I'm using the "mavenDeployer" to use ssh/scp during "uploadArchives" task,
with the wagon ssh utilities.
Rather than code a password into the build.gradle, I'd like to rely on proper ssh setup. Specifically, I want to have the user specify their private key, and have that private key loaded in their environment (ssh-agent, ssh-add, etc). The maven repo has a shared userid,
and all real users have their .pub key properly added to the "authorized_keys" file
of shared userid.
Although maven/ant seem to have a "privateKey" attribute, and the Gradle DSL
accepts it, it doesn't seem to have any effect when I set it:
mavenDeployer {
configuration = pr.configurations.publishJars
String keyFile = System.properties["user.mavenKey"]
repository(url: "scp://maven.company.com/path/to/maven") {
logger.info("Using SSH key: ${keyFile}")
authentication(userName: "maven", privateKey: keyFile)
}
If I code in the actual password as per the example in gradle documentation,
it does work, so I know that things are working. Also, changing privateKey
to privatekey (all lower case) causes a property error, so I know the
property exists and is recognized at some level.
And I know the ssh key itself is working:
% ssh -i ~/.ssh/mavenKey maven#maven.company.com ls /
[ no errors, output trimmed ]
But when I run it, I get prompted for shared userid's password:
% gradle uploadArchives
[... stuff ...]
Using SSH key: /homes/klash/.ssh/mavenKey
Password for maven#evomaven.englab.juniper.net:
As you can see, it is NOT prompting for passphrase for the key.
Make sure that your private key doesn't require a pass phrase.
Can you access the remote from command line using ssh maven#evomaven.englab.juniper.net without being prompted for password?
If not use ssh-copy-id to send your public key to the server.
Related
Recently I was able to run my app with ibmcom/mq:9.1.3.0-r3 and following Dockerfile definition:
FROM ibmcom/mq:9.1.3.0-r3
ENV LICENSE accept
ENV MQ_QMGR_NAME QM_MY_APP
USER root
RUN usermod -a -G mqm admin
RUN usermod -a -G mqm root
RUN useradd -g mqm my_user_id
ADD QueueManager /etc/mqm/myapp.mqsc
USER mqm
But now ibmcom/mq:9.1.3.0-r3 is not available on Dockerhub. When I pull and run other available docker versions (like 9.2.0.0-r1 and up) it throws following error because of commands in Dockerfile:
useradd: group 'mqm' does not exist
I read the MQ Custom Docker Image - MQM Group Not Found, where the user "chughts" suggests to "use htpasswd with bcrypt to create the users."
Does anyone knows, how to use htpasswd to create the users in mq?
Thanks a lot for Your support in advance!
EDIT: I need to create an user via htpasswr for debug and local tests only. In production envirounment the qm's default user settings is used.
The developer configuration of the container, does it using go modules.
https://github.com/ibm-messaging/mq-container/blob/master/cmd/runmqdevserver/main.go
It looks up the password from the environment setting, then runs
appPassword, set := os.LookupEnv("MQ_APP_PASSWORD")
if set {
err = htpasswd.SetPassword("app", appPassword, false)
if err != nil {
logTerminationf("Error setting app password: %v", err)
return err
}
}
The package htpasswd is in https://github.com/ibm-messaging/mq-container/blob/master/internal/htpasswd/htpasswd.go
which has a SetPassword function
// SetPassword sets encrypted password for the user into htpasswd file
func SetPassword(user string, password string, isTest bool) error {
...
which right at the end saves the encrypted password
// Update the password file
return passwords.updateHtPasswordFile(isTest)
which does
func (htpfile mapHtPasswd) updateHtPasswordFile(isTest bool) error {
file := "/etc/mqm/mq.htpasswd"
if isTest {
file = "my.htpasswd"
}
return ioutil.WriteFile(file, htpfile.GetBytes(), 0660)
}
This go code gets executed when building the developer image. I need to verify if this code stays on the machine, but you should be able to crib from the repo, to create your own go code that
invokes htpasswd.SetPassword, passing in your own user / password combinations.
Update: Looks like the go runtime as well as the code is removed from
the image, so you have options, but the easiest might be to clone the
repo, and build your own custom developer image version, with the
extra users.
Instructions for building a custom developer image can be found here - https://github.com/ibm-messaging/mq-container/blob/master/docs/building.md
Locally, we use a private source URL for our poetry configurations, and the credentials will be found in our pip.ini. However, in our CI/CD pipeline we obtain a secret which changes the PIP_EXTRA_INDEX_URL. This is not enough, because we need to change the pyproject.toml (see below) with this URL.
[[tool.poetry.source]]
name = "private"
url = "https://someplace.pkgs.visualstudio.com/_packaging/somewhere/pypi/simple/"
secondary = true
This is not changed with poetry config repositories.private "$PIP_EXTRA_INDEX_URL". How should we change this then?
