I need to update an application configuration by inserting bcrypt hash into file config.yml at specific lines.
echo -e "$Enter password for user1"
read -p ": " user1_pass
echo -e "$Enter password for user2"
read -p ": " user2_pass
user1_hash=$(htpasswd -bnBC 10 "" $user1_pass | tr -d ':\n')
user2_hash=$(htpasswd -bnBC 10 "" $user2_pass | tr -d ':\n')
$user1_hash should be placed inline 2 and $user2_hash inline 7.
config.yml
user1:
hash: "$2y$12$shEKzuVfogdZFbbraSqhwOOh96hfxe1NzLQbpmHJvgDUeRfRrkf3a"
reserved: "true"
roles: "user"
user2:
hash: "$2y$12$Fkc5GAp9Za5caIfHjBgNQ.jNEss0SJfCLTlm9EhAcjzPVy.kLriBa"
reserved: "true"
roles: "user"
What is the best approach to do that using bash?
You can edit the file using Ruby :
#!/usr/bin/ruby
require 'yaml'
obj = YAML.load_file('config.yml')
bcrypt_hash='$2y$12$shEKzuVfogdZFbbraSqhwOOh96hfxe1NzLQbpmHJvgDUeRfRrkf3a'
obj['user1']['hash'] = bcrypt_hash
obj['user2']['hash'] = bcrypt_hash
puts YAML.dump(obj)
This will output :
... More yml content
user1:
hash: "$2y$12$shEKzuVfogdZFbbraSqhwOOh96hfxe1NzLQbpmHJvgDUeRfRrkf3a"
user2:
hash: "$2y$12$shEKzuVfogdZFbbraSqhwOOh96hfxe1NzLQbpmHJvgDUeRfRrkf3a"
... More yml content
Hope it helps!
Use the keyword echo to write into the file
echo -e "$Enter password for user1"
read -p ": " user1_pass
echo -e "$Enter password for user2"
read -p ": " user2_pass
user1_hash=$(htpasswd -bnBC 10 "" $user1_pass | tr -d ':\n')
user2_hash=$(htpasswd -bnBC 10 "" $user2_pass | tr -d ':\n')
echo "user1:" > config.yml
echo " hash: " + $user1_hash >> config.yml
echo "user2:" >> config.yml
echo " hash: " + $user2_hash >> config.yml
the contents of config.yml file being
user1:
hash: + $2y$10$7S0fC4wTqAfm9ytJ5BquC.3KITsqLoqPXHyj3mzgXdvw10TRIybni
user2:
hash: + $2y$10$jcYMrOsdIzwR3AlSONNfCuc.B5AoGVV4i31KSsx0PLlpn17issJfe
Related
I put the following to after.sh to autoconfigure the Xdebug form project:
#!/bin/sh
echo "Configuring Xdebug"
ip=$(netstat -rn | grep "^0.0.0.0 " | cut -d " " -f10)
xdebug_config="/etc/php/$(php -v | head -n 1 | awk '{print $2}'|cut -c 1-3)/mods-available/xdebug.ini"
echo "IP for the xdebug to connect back: ${ip}"
echo "Xdebug Configuration path: ${xdebug_config}"
echo "Port for the Xdebug to connect back: ${XDEBUG_PORT}"
echo "Optimize for ${IDE} ide"
if [ $IDE=='atom' ]; then
echo "Configuring xdebug for ATOM ide"
if [ -z ${xdebug_config} ]; then
sudo touch ${xdebug_config}
fi
sudo cat <<EOL >${xdebug_config}
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_host=${ip}
xdebug.remote_port = ${XDEBUG_PORT}
xdebug.max_nesting_level = 1000
xdebug.remote_handler=dbgp
xdebug.remote_mode=req
xdebug.remote_autostart=true
xdebug.remote_log=xdebug.log
EOL
fi
Also I have the following settings to Homestead.yaml:
ip: 192.168.10.10
memory: 2048
cpus: 1
provider: virtualbox
authorize: ~/.ssh/id_rsa.pub
timeout: 120
keys:
- ~/.ssh/id_rsa
folders:
-
map: /home/pcmagas/Kwdikas/php/apps/ellakcy_member_app/
to: /home/vagrant/code
sites:
-
map: homestead.test
to: /home/vagrant/code/web
type: symfony
databases:
- homestead
- homestead-test
variables:
- key: database_host
