I am trying to automate setting up of a Keycloak server for an application. Part of that is to set up a Keycloak client using the admin CLI:
kcadm.sh create clients -r MyRealm -s clientId=my-client -s enabled=true
That seems to work; I can see the client is present using the admin console. However, if I try to use that client with the Java client (creating a Keycloak object) even a read-only operation fails due to HTTP 401 Unauthorized. What am I doing wrong?
After much experimenting, I discovered the cause of the problem. If you create a client using the UI, the UI sets the client to be public client with direct access grants enabled by default. The admin CLI however does not, and that results in access through the Java client being denied. You must instead explicitly set those when you create the client using the admin CLI:
kcadm.sh create clients -r MyRealm -s clientId=mc-client -s enabled=true -s directAccessGrantsEnabled=true -s publicClient=true
Related
We are configuring spring cloud config server and below is how my application properties look:
server.port=8080
spring.cloud.config.server.git.uri=https://github.com/myorganization/config-store.git
spring.cloud.config.server.git.searchPaths={application}
spring.cloud.config.server.git.clone-on-start=true
spring.cloud.config.server.git.skipSslValidation=true
spring.cloud.config.server.git.ignore-local-ssh-settings=true
spring.cloud.config.server.git.username=MyUser
spring.cloud.config.server.git.password=MyPassword
spring.cloud.config.server.git.default-label=develop
spring.application.name=config-server
spring.security.user.name=root
spring.security.user.password=password
I am able to login to the github url i.e. https://github.com/myorganization/config-store.git using the username MyUser and password MyPassword as per above properties but when i am trying to start my config server using: ./mvnw spring-boot:run i am getting the below error:
Caused by: org.eclipse.jgit.errors.TransportException: https://github.com/myorganization/config-store.git: not authorized
i have tried out many things but running out of any ideas now, would appreciate any help in advance.
The use of username and password to do git operations on GitHub is deprecated and it no longer works, as described here.
You should generate a Personal Access Token, follow the official documentation to do it. Then you can add the token to the spring configuration as it was you password:
spring.cloud.config.server.git.username=<yourusername>
spring.cloud.config.server.git.password=<yourtoken>
Beginning August 13, 2021, we will no longer accept account passwords when authenticating Git operations on GitHub.com.
From : https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Thx to: https://stackoverflow.com/a/70443213/592355
For Github Enterprise Server, our options (also) are limited, but considered secure & well documented:
Authenticating with the API
You can authenticate with the API in different ways.
...
Personal access tokens (-> 1. https://stackoverflow.com/a/69663073/592355, 2. https://stackoverflow.com/a/70580891/592355 ?)
OAuth Apps...
GitHub Apps...
Authenticating with the command line
...
HTTPS ...
SSH ...
When SSH, for the spring-cloud-end:
Use "local ssh environment" or see: https://docs.spring.io/spring-cloud-config/docs/current/reference/html/#_git_ssh_configuration_using_properties
I have a spring boot application deployed on pivotal cloud foundry.
I'm trying to tunnel (cf ssh) to that application in pcf from my spring boot application, but not able to find any api or client libraries to achieve it.
Actual cli command to tunnel pcf:
cf ssh -N -T -L 10001:localhost:10001 ms name
Any suggestions are welcome.
If you're trying to write Java code that would do the same thing as the cf ssh command, that should be possible. It's standard SSH, but with short-lived credentials so the trick will be generating credentials that you can use from your app.
Here's an example of using a standard SSH/SCP/SFTP client, note that ssh.bosh-lite.com will be your SSH domain, which you can see from cf curl /v2/info:
$ ssh -p 2222 cf:$(cf app app-name --guid)/0#ssh.bosh-lite.com
$ scp -P 2222 -oUser=cf:$(cf app app-name --guid)/0 my-local-file.json ssh.bosh-lite.com:my-remote-file.json
$ sftp -P 2222 cf:$(cf app app-name --guid)/0#ssh.bosh-lite.com
https://github.com/cloudfoundry/diego-ssh#cloud-foundry-via-cloud-controller-and-uaa
That said, you should be able to do something similar with any standard SSH Java library.
As mentioned above, the trick is in getting credentials. The username will be the format cf:application-guid/app-instance-number, which is easy, but the password needs to be generated with cf ssh-code, or the comparable call to the UAA API.
Ex: curl -vv -H 'Accept: application/json' -H "Authorization: $(cf oauth-token)" "https://uaa.run.pivotal.io/oauth/authorize?client_id=ssh-proxy&response_type=code"
This example uses curl to send the request and cf oauth-token to get a valid Oauth2 bearer token for the logged in user. You could get a valid bearer token in a number of ways, including making direct API calls or using the cf-java-client. It just needs to be a valid token for the user that should perform the SSH action (i.e. it would be the user that's running cf ssh).
Hope that helps!
I'm having an issue with the Shield plugin for Elasticsearch. I have installed elasticsearch so that it runs as a service, and I can see that it is running on port 9200.
If I enter curl http://localhost:9200 in my Mac terminal I get the correct elasticsearch output...
