I am using Chef with kitchen (1.5.0) and vagrant (1.8.1) to manage a user consistently with a new server. My user recipe looks like this:
include_recipe "users"
group 'sudo'
password_secret = Chef::EncryptedDataBagItem.load_secret(node['enterprise_sp']['secret_file'])
jays_password = Chef::EncryptedDataBagItem.load('user_secrets','jgodse', password_secret)['password']
shadow_password = `openssl passwd -1 -salt xyz #{jays_password}`.strip
user 'jgodse' do
action :create
group 'sudo'
system true
shell '/bin/bash'
home '/home/jgodse'
manage_home true
password shadow_password #added to /etc/shadow when chef runs
end
The unencrypted data bag was where I configured my password in the clear. I then encrypted the data bag with a knife command.
This works, but this seems like a really dirty way around the problem of setting my password. I had to do that because the password directive of the user block only takes the shadow password, and that can only be generated by shelling out to an openssl command.
Is there a cleaner way of getting the shadow password without shelling out to an openssl command which generates the password?
You should not be storing the password at all, just hash it beforehand and put the hash in the data bag in the first place. Also using encrypted data bags like this is scary-level unsafe, please take some time to familiarize yourself with the threat model of Chef's encryption tools, this ain't it.
At least pre-calculate the password hash and put that into the data bag.
See https://github.com/chef-cookbooks/users for inspiration.
Related
I need to login into 50 hosts and perform a specific task.
Each host has one of 2 passwords (ex: pass1 and pass2) for a specific user (ex: foo).
I do not know on which host "foo" is set with "pass1" and on which host "foo" is set with "pass2". I have both passwords in a vault file.
Using Ansible, how can I first make a task where I try to login as "foo" with "pass1", then if unsuccessful login with "pass2" and finally setting a fact with the correct vault value (depending on which password worked i.e. "foo" managed to login).
I then want to use that fact to perform additional tasks on that same host.
The developer who created a platform my company uses is no longer working for us and I don't know how I can retrieve the passwords from a custom PHP application
When I look in the PHPmyAdmin the passwords are ecrypted (eg *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19)
How can I change or retrieve these?
If a proper encryption method was used, it's not going to be possible to easily retrieve them.
Just reset them with new passwords.
Edit: The string looks like it is using PASSWORD():
UPDATE user SET password = PASSWORD("newpassword");
How can I decrypt MySQL passwords
You can't really because they are hashed and not encrypted.
Here's the essence of the PASSWORD function that current MySQL uses. You can execute it from the sql terminal:
mysql> SELECT SHA1(UNHEX(SHA1("password")));
+------------------------------------------+
| SHA1(UNHEX(SHA1("password"))) |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)
How can I change or retrieve these?
If you are having trouble logging in on a debian or ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):
$ sudo cat /etc/mysql/debian.conf | grep -i password
...
password: QWERTY12345...
Then, log in with the debian maintenance user:
$ mysql -u debian-sys-maint -p
password:
Finally, change the user's password:
mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;
When I look in the PHPmyAdmin the passwords are encrypted
Related, if you need to dump the user database for the relevant information, try:
mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User | Host | Password |
+------------------+-----------+----------------------+
| root | localhost | *0123456789ABCDEF... |
| root | 127.0.0.1 | *0123456789ABCDEF... |
| root | ::1 | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+
And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.
Needles to say, the folks at mySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).
If you use the PASSWORD and UPDATE commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", its really about how to change a password. (Its befuddling the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is).
Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.
This site https://crackstation.net/ attempts to do this for you - run through passwords lists and tell you the cleartext password based on your hash.
With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" otherwise you probably have an insecure system.
For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.
If they were not salted and hashed, then make sure you do apply this as 'best practice'
just change them to password('yourpassword')
You can't decrypt MySQL passwords, because the are hashed by using MD5 hash algorithm, which is not an encryption algorithm.