value: 127.0.0.1
- key: database_port
value: 3306
- key: database_name
value: homestead
- key: database_user
value: homestead
- key: database_password
value: secret
- key: smtp_host
value: localhost
- key: smtp_port
value: 1025
- key: smtp_user
value: no-reply#example.com
- key: IDE
value: atom
- key: XDEBUG_PORT
value: 9091
name: ellakcy-member-app
hostname: ellakcy-member-app
But for some reason it cannot read the values from enviromental variables defined in Homestead.yml as seen in the following output:
ellakcy-member-app: IP for the xdebug to connect back: 10.0.2.2
ellakcy-member-app: Xdebug Configuration path: /etc/php/7.2/mods-available/xdebug.ini
ellakcy-member-app: Port for the Xdebug to connect back:
ellakcy-member-app: Optimize for ide
ellakcy-member-app: Configuring xdebug for ATOM ide
As you can see it fails to read values from the IDE and XDEBUG_PORT do you knwo why and how I can fix that?
You can put a parse_yaml.sh:
#!/bin/sh
parse_yaml() {
local prefix=$2
local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs=$(echo #|tr # '\034')
sed -ne "s|^\($s\)\($w\)$s:$s\"\(.*\)\"$s\$|\1$fs\2$fs\3|p" \
-e "s|^\($s\)\($w\)$s:$s\(.*\)$s\$|\1$fs\2$fs\3|p" $1 |
awk -F$fs '{
indent = length($1)/2;
vname[indent] = $2;
for (i in vname) {if (i > indent) {delete vname[i]}}
if (length($3) > 0) {
vn=""; for (i=0; i<indent; i++) {vn=(vn)(vname[i])("_")}
printf("%s%s%s=\"%s\"\n", "'$prefix'",vn, $2, $3);
}
}'
}
And into after.sh
#!/bin/sh
# include parse_yaml function
. parse_yaml.sh
# read yaml file
eval $(parse_yaml zconfig.yml "config_")
# access yaml content
echo $config_development_database
thanks -> https://gist.github.com/pkuczynski/8665367
In my case I tried the approach of having a file named xdebug.conf where I place anything that the default xdebug.conf needs to get rewritten:
zend_extension = xdebug.so
xdebug.remote_enable = 1
xdebug.remote_host = $ip
xdebug.remote_port = 9091
xdebug.max_nesting_level = 1000
xdebug.remote_handler=dbgp
xdebug.remote_mode=req
xdebug.remote_autostart=true
xdebug.remote_log=xdebug.log
The $ip indicates the auto-replaced value with the correct ip in order for the xdebug to get connected into. The script that actually updates the xdebug configuration with the appropriate values is this one in my after.sh
#!/bin/sh
code_path="/home/vagrant/code"
cd $code_path
# Some other bootstrapping
echo "Configuring Xdebug"
ip=$(netstat -rn | grep "^0.0.0.0 " | cut -d " " -f10)
xdebug_config="/etc/php/$(php -v | head -n 1 | awk '{print $2}'|cut -c 1-3)/mods-available/xdebug.ini"
echo "Xdebug config file ${xdebug_config}"
if [ -f "${code_path}/xdebug.conf" ]; then
echo "Specifying the ip with ${ip}"
sed "s/\$ip/${ip}/g" xdebug.conf > xdebug.conf.tmp
echo "Moving Into ${xdebug_config}"
cat xdebug.conf.tmp
sudo cp ./xdebug.conf.tmp ${xdebug_config}
else
echo "File not found"
fi
The last step is to .gitignore any xdebug.conf* file. So now the developer has to create his own xdebug.conf.
I would like to execute:
echo aA1.-_#*~^%\':\;?!#=/ | passwd --stdin user
It can be logged in with "aA1.-_#*~^%':;?!#=/".
