How to set up libzmq plaintext auth - zeromq

I want to setup libzmq plaintext authentication for my pub server. How can I do that??
The official doc is too simple. http://api.zeromq.org/4-1:zmq-plain. I set ZMQ_PLAIN_SERVER = 1, But I don't know how to set username and password to the socket.
In Java, I can use
public ZAuth configurePlain(String domain, String filename)
To specify an auth file, then I put usernames and passwords in it like the following:
username1=password1
username2=password2
...
I found czmq has a similar operation http://czmq.zeromq.org/czmq4-0:zauth which I failed to see
the equivalent in libzmq.

Related

How to connect to Windows domain controller using pysmb as user from different domain?

I am able to connect to a W2019 domain controller using python smb modules on Linux using the following type of code:
from smb.SMBConnection import SMBConnection
conn = SMBConnection('administrator', 'p#ssw0rd', 'anything', 'm1')
conn.connect(ip_address)
However, the following doesn't work:
from smb.SMBConnection import SMBConnection
conn = SMBConnection('mydomain\\administrator', 'p#ssw0rd', 'anything', 'm1')
conn.connect(ip_address)
I want to use this interface to connect to a Windows domain controller as a user from a different domain. How can I do that ?
PS1: 'mydomain' is the domain netbios name
PS2: I have also tried passing the 'domain' argument to the constructor. Apparently it is ignored. Authentication succeeds with any value passed in.

Why does an encoded password not work in Liberty

In trying to get a Liberty container to work I'm encountering the following problem.
For a database connection I have an authData section like this in the server.xml:
<authData id="datasourceAuth" user="test" password="{xor}ABCD"/>
When I try to run the server with the password not encoded the database connection works as expected, but when the password is encoded I get this message: Connection refused (Connection refused). ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499
It looks like the password isn't being decoded when setting up the connection, but I don't understand why or if I am missing something in the configuration.
Encoding of data source passwords is supported in Liberty and ought to be working. I'll provide a more complete example aligning with the style of config you are using, as well as a reference to an official knowledge center doc with its own example
Use the securityUtility to encode the password,
securityUtility encode --encoding=xor test123
output:
{xor}KzosK25tbA==
Configure the value on authData and use the authData on a dataSource,
<authData id="datasourceAuth" user="test" password="{xor}KzosK25tbA=="/>
<dataSource id="testdb" jndiName="jdbc/testdb" containerAuthDataRef="datasourceAuth">
<jdbcDriver libraryRef="db2jcc"/>
<properties.db2.jcc databaseName="TESTDB" serverName="localhost" portNumber="50000"/>
</dataSource>
The authentication data applies when using a resource reference with container authentication.
I'd recommend going back and trying all of the steps again to rule out the possibility of a typo or copy/paste error. If it still doesn't work, then raise a case against OpenLiberty here,
https://github.com/OpenLiberty/open-liberty/issues/new/

Error "SignatureDoesNotMatch". Google Cloud Storage Bucket PUT

I'm loosing my mind.
I'm using Shrine (https://github.com/janko-m/shrine) with Google Cloud Storage (https://github.com/renchap/shrine-google_cloud_storage), but when I start the PUT call I get this:
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.
</Message>
<StringToSign>
PUT
image/jpeg
1518399402
/mybucket.appspot.com/7d5e4aad1e3a737fb8d2c59571fdb980.jpg
</StringToSign>
</Error>
I followed this info (http://shrinerb.com/rdoc/classes/Shrine/Plugins/PresignEndpoint.html) for presign_endpoint, but still nothing:
class FileUploader < Shrine
plugin :presign_endpoint, presign_options: -> (request) do
filename = request.params["filename"]
extension = File.extname(filename)
content_type = Rack::Mime.mime_type(extension)
{
content_type: content_type
}
end
end
I tried with and without this (restarting the Rails server everytime).
Where am I wrong?
I also tried with Postman with a PUT to that URL and withtout any content-type. But still nothing.
I read here: https://github.com/GoogleCloudPlatform/google-cloud-node/issues/1976 and here: https://github.com/GoogleCloudPlatform/google-cloud-node/issues/1695
How can I try without Rails?
Is there a REPL (or similar) to try with my credentials and with a file?
You have several options for just uploading a file to Google Cloud Storage as you can see in the official docs here.
For example if you want to use Ruby Client Library, you can use this code:
# project_id = "Your Google Cloud project ID"
# your-bucket-name = "Your Google Cloud Storage bucket name"
# local_file_path = "Path to local file to upload"
# storage_file_path = "Path to store the file in Google Cloud Storage"
require "google/cloud/storage"
storage = Google::Cloud::Storage.new(project: "your-project_id")
bucket = storage.bucket "your-bucket-name"
file = bucket.create_file "local_file_path", "storage_file_path"
puts "Uploaded #{file.name}"
You will need to:
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the file path of the JSON file that contains your service account key.
as you can see in the Cloud Storage Client Libraries docs here.
However, it looks like the github repo you are using makes use of signed URLs. If you need to create a signed URL you have the instructions here. It exists already the signed_urls method for Ruby in the official repo.
Anyway, the error you were getting is because there was something wrong being made with the signed urls. And precisely there was a commit to the repo you were referencing (https://github.com/renchap/shrine-google_cloud_storage) 7 days ago with the name Fix presigned uploads. It looks like this commit should fix the "PUT" upload (before a "GET" was being signed, therefore it wouldn't work). Still I didn't try it so I don't know if it is actually working.