Recently I have been trying to upgrade from basic authentication to shield authentication. I installed shield and license using the following commands:
/usr/share/elasticsearch/bin/plugin install license/latest
/usr/share/elasticsearch/bin/plugin install shield/latest
This successfull installs shield and license plugins. They are contained within my /usr/share/elasticsearch/plugins directory on my Vagrant box.
So, now if I try to use curl -XGET http://localhost:9200 again, I get the following response:
{"error":{"root_cause":[{"type":"security_exception","reason":"missing
authentication token for REST request
[/]","header":{"WWW-Authenticate":"Basic
realm=\"shield\""}}],"type":"security_exception","reason":"missing
authentication token for REST request
[/]","header":{"WWW-Authenticate":"Basic
realm=\"shield\""}},"status":401}
This is good. I can not reach elasticsearch without proper authentication. So now I want to create a user to authenticate to elasticsearch. I use the command:
sudo ./esusers useradd testuser -p password -r admin
This creates a user 'testuser' with password 'password' with admin privileges.
I can verify that this user has been created using the following command:
sudo ./esusers list
This returns:
testuser : admin
So I now try to run the curl command again with this user:
curl -u testuser:password -XGET http://localhost:9200
But I get the same error message as before when I tried without the admin user.
What is the issue here? Why is my admin user not authenticating?
You said that your verified the user is created using sudo ./esusers list but still the curl command fails. Chances are that you are using custom directory for elasticsearch even though the home dir is /usr/share/elasticsearch. And due to this, the esusers creates the users in /etc/elasticsearch/shield/ directory but they need to be copied to the custom dir, in case you are using one.
I know you've solved this differently but I'm answering this in the hope that it helps someone else in future. Can you confirm regarding the custom dir? For e.g in my case, the custom dir was /data/elasticsearch and the home dir was /usr/share/elasticsearch
I am using Hydra v8.1 downloaded and compiled from a tar file. I've managed to solve the standard problem of libssh support and now when I try to make an attack(I think it's called dictionary attack) on an SSH server, after specifying the following command:
hydra -l {username} -s {port} -P /Users/{UserName}/Desktop/{file}.txt {ip} ssh
I get the following output:
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2015-09-30 10:59:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 7 tasks per 1 server, overall 64 tasks, 7 login tries (l:1/p:7), ~0 tries per task
[DATA] attacking service ssh on port {port}
[ERROR] target ssh://{ip}:{port}/ does not support password authentication
I have enabled support for the required libraries and I am running an OS X environment.
Can someone indicate a solution to this problem? Thank you.
Note: If I manually log in with the username and password, the authentication grants access to the server.
from another board:
https://security.stackexchange.com/questions/183848/hydra-fails-with-error-target-ssh-192-168-16-12822-does-not-support-passw
SSH supports several different authentication mechanisms. The password authentication mechanism has the client send the password to the server as a password. The more-common keyboard-interactive authentication mechanism opens a channel between the client and an authentication process on the server. The client allows the user to directly interact with the authentication process, which is usually just a password prompt. This allows more complex features like multiple-factor authentication and pre-authentication warnings and checks.
So your target probably supports keyboard-interactive and not password authentication.
I am having a problem with my server and so far couldn't find any solution for this. When I try to add a server from a server manager (windows server 2012) I can see only the kerberos security error. Both servers are in the same domain(i have tried from several servers from domain and got the same error).
The strange thing is when I unjoin the problematic server from domain and rejoin it with another name it works normally. But the problem is to make it work with existing name. Anyhelp will be highly appreciated
thanks in advance.
Late reply, but I've just encountered the same error and hope this solution proves useful to others.
Situation: I had to wipe and reinstall a virtual server on which I'd previously had to set some Service Principal Names, and some SPNs for a service account. Turns out the SPNs were still there for the old server/account and I had to remove them.
I recommend checking for and removing rogue SPNs to resolve this. Use the following commands in an elevated command prompt:
setspn -l <servername/username>
In my case I had problems with MBAM, the Bitlocker admin tool, so for example I used:
setspn -l mbam01
Which gave me the output (changed names to protect the innocent):
Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
termserv/mbam01.corp.domainname.com
termserv/mbam01
http/mbam01.corp.domainname.com
http/mbam01
HOST/MBAM01
HOST/mbam01.corp.domainname.com
This will list the SPNs associated with the server or user account. Then you remove the errant SPNs with this command:
setspn -d <listed service> <servername/username>
In my case it turned out the mbamapppool user had http/mbam01 and http/mbam01.corp.domainname.com associated with it, causing Server Manager to fail to poll the server. I removed the http/ refs from the user and then added them to the server with the following commands:
setspn -d http/mbam01 corp\mbamapppooluser
setspn -d http/mbam.corp.domainname.com corp\mbamapppooluser
setspn -s http/mbam01 mbam01
setspn -s http/mbam01.corp.domainname.com mbam01
I then refreshed Server Manager and it polled the server successfully, and the Kerberos Security Error had gone.