I tried
str = "aA1.-_#*~^%':;?!#=/"
password = str.gsub("'", "\\\\'").gsub(";", "\\;")
passwd_command = "echo" +
" #{password}" +
" | passwd" +
" --stdin user"
but the result was:
echo aA1.-_#*~^%\\':\\;?!#=/ | passwd --stdin aaa
I executed it:
[root#localhost ~]# echo aA1.-_#*~^%\\':\\;?!#=/ | passwd --stdin aaa
>
The command has not finished. Do you have any suggestions?
I suggest Shellwords#escape because this is its purpose.
require 'shellwords'
Shellwords.escape("aA1.-_#*~^%':;?!#=/")
#=> "aA1.-_\\#\\*\\~\\^\\%\\':\\;\\?\\!#\\=/"
I don't know shellwords, but aren't the default Ruby methods sufficient? Like %q and %x?
See for example: https://simpleror.wordpress.com/2009/03/15/q-q-w-w-x-r-s/
Code typically speaks better than thousand bytes. So did this demo code that does not obey my logic. Typically I trust compilers and programs, so I think I have a typo or something somewhere.
Please, could you point it out to me?
copy & paste code below into mydemo.sh file, and run it using command sh ./mydemo.sh
in my ref system this prints out:
mytux:~# ./mydemo.sh
This should spit out:
{USER1NAME} {Firstname Surname} {user1name}
{USER2NAME} {Secondname Surname} {user2name}
{USER3NAME} {Thirdname Surname} {user3name}
---- but it spits out:
{USER1NAME} {somestring: user1name}, {user1name}
{USER2NAME} {somestring: user2name}, {user2name}
{USER3NAME} {somestring: user3name}, {user3name}
----
Why so and how to fix it?
and here's the code:
#!/bin/sh
echo "# Firstname Surname, Company">usernames.txt
echo "somestring: user1name">>usernames.txt
echo "# Secondname Surname, Company">>usernames.txt
echo "somestring: user2name">>usernames.txt
echo "# Thirdname Surname, Company">>usernames.txt
echo "somestring: user3name">>usernames.txt
echo "This should spit out:"
echo "{USER1NAME} {Firstname Surname}, {user1name}"
echo "{USER2NAME} {Secondname Surname}, {user2name}"
echo "{USER3NAME} {Thirdname Surname}, {user3name}"
echo "---- but it spits out:"
echo "{USER1NAME} {somestring: user1name}, {user1name}"
echo "{USER2NAME} {somestring: user2name}, {user2name}"
echo "{USER3NAME} {somestring: user3name}, {user3name}"
echo "---- See:"
cat usernames.txt|awk \
'BEGIN { $mylink="";} \
{ \
if(match($0,"^#")!=0) \
{ \
split($0, a, ","); \
$mylink=$a[1]; \
} \
else \
{ \
if(length($mylink)>0) \
{ \
print "{" toupper($2) "} {" $mylink "}, {" $2 "}"; \
} \
$mylink=""; \
} \
}'
echo "----"
echo "Why so and how to fix it?"
Is this what you're trying to achieve? It would be easier to post the input text as is.
$ awk -F"[, ]" -v OFS="}, {" '
/^#/{n=$2" "$3;next}
{print "{" toupper($2), n, $2"}"}
' usernames.txt
{USER1NAME}, {Firstname Surname}, {user1name}
{USER2NAME}, {Secondname Surname}, {user2name}
{USER3NAME}, {Thirdname Surname}, {user3name}
i tried to setup squid3 with multiple auth_param. Basically, the first choice should be basic_ldap_auth and if this doesnt return OK it should try basic_ncsa_auth with the same values. As far as i know squid doesnt support it however there is the possibility to use "external" ACL
auth_param basic program /usr/lib/squid3/basic_fake_auth
external_acl_type MultAuth %SRC %LOGIN %{Proxy-Authorization} /etc/squid3/multAuth.pl
acl extAuth external MultAuth
my "multAuth.pl"
use URI::Escape;
use MIME::Base64;
$|=1;
while (<>) {
($ip,$user,$auth) = split();
# Retrieve the password from the authentication header
$auth = uri_unescape($auth);
($type,$authData) = split(/ /, $auth);
$authString = decode_base64($authData);
($username,$password) = split(/:/, $authString);