Inappropriate behaviour of ImapMailReceiver

If the password contains #, ImapMailReceiver failed to return host correctly.
for example:
username: abc#gmail.com
password: abc#123
host: imap.gmail.com
Final URI string
imap://abc#gmail.com:abc#123#imap.gmail.com:993/INBOX
then, ImapMailReceiver identify host as 123#imap.gmail.com
I checked this thread but I use JavaConfig way to create ImapMailReceiver where as the thread is about XML config way.
Any way to walk around of this issue?
Thanks!
UPDATE
Final URI string with encoding
imap://abc%40gmail.com:abc%40123#imap.gmail.com:993/INBOX
in this case, I got AuthenticationException.
May be above information help you to understand the problem.
UPDATE 1
above was an issue from Gmail. One need to enable LESS SECURE APP security option in Gmail to fix Authentication related issue.
RFC 1738 says:
Within the user and password field, any ":", "#", or "/" must be encoded.
I expect you already know how URL encoding works. If you want a refresher, page 18 of the same document is a good place to start.
I encountered the same problem with an Office 365 account, where the user name is like 'your-user#your-company.com' and the host is 'outlook.office365.com'. Without encoding the user name, 'your-company.com' is used as the host, which leads to the following (a bit misleading) error:
javax.mail.AuthenticationFailedException: failed to connect, no password specified?
Activating debugging with mail.debug=true ...
mailProps.put("mail.debug", "true");
receiver.setJavaMailProperties(mailProps);
... gives us the parameters used for the connection to the mail server.
DEBUG IMAPS: protocolConnect returning false, host = your-company.com, user = your-user, password = <null>
To resolve the issue, I used URLEncoder.encode for the username and password, e.g.:
...
new StringBuilder("imaps://")
.append(URLEncoder.encode(mailSettings.getUser(), StandardCharsets.UTF_8.toString()))
.append(":")
.append(URLEncoder.encode(mailSettings.getPassword(), StandardCharsets.UTF_8.toString()))
...

How to specify a user id and password for Visual Studio Code with an authenticating proxy?

