either case, the message is there to let the user know that communication with this site will not be encrypted, so sensitive things, like say a username and password, will be transmitted in plain-text and can therefore be intercepted by monitoring the network traffic. That may or may not be a concern for your intranet environment, but the message is not internet/intranet-specific.
I am trying to implement 2FA for logins on my ubuntu machine to increase security alongside with an encrypted home folder. I've opted to use the google authenticator pam module as this also works offline. I've followed the documentation on google's GitHub repository https://github.com/google/google-authenticator/blob/f2db05c52884e4d6c3894f5fd2cf10f0f686aec2/libpam/README.md but it seems to me that you can easily by-pass the MFA as:
the settings are saved in a .google_authenticator file
the settings file contains your secret key that you can use to add the account to the google authenticator app to receive OTP tokens
the .google_authenticator file must sit outside of your encrypted folder as otherwise you can't login
therefore if you boot directly into a root shell (recovery). You can get the secret key from the file and thus bypass the second factor.
Therefore I have the following questions:
am I missing something in the google authenticator set-up?
are there any other solutions that would work offline and can not be so easily bypassed?
therefore if you boot directly into a root shell (recovery)
There is a reason for that, and the reason is as you mentioned above -> recovery.
So, you are not missing anything, except the scope of 2FA: yes it can be bypassed if you have direct access to the server, but it secures remote access (SSH) perfectly fine. Unfortunately there is no way to disallow that.
"Git" gurus, could you please help me in something
As far as I know, Git access could be manipulated through server user/group authentication. but is there is any way that I can use another access authentication regardless the OS server authentication?
I mean like SVN, Users only defined for SVN
You can use ssh, combined with Gitolite (an access control library in Perl, for Git): that will use the matching between ssh public key, and the username defined only for Gitolite.
See more at "How do programs like gitolite work?".
If you are using/installing Git hosting services like GitLab (ruby) or GitbLit (java), then the users can be defined in a dedicated database for those services.
In both cases, the user authentication doesn't rely on the OS.
When I use the appcmd list appool <ApplicationPoolName> /text:* command, it shows me the application pool identity passwords in clear text. I am able to view the passwords in clear text using Get-WMIObject in PowerShell as well. This can be a serious security threat as a user with correct access credentials can easily view the passwords.
The Application Pool in IIS (v7.5) is configured using domain user account/password. In the applicationHost.config file, the password is encrypted using IISWASOnlyAesProvider encryption provider. Still, the password is shown in clear-text when I use any of the above two methods.
Is there any way to encrypt passwords in such a way that they are not shown in clear-text when I use the above two methods?
Unless something has changed, the answer is no. The principal is best stated by Raymond Chen:
'It's like saying that somebody's home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows...)'.
The point in summary, is that anyone that can get to your IIS server or can execute a WMI command remotely against your server, or can execute a powershell command against your server has access.
They are assumed to be admins, and are assumed to be trusted, as occassionally admins would need to pull passwords for recovery purposes, or adding nodes to a shared pool if proper notes or password management wasn't done [mainly needed when doing basic authentication on a domain cluster needing shared passwords].
The passwords are only decrypted if you run appcmd as Administrator. If you run as a normal account, you get back the encrypted string.
This will be something like [enc:IISSomethingProvider:…:enc], just as you find it in applicationHost.config.
I'm running Mercurial's hgwebdir.cgi on WinXP over IIS as a central repo for sharing code with my team. I'd like to use ActiveDirectory to authenticate to the server when pushing/pulling through TortoiseHg and/or the command-line hg client. Has anyone done this or seen instructions on how to do this?
I know this has already got an accepted answer, but I did a four part blog post for set up of Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
Setting up Mercurial's hg web interface on IIS.
Setting up the IIS authentication for Mercurial so that only users authorized by the active directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
Customizing the style/feel of the hg web user interface to your own taste.
Setting up and configuring Mercurial in a Windows/IIS/Active Directory environment (web.archive.org mirror)
hgwebdir.cgi doesn't really authentication, although it can do authorization. You probably want to take care of authentication in the IIS config. (I don't have any experience with IIS, but that's how it works with Apache, at least.)
Authentication is performed by IIS. In IIS Manager, allow Basic Authentication on the directory containing hgwebdir.cgi script. Then edit the Basic Authentication settings and set default domain and realm to your domain name.
In hgweb.config add
allow_push = <username>
replacing <username> with your username(s) for people who will be able to perform push.
This worked for me.
Excuse my necroposting, but I've just released an alpha version of HgLab, which is a Mercurial Server for Windows and it supports Active Directory authentication out of the box.