# do the authentication and pass results back to Squid.
$ldap = `/bin/bash auth/ldap.sh`;
if ($ldap == "OK") {
print "OK";
}
$ncsa = `/bin/bash auth/ncsa.sh`;
if ($ncsa == "OK") {
print "OK";
} else {
print "ERR";
}
}
now i am trying to run with ncsa.sh and ldap.sh the "normal" shell command for these auth methods.
./basic_ldap_auth -R -b "dc=domain,dc=de" -D "CN=Administrator,CN=Users,DC=domain,DC=de" -w "password" -f sAMAccountName=%s -h domain.de
user password
and
./basic_ncsa_auth /etc/squid3/users
user password
Therefor i ran:
auth/ncsa.sh
#!/usr/bin/expect
eval spawn [lrange $argv 0 end]
expect ""
send [lindex $argv 1]
send '\r'
expect {
"OK" {
echo OK
exp_continue
}
"ERR" {
echo ERR
exp_continue
}
interact
with
./ncsa.sh "/usr/lib/squid3/basic_ncsa_auth /etc/squid3/users" "user password"
and i generate the following error:
couldn't execute "/usr/lib/squid3/basic_ncsa_auth /etc/squid3/users": no such file or directory
while executing
"spawn {/usr/lib/squid3/basic_ncsa_auth /etc/squid3/users} {user password}"
("eval" body line 1)
invoked from within
"eval spawn [lrange $argv 0 end]"
(file "./ncsa.sh" line 2)
Besides this error, i am not sure how to pass the variables (username & password) forward and i am also not sure how to answer the shell questions like for example the user & pw input for basic_ldap_auth .
Is there a nice way how to solve that? or any other good plan ?
thanks!
FWIW, the following script helped me transition from passwd based to LDAP based authentication.
Contrary to your requirements, my script acts the other way around: It first checks passwd, then LDAP.
#!/usr/bin/env bash
# multiple Squid basic auth checks
# originally posted here: https://github.com/HackerHarry/mSquidAuth
#
# credits
# https://stackoverflow.com/questions/24147067/verify-user-and-password-against-a-file-created-by-htpasswd/40131483
# https://stackoverflow.com/questions/38710483/how-to-stop-ldapsearch1-from-base64-encoding-userpassword-and-other-attributes
#
# requires ldap-utils, openssl and perl
# tested with Squid 4 using a "auth_param basic program /usr/lib/squid/mSquidAuth.sh" line
# authenticate first against squid password file
# if this fails, try LDAP (Active Directory) and also check group membership
# variables
# sLOGFILE=/var/log/squid/mSquidAuth.log
sPWDFILE="/etc/squid/passwd"
sLDAPHOST="ldaps://dc.domain.local:636"
sBASE="DC=domain,DC=local"
sLDS_OPTIONS="-o ldif-wrap=no -o nettimeout=7 -LLL -P3 -x "
sBINDDN="CN=LDAP-read-user,OU=Users,DC=domain,DC=local"
sBINDPW="read-user-password"
sGROUP="Proxy-Users"
# functions
function _grantAccess {
# echo "access granted - $sUSER" >>$sLOGFILE
echo "OK"
}
function _denyAccess {
# echo "access denied - $sUSER" >>$sLOGFILE
echo "ERR"
}
function _setUserAndPass {
local sAuth="$1"
local sOldIFS=$IFS
IFS=' '
set -- $sAuth
IFS=$sOldIFS
# set it globally
sUSER="$1"
sPASS="$2"
}
# loop
while (true); do
read -r sAUTH
sUSER=""
sPASS=""
sSALT=""
sUSERENTRY=""
sHASHEDPW=""
sUSERDN=""
iDNCOUNT=0
if [ -z "$sAUTH" ]; then
# echo "exiting" >>$sLOGFILE
exit 0
fi
_setUserAndPass "$sAUTH"
sUSERENTRY=$(grep -E "^${sUSER}:" "$sPWDFILE")
if [ -n "$sUSERENTRY" ]; then