How to specify a user id and password for Visual Studio Code with an authenticating proxy?
I've seen the Proxy Server Support on the main VS Code site, but this only mentions two settings ...
"http.proxy": "http://10.203.0.1:5187/"
"http.proxyStrictSSL": false
I've set these, but still no luck, e.g. I can't install extensions ... can't even get a list of them
I suspect it's our proxy, as it needs a user id and password :-(
So how can you set these values?
Set credentials inside the proxy url:
http://username:password#10.203.0.1:5187/
WARNING: Setting your password in plaintext in a file can easily lead to your account being compromised. Further it might violate your companies data security guidelines. https://cwe.mitre.org/data/definitions/256.html
If you don't want to store your credentials in the settings file, fiddler can be used to proxy the call to the proxy. Furthermore, I believe the above only works for proxy servers using basic authentication, the following should work for NTLM.
VSCode Open Settings File:
%APPDATA%\Code\User\settings.json
add the following:
{
"http.proxy": "http://127.0.0.1:8888",
"http.proxyStrictSSL": false
}
Fiddler Confirm fiddler settings:
Fiddler Ensure Fiddler set to automatically authenticate:
VSCode Extensions should now be online:
Update
This is now no longer required following implementation of PR #22369 which was implemented in version 1.15 Proxy server authentication.
In my case I still needed to add:
"http.proxyStrictSSL": false
My favorite response here is David Martin's suggestion of using Fiddler. But in case that is not something you want to undertake, below is how to set your credentials for the proxy.
To specify DOMAIN + username + password: (It will likely not work with a slash, so use %5C in the place of the slash as shown below)
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
"https.proxy": "http://DOMAIN%5Cusername:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
To specify just username + password:
// The proxy setting to use. If not set will be taken from the http_proxy and https_proxy environment variables
"http.proxy": "http://username:password#proxy_name_or_ip:port",
"https.proxy": "http://username:password#proxy_name_or_ip:port",
// Whether the proxy server certificate should be verified against the list of supplied CAs.
"http.proxyStrictSSL": false,
The venerable CNTLM could help you. You give it your credentials, tell it about the upstream proxy, run it on your local machine, then point VS to the proxy at http://localhost:3128.
http://cntlm.sourceforge.net/
It's a handy solution for any application that doesn't support authenticated proxies.
I really like the solution David Martin posted (further below) using Fiddler, however I wanted to figure out how to use http.proxyAuthorization and here is my solution considering you are OK to have credentials saved in base64 encoded format in the settings.json file.
WARNING: Saving credentials in base64 encoded format is certainly better than plain text, however consider base64 encoding as obfuscation not an encryption and the account can still be compromised - use at your own risk. Consider modifying the ACL of the settings file to reduce read access to it.
Step 1: Encode your credentials using the code below:
var s = #"DOMAIN\user:pass";
var bytes = System.Text.Encoding.UTF8.GetBytes(s);
Console.WriteLine(Convert.ToBase64String(bytes));
RE9NQUlOXHVzZXI6cGFzcw==
Step 2: Update VS Code settings by adding http.proxyAuthorization using the base64 encoded value from above:
{
"https.proxy": "https://internal-proxy.corp.net:8080",
"http.proxyAuthorization": "Authorization: Basic RE9NQUlOXHVzZXI6cGFzcw=="
}
Step 3: Secure the settings.json by updating it's ACL
Since you have stored credentials in the file to increase the security you can modify the ACL of the settings file by removing the local administrators group - make sure only you can read this file. I used the following PowerShell script to remove the local admin group for example:
#Requires -Version 5.1
# PowerShell 5.1 min version required for the code below
$settings = "$env:appdata\Code\$env:username\settings.json"
$acl = (Get-Item $settings).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true) # removes the ACL inheritance
$accesToRemove = $acl.Access | ?{ $_.IsInherited -eq $false -and $_.IdentityReference -eq 'BUILTIN\Administrators' }
$acl.RemoveAccessRule($accesToRemove)
Set-Acl -AclObject $acl $settings
Please take ref to this article.
https://taeguk.co.uk/blog/working-in-visual-studio-behind-the-firewall/
Let’s assume my NTLM login is DOMAIN\User Name and my password is P#ssword!
The format for the credentials needs to be DOMAIN\User Name:P#ssword!, but you need to URL Encode the user name and password.
A simple online URL encoded can translate your username and password to: DOMAIN%5CUser%20Name and P%40ssword!.
Piece all this info into a single string like so: http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881
Then add this into your User Settings in File, Preferences against the "http.proxy" value:
// Place your settings in this file to overwrite the default settings
{
"http.proxy": "http://DOMAIN%5CUser%20Name:P%40ssword!#proxy-cluster.fqdn.local:8881"
}
"http.proxy": "http://DOMAIN//USER:PASSWORD#wsg.test.com:8080".
Do not forget to add the port.
Use the below command and replace the username,password and ip address of you proxy:port
PS C:\Users\rathakrishnan> npm config set proxy http://username:password#172.18.10.27:3128
PS C:\Users\rathakrishnan> npm install -g #angular/cli
in Visual Studio Code (my version is 1.32.3) you write a request, i.e.
### my request
GET https://defdomain.prefix.com/app/resource
Authorization: bXl1c2VyOnVzZXIyMkBwYXNzd29yZA==
Wherefore the Authorization header is of type "Basic base64encoded" and consists of
myuser:user22#password (username:usercredentials) base64 encoded. Thats all.

Resources