You can just the link without the credentials and specify the login like this:
poetry config repositories.someplace https://someplace.pkgs.visualstudio.com/_packaging/somewhere/pypi/
poetry config http-basic.someplace someuser $(personal-access-token)
Problem
I am using Gradle and have my repository configurations, which require credentials. When I hardcode the username and password, everything works. When I try to store those same credentials in gradle.properties it doesn't.
Background
The repository declarations in my build.gradle file essentially looks like this:
repositories {
maven {
url 'https://artifactory.example.com/libs/'
credentials {
username "myUsername"
password "myPassword"
}
}
}
Everything works great and I can connect to my repository.
What isn't working
As you can see above, the username and password is hardcoded. I want to make it configurable, so I follow the advice in this question add the following properties to gradle.properties.
storedUsername = "myUsername"
storedPassword = "myPassword"
I then modify the build.gradle file to refer to those properties:
repositories {
maven {
url 'https://artifactory.example.com/libs/'
credentials {
username project.storedUsername
password project.storedPassword
}
}
}
However, I am suddenly unable to connect to my repository. When I check my server (Artifactory) logs, I am told that access was denied to a user without a name.
Both files are in the root directory as siblings. I've added println "Username: ${project.repoUsername}" to the repositories{} block, as well as both the configurations {} and dependencies{} blocks. They all correctly return the values they should.
I suspect this may be a scoping issue, but I can't figure out where it is. What can I do to have both repositories in an external file and credentials in gradle.properties?
The configuration is correct, but the issue is with gradle.properties. It is currently configured this way:
storedUsername = "myUsername"
storedPassword = "myPassword"
The issue is with the quotes. You don't have to surround the values on the right side of the equal signs as a string, so the quotes are treated as literals. In other words, the username you are sending to the server isn't myUsername but instead is "myUsername", which presumably does not exist on the server.
Deleting the quotes will solve this issue:
storedUsername = myUsername
storedPassword = myPassword
I have a fairly complex Gradle build process, one step of which requires communication with a service, for which I need a special token file. I can generate this token file just fine manually, but I'd like to add it to my build so that, if the token file is not present, the user is prompted for their credentials.
I have referenced the following blog post about this: https://www.timroes.de/2014/01/19/using-password-prompts-with-gradle-build-files/, but it is missing a small detail for me. I do not want to unconditionally prompt the user for their credentials; I only want to prompt them if the token file needs to be created.
Let's say I have the following task:
task createToken(type: Exec) {
dependsOn userCredentialPrompt
outputs.file 'creds.token'
environment 'USERNAME', project.username
environment 'PASSWORD', project.password
executable './create_token_file'
}
task somethingRequiringToken {
dependsOn: createToken
inputs.file 'creds.token'
// Other task-specific configuration here.
}
And the userCredentialPrompt task is one that prompts the user for their credentials and assigns the project.username and project.password to the correct values (using logic like the linked blog post above).
The problem here is that both the username and password are null. I'm pretty sure I understand the reason why. They're set at configuration time, but the prompt for user credentials takes place at execution time. That said, I don't know the right way to get Gradle to behave so that the following happens:
When somethingRequiringToken is executed, if the creds.token file is missing, it runs createToken.
When somethingRequiringToken is executed, if the creds.token file is present, the createToken task is not executed.
When createToken is executed, the user is prompted for their credentials.
When the user credentials are acquired, they are passed (reasonably securely) to an external executable that generates the creds.token file.
node 0.2.6 way:
var credentials = crypto.createCredentials({ "key": SSLKey, "cert": SSLCert, "ca": Ca, "password": SSLKeyPass })
var client = http.createClient(apiPort, host, true, credentials)
node 0.4 way:
var options = {
host: apiHost,
port: apiPort,
method: 'GET',
path: uri,
headers: {host: host},
key:SSLKey,
cert:SSLCert,
ca:Ca,
password:SSLKeyPass
}
var request = https.request(options, function (response) {
As you can see there is a password needed, I don't know where the password is supposed to go in node 0.4.
Where does SSLKeyPass go on node 0.4?
So even in the node 0.2.6 source code, the crypto.js module is not looking for a password property in the object you pass to createCredentials. Here's the createCredentials source from node 0.2.6. In version 0.4.8 there is still no mention of the word password in the crypto.js module. Did your 0.2.6 code really work?
As a general comment, use openssl to decrypt your private key, keep that secured on disk, and have your node code read that file. This seems to be the most commonly used option. The other options being A) have to manually type the passphrase to decrypt your private key whenever you launch your node server (pretty much nobody does this) or B) keep your cleartext passphrase on disk, which is not any different that just keeping the cleartext private key on disk, so AFAIK this is also a very uncommon solution to the problem of private key security.
You can decrypt your private key with the openssl command line like this:
openssl rsa -in your_encrypted_private.ekey -out your_private.key
openssl will prompt your for the passphrase interactively.
For the record, you can provide a passphrase when creating a Credentials object in Node.js. This section of Node.js documentation on the crypto module states that the passphrase option can be provided, for either the private key or PFX file. You do not have to keep your private key in clear text on disk somewhere for Node.