I want to deploy nginx with basic auth via: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
I'm in the process of using helm to generate a htpasswd hash, I want to use the following template function htpasswd: https://helm.sh/docs/chart_template_guide/function_list/#cryptographic-and-security-functions
My template is as follow:
{{- $passwd := (htpasswd "foo" "bar") -}}
apiVersion: v1
kind: Secret
metadata:
name: htpasswd
namespace: default
type: Opaque
stringData:
htpasswd: {{ $passwd }}
However when I try to authenticate via nginx i get the following error:
*13 crypt_r() failed (22: Invalid argument)
Does this mean nginx doesn't support bcrypt hash password? Is there a way around this so I can still use helm templates. Can i provide a custom htpasswd function?
Nginx does not have an internal implementation of the bcrypt algorithm. Actually, the only one algorithm implemented by nginx itself is the apache apr1 MD5 version (read this nginx trac ticket), for everything else it relies on a system libc library crypt implementation. Only a few Linux distributions shipped with the tweaked glibc version that has bcrypt support; Alpine Linux is one of the examples. You can check this issue of docker-nginx image, especially this comment, or this one of the ingress-nginx.
Unfortunately I don't have an answer is there a way to provide a custom crypt function using helm. I think helm developers should consider to add at least SHA-256/SHA-512 hashing functions. Too sad there is so many software thinking the world of web servers is limited to apache.
TL;DR
The default POSIX crypt function implementation uses a 56 bit DES, which is definitely too week nowadays and not something anybody should rely on. However GNU glibc library implements some extensions:
The glibc version of this function supports additional encryption algorithms.
If salt is a character string starting with the characters $id$ followed by a string optionally terminated by $, then the result has the form:
$id$salt$encrypted
id identifies the encryption method used instead of DES and this then determines how the rest of the password string is interpreted. The following values of id are supported:
ID
Method
1
MD5
2a
Blowfish (not in mainline glibc; added in some Linux distributions)
5
SHA-256 (since glibc 2.7)
6
SHA-512 (since glibc 2.7)
Thus, $5$salt$encrypted and $6$salt$encrypted contain the password encrypted with, respectively, functions based on SHA-256 and SHA-512.
salt stands for the up to 16 characters following $id$ in the salt. The encrypted part of the password string is the actual computed password. The size of this string is fixed:
Hash function
Length
MD5
22 characters
SHA-256
43 characters
SHA-512
86 characters
The characters in salt and encrypted are drawn from the set [a-zA-Z0-9./]. In the MD5 and SHA implementations the entire key is significant (instead of only the first 8 bytes in DES).
Since glibc 2.7, the SHA-256 and SHA-512 implementations support a user-supplied number of hashing rounds, defaulting to 5000. If the $id$ characters in the salt are followed by rounds=xxx$, where xxx is an integer, then the result has the form
$id$rounds=yyy$salt$encrypted
where yyy is the number of hashing rounds actually used. The number of rounds actually used is 1000 if xxx is less than 1000, 999999999 if xxx is greater than 999999999, and is equal to xxx otherwise.
So, why the glibc doesn't have a Blowfish (bcrypt) support by default? There is a long read from Red Hat. In short, bcrypt considered to have no benefits over SHA-256 or SHA-512 functions using enough hashing rounds. I'm not a cryptographic expert, nevertheless the article seems reasonable to me. For my own purposes, to not be stucked with the weak apache MD5 1000 hashing rounds algorithm, I wrote a script that I'm using to generate passwords based on the SHA-512 default (5000) hashing rounds function, maybe someone will find it useful:
#!/usr/bin/python
import sys, random, string;
from getpass import getpass;
from crypt import crypt;
if len(sys.argv) > 1:
username = sys.argv[1];
if len(sys.argv) > 2:
password = sys.argv[2];
else:
password = getpass('Enter password: ');
confirm = getpass('Re-enter password: ');
if password != confirm:
sys.stderr.write('Passwords mismatch!\n');
exit(1);
random.seed();
salt = ''.join(random.sample(string.ascii_letters + string.digits + './', 