Suppose there are some web sites that require people to type in a username and/or password to pass through an authentication dialog before they get to the actual contents behind it. When people encounter such web sites in a browser, they can type in their username and/or password to pass through the authentication. However, is it feasible to do this from within Terminal?
The content there is a single zip file, and I was able to download it using curl with the -u option to specify my username. However, it still requires me to type in my password to pass through the authentication, and I would like to know how to go through it automatically using my password, without being prompted for it, since I have to download it every day and want to use a bash script to achieve it.
I use OS X 10.9.2 and would like to access it from within Terminal. I have both my username and password for the authentication, for sure. I would also be interested to know the most secure way possible to pass through the verification.
You should be able to use curl for this, just change the argument you give for -u to include the password:
curl -u username:password http://www.website.com/content/file.zip
Obviously this requires storing your password in plaintext in your script, which is not ideal for security. If you have SSH access to the server in question, you can create a private/public key pair, then use the key to log into the server without a password being required (and download the file using scp), which would be ideal from a security point of view.
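The following is an added example, not part of the answer above. It keeps the password out of the script and off the command line (any argument such as -u username:password is visible to every local user through ps) by giving curl a netrc file that only the owner can read. It assumes curl 7.21.5 or newer, which introduced --netrc-file; the host, login and password are placeholders.

```sh
#!/bin/sh
# Added example (not from the original answer): credentials live in a netrc
# file with mode 0600 instead of in the script or on the curl command line.
# www.website.com, "username" and the password below are placeholders.

# Write a netrc entry for one host.  The subshell keeps the restrictive
# umask from leaking into the rest of the script.
make_netrc() {                      # $1=path $2=machine $3=login $4=password
    ( umask 077
      printf 'machine %s\nlogin %s\npassword %s\n' "$2" "$3" "$4" > "$1" )
    chmod 600 "$1"
}

# Refuse to use a netrc file that other users can read or write.
netrc_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Daily download: curl selects the login/password for the URL's host from the
# netrc file, so the password never appears in the script or in ps output.
download() {                        # $1=netrc file $2=url $3=output file
    netrc_is_private "$1" || { echo "refusing: $1 is readable by others" >&2; return 1; }
    curl --fail --silent --show-error --netrc-file "$1" -o "$3" "$2"
}

# Usage with placeholder values:
# make_netrc "$HOME/.netrc-website" www.website.com username 'p@ssw0rd'
# download "$HOME/.netrc-website" http://www.website.com/content/file.zip file.zip
```

On OS X the password can also be kept in the Keychain and read at run time with `security find-generic-password -a username -s www.website.com -w`, which avoids a password file altogether; either way, never pass it as a literal argument to curl.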
I have the default auth implemented in Laravel 7 and it works like a charm.
However, I have a very peculiar requirement wherein the password shouldn't even travel in plain text, although SSL is implemented on the network.
One way would be to handle it via JavaScript on the login page, wherein I encrypt the value of the password and send it to the server, then decrypt it in PHP before handing it to Laravel's attemptLogin method.
However, I am not so sure about this approach.
Any help would be awesome.
Solution:
On client side, used crypt.js/aes.min.js and encrypted the password using a key and iv.
In login controller, overrode credentials method and decrypted using openssl_decrypt before passing on to hash check.
This is already discussed in this answer:
It is standard practice to send "plaintext" passwords over HTTPS. The passwords are ultimately not plaintext, since the client-server communication is encrypted as per TLS.
And this one:
If you hash on the client side, the hashed password becomes the actual password (with the hashing algorithm being nothing more than a means to convert a user-held mnemonic to the actual password).
This means that you will be storing the full "plain-text" password (the hash) in the database, and you will have lost all benefit of hashing in the first place.
You may also read this answer for more security options.
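The following is an added example, not the question's crypt.js/openssl_decrypt code or the answer's. It re-enacts the "encrypt in the browser with a key and IV, decrypt in the controller" scheme with the openssl command line so the consequence the quoted answers describe can be observed directly: the key and IV have to be shipped in the page, so anyone who can load the login page can decrypt the ciphertext, and the ciphertext itself logs in when replayed. The key, IV, password and the SHA-256 stand-in for Laravel's bcrypt hash check are all constructed for the example, and the openssl CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example, not code from the page.  Constructed key and IV: in the real
# scheme these sit in the login page's JavaScript, so every visitor has them.
KEY=000102030405060708090a0b0c0d0e0f
IV=101112131415161718191a1b1c1d1e1f

# Stand-in for the bcrypt hash Laravel keeps in the users table (constructed).
STORED_HASH=$(printf '%s' 'correct horse battery staple' | openssl dgst -sha256 | sed 's/.*= //')

# What the browser would send instead of the password: AES-128-CBC, base64.
client_encrypt() {
    printf '%s' "$1" | openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -base64 -A
}

# What the overridden credentials() method would do before the hash check.
server_decrypt() {
    printf '%s' "$1" | openssl enc -d -aes-128-cbc -K "$KEY" -iv "$IV" -base64 -A
}

# The login controller: decrypt the request value, then compare its hash with
# the stored one.  Returns 0 on a successful login.
server_login() {                    # $1 = value taken from the login request
    pw=$(server_decrypt "$1") || return 1
    [ "$(printf '%s' "$pw" | openssl dgst -sha256 | sed 's/.*= //')" = "$STORED_HASH" ]
}

# An attacker who captured the request body has two options, neither of which
# needs the password: decrypt it with the key copied from the page...
attacker_decrypt() {                # $1 = captured ciphertext
    server_decrypt "$1"
}

# ...or just resend the captured value; the server accepts it exactly as it
# accepts a genuine login, so the ciphertext has become the credential.
attacker_replay() {                 # $1 = captured ciphertext
    server_login "$1"
}
```

Because the IV is fixed as well, client_encrypt is deterministic: two users with the same password produce the same request value, which an observer of the (TLS-terminated) traffic can notice. None of this weakens TLS; it simply shows that the extra layer adds no protection TLS does not already provide.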
I have a password parameter inside the HTTP Authorization Manager, but I would like to encrypt it first rather than just putting in a plain password.
What would be a solution?
If your aim is to avoid having a plain password in the JMX file, then you can pass it on the command line using:
-Jpassword=mypassword
And in the plan use the __P function:
${__P(password)}
Otherwise, you can use a variable and, in a setUp Thread Group, a Flow Control Action that contains a JSR223 PreProcessor that decrypts the password and creates a property using:
props.put("password", decryptedPassword)
You can then just use the password with:
${__P(password)}
You cannot: JMeter's JMX test scripts are basically XML files, so everyone will be able to guess the password by opening the file in a text editor.
If you put decryption logic somewhere in the test plan, then everyone will be able to call the function and decrypt the password.
I would recommend going for the __env() function (it's part of the Custom JMeter Functions bundle and can be installed using the JMeter Plugins Manager), so the password will be read from an operating system environment variable; this way is more secure and continuous-integration friendly.
I'm not sure if I should be asking this here or on Server Fault; feel free to flag the question and migrate it if necessary.
I have some servers to which I would like to add an extra security layer. Currently we are using key authentication with a passphrase.
We bought some YubiKeys (OTP generators) that I would like to use. I created a system that validates the YubiKey and that the owner of the YubiKey is authorized to log in. In order to use this system I created ~/.ssh/rc, where I ask the user to press the YubiKey and then use a remote server to validate it.
So far so good; it works perfectly when logging in via ssh. Here comes the problem: when I try to scp to a server that has this extra protection, it throws the following error:
/dev/tty: No such device or address
The error is thrown by the line where I ask the user to enter the OTP:
read -sp "Press your Yubikey..." OTP < /dev/tty
This doesn't happen when I ssh from one server to another that has this extra protection.
scp doesn't start an interactive session, so there isn't a terminal to connect to (and so no /dev/tty to read from).
You need to detect that and not try to read from it in that case.
That being said, this is likely the wrong way to have gone about doing this. ssh is most likely configured on your system to use PAM, and there is a PAM module for YubiKey that can be used to make a YubiKey part of the ssh authentication for an account. See https://developers.yubico.com/yubico-pam/ for the basics.
Their configuration uses the YubiKey as the only authentication; you will need to configure PAM slightly differently to make it an additional required piece of login information instead. (Assuming, of course, that you want this to work for the scp case instead of just skipping it for the scp case.)
As pointed out by Etan, you really should just use PAM for this.
Note that you don't have to ask for the user to press the Yubikey either. The pam_yubico.so module will pass through anything you type before the challenge response to the next module in the PAM stack. Look at the try_first_pass flag in pam_unix(8) for instance.
Just type the password, don't press enter, then press the Yubikey.
You can implement your own module to do the database check. Writing PAM modules isn't that hard.
Something like this in /etc/pam.d/sshd:
# auth
auth requisite /usr/local/lib/security/pam_yubico.so id=[yours] key=[yours] authfile=/etc/yubikey_mappings
auth required pam_unix.so no_warn try_first_pass
Try logging in:
% slogin hogfather
YubiKey for `philip': [password][yubikey]
Last login: Thu Mar 5 01:13:55 2015 from twoflower.trouble.is
OK, you want the YubiKey authentication plus an authorization check of whether the user is allowed to log in at this server.
You might want to take a look at privacyIDEA.
This is an OTP authentication backend. You can even initialize your YubiKeys with it if you like. Use pam_radius to forward the auth request to privacyIDEA (no hassle with scp).
privacyIDEA can check the OTP value of the YubiKey AND use policies to check whether the user is allowed to log in on that machine with this token type or token serial number (see readthedocs).
The question kind of says it all.
With Maven 3, is it required to store my username and password in plain text in conf/settings.xml?
I had originally stored them, and have since removed them. Now I can download dependencies, but I'm unsure whether the settings have been cached or not.
I'm not sure if the encryption works for the proxy password as well...Just give it a try.
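The following is an added example, not part of the question or the answer above: the Maven password-encryption setup (available since Maven 2.1.0) that replaces the plain-text server password in settings.xml with a {...} value. The two encrypted values shown are placeholders to be replaced by the output of the two mvn commands given in the comments; the server id and username are assumptions.

```xml
<!-- ~/.m2/settings-security.xml (added example, placeholder value).
     Generate the master password with:
         mvn --encrypt-master-password
     paste the {...} output below, and chmod 600 this file. -->
<settingsSecurity>
  <master>{REPLACE_WITH_OUTPUT_OF_encrypt-master-password}</master>
</settingsSecurity>

<!-- ~/.m2/settings.xml (added example; server id and username are assumptions).
     Encrypt the repository password with:
         mvn --encrypt-password
     and use the {...} output as the <password> value. Maven decrypts it with
     the master password at run time, so the plain text never appears here. -->
<settings>
  <servers>
    <server>
      <id>my-repo</id>
      <username>deployer</username>
      <password>{REPLACE_WITH_OUTPUT_OF_encrypt-password}</password>
    </server>
  </servers>
</settings>
```

Caveat: Maven has to be able to decrypt the value, so anyone who can read both files can recover the password; this is obfuscation against casual exposure (shared settings files, screenshots, backups), not protection against a compromised account. Keep both files mode 0600, and if the master key should not live on the machine, settings-security.xml may contain only a <relocation> element pointing at a copy on removable media.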
Does anyone know how to access the username and password from the Login Config Element in JMeter inside a BeanShell?
I am trying to access the Login Config Element from an HTTP Request also. I need to have the password saved with the dot overlay so that it is secure for my company's use. I want to access them from an HTTP Request so that I don't have to put the username and password in cleartext. Then I want to access it in a BeanShell post script so that I can change the password before the Simple Data Writer writes the HTTP request output to a file.
Thus far I have been unable to find any useful information on how to do this.
I have tried this script so far, which does replace the password written in the Simple Data Listener file, but I still have to put it in clear text and I would prefer to put a variable or use a function to access the variable.
import org.apache.jmeter.protocol.http.sampler.HTTPSampleResult;
// BeanShell PostProcessor: 'prev' is the HTTPSampleResult of the sampler that just ran.
// Replace the literal "password" in the recorded HTTP method string before the listener writes it.
prev.setHTTPMethod(prev.getHTTPMethod().replace("password", "*********"));
Have you checked the JMeter API to see if it lists how the username/password are stored? (It may not.)
If the API can't help you, you may be able to use a Debug Sampler and see if the username/password are stored as variables/properties.
BeanShell samplers can access both variables and properties.