sSALT=$(echo "$sUSERENTRY" | cut -d$ -f3)
if [ -n "$sSALT" ]; then
sHASHEDPW=$(openssl passwd -apr1 -salt "$sSALT" "$sPASS")
if [ "$sUSERENTRY" = "${sUSER}:${sHASHEDPW}" ]; then
_grantAccess
continue
fi
fi
fi
# LDAP is next
iDNCOUNT=$(ldapsearch $sLDS_OPTIONS -H "$sLDAPHOST" -D "$sBINDDN" -w "$sBINDPW" -b "$sBASE" "(|(sAMAccountName=${sUSER})(userPrincipalName=${sUSER}))" dn 2>/dev/null | grep -cE 'dn::? ')
if [ $iDNCOUNT != 1 ]; then
# user needs a unique account
_denyAccess
continue
fi
# get user's DN
# we need the extra grep in case we get lines back starting with "# refldap" :/
sUSERDN=$(ldapsearch $sLDS_OPTIONS -H "$sLDAPHOST" -D "$sBINDDN" -w "$sBINDPW" -b "$sBASE" "(|(sAMAccountName=${sUSER})(userPrincipalName=${sUSER}))" dn 2>/dev/null | perl -MMIME::Base64 -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode_base64($1)/eg;print' | grep -E 'dn::? ' | sed -r 's/dn::? //')
# try and bind using that DN to check password validity
# also test if that user is member of a particular group
# backslash in DN needs special treatment
if ldapsearch $sLDS_OPTIONS -H "$sLDAPHOST" -D "$sUSERDN" -w "$sPASS" -b "$sBASE" "name=${sGROUP}" member 2>/dev/null | perl -MMIME::Base64 -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode_base64($1)/eg;print' | grep -q "${sUSERDN/\\/\\\\}"; then
_grantAccess
continue
fi
_denyAccess
done
I need to execute a Bash command in a Ruby script. There are about 6 ways to do this according to "6 Ways to Run Shell Commands in Ruby" by Nate Murray and a few other googled sources.
print "enter myid: "
myID = gets
myID = myID.downcase
myID = myID.chomp
print "enter host: "
host = gets
host = host.downcase
host = host.chomp
print "winexe to host: ",host,"\n"
command = "winexe -U domain\\\\",ID," //",host," \"cmd\""
exec command
For what it's worth you can actually chain those methods, and puts will print a newline for you, so this could just be:
print "enter myid: "
myID = STDIN.gets.downcase.chomp
print "enter host: "
host = STDIN.gets.downcase.chomp
puts "winexe to host: #{host}"
command = "winexe -U dmn1\\\\#{myID} //#{host} \"cmd\""
exec command
It looks like there may have been trouble with how you were putting your command string together.
Also, I had to refer to STDIN directly.
# Minimal changes to get it working:
print "enter myid: "
myID = STDIN.gets
myID = myID.downcase
myID = myID.chomp
print "enter host: "
host = STDIN.gets
host = host.downcase
host = host.chomp
print "winexe to host: ",host,"\n"
command = "echo winexe -U dmn1\\\\#{myID} //#{host} \"cmd\""
exec command
Compact version:
print "enter myid: "
myID = STDIN.gets.downcase.chomp
print "enter host: "
host = STDIN.gets.downcase.chomp
puts "winexe to host: #{host}"
exec "echo winexe -U dmn1\\\\#{myID} //#{host} \"cmd\""
Last two lines with printf style:
puts "winexe to host: %s" % host
exec "echo winexe -U dmn1\\\\%s //%s \"cmd\"" % [myID, host]
Last two lines with plus string concatenation:
puts "winexe to host: " + host
exec "echo winexe -U dmn1\\\\" + myID + " //" + host + " \"cmd\""
Last two lines with C++ style append:
puts "winexe to host: " << host
exec "echo winexe -U dmn1\\\\" << myID << " //" << host << " \"cmd\""