Simply best way from linux server
sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'
This way work for any linux server, I had 100% sure on Debian and Ubuntu you win.
I was using the secrets/master.key that was there when the password was encrypted and stored to credentials.xml. But restoring the the same set of credentials.xml and master.key is not working in a new jenkins setup. I even tried to restore secret.key but that too is not working.
I also noticed the ecrypted string in is credentials.xml is also not same for same string.
I am trying to automate the jenkins setup. Is there a way I can get the encrypted password that the jenkins produce from bash?
Jenkins and its plugins usually encrypt strings using the Secret class, which (AFAICT) stores the key under ${JENKINS_HOME}/secrets/hudson.util.Secret.
I don't know of any easy standalone solution, but you can use the Jenkins Script Console (or the groovy CLI command) to attempt to decrypt secret values that you have:
import hudson.util.Secret
Secret a = Secret.fromString('my secret value')
String ciphertext = a.getEncryptedValue()
println ciphertext
// '{AQAAABAAAAAQdIQUuG2AhKoV7mCIcd3PXBdw8ItgchIrvQrQ=}'
// or similar; will change with each new secret object
Secret b = Secret.decrypt(ciphertext)
String plaintext = b.getPlainText()
println plaintext
// 'my secret value'
host=http://$JENKINS_USERNAME:$JENKINS_PASSWORD#localhost:8080
CRUMB=$(curl -s "$host"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
encrypted_passphrase=$(curl -H "$CRUMB" -d "script=println(hudson.util.Secret.fromString('password').getEncryptedValue())" -X POST $host/scriptText)
I've two text files one with list of server name's, another file with their root password (Unique password)
I have to check all server root password by logging to individual servers. but the issue is, by default ssh root login is disabled. Hence i have to login via my normal user(Test) and switch as root and try the root password which is mentioned in the text file.
is there any way i can get this automated ? highly appreciate if anyone can help me out.
Linux passwords are stored in /etc/shadow files.
They're just hashed plain-text, no magic.
Take a look at python's crypt.crypt() function.
# change 'root' password to 'secret' (demo only)
$ echo root:secret | chpasswd
Password for 'root' changed
# get 'root' hashed password
$ grep root /etc/shadow
root:$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0:16673:0:::::
# verify hashed password is correct
$ python -c 'import crypt; print crypt.crypt("secret", "$6$YvK0oNOm$") == "$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0"'
True
You can collect shadow files from all servers, and verify them locally.
WARNING: Shadow files are very sensitive.
This is a simple solution.
input.csv
192.168.1.1,secret,$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.2,pAssWd,$6$AbcdeFgh$1234fsXXXXXXXXXXXsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.3,123456,$6$efsjdsix$8787sdfsdsdfsd232sqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
check.py
import csv, crypt
for i, j, k in csv.reader(open('input.csv')):
if crypt.crypt(j, k) != k:
print i
result
$ python check.py
192.168.1.2
192.168.1.3
This is a long shot, but I'm trying to add an ssh key to a Heroku for its use in connecting to another server through SFTP:
Net::SFTP.start(HOST, USER, password: PASSWORD, keys: ['yada.pem']) do |sftp|
#sftp = sftp
end
My original solution was to push a .ssh directory to the repo and store yada.pem there. keys would include the path to this file.
A safer solution I've been told would be to store the key in an environment variable on Heroku. Problem is, this would store the key as a string, which I couldn't really pass to SFTP.start.
I could solve the problem in a couple ways:
Is there a way to pass the key as a string with Ruby net/sftp?
Is there a way to add a public key to Heroku so that net/sftp would use it when trying to connect to the remote server?
Thanks
You can pass keys as strings in the option hash under the key :key_data (should be an array of strings, each element of which containing a key in PEM format).
Net::SFTP.start(HOST, USER, password: PASSWORD, key_data: ['PEM key as string']) do |sftp|
#sftp = sftp
end
See Net::SSH#start (to which Net::SFTP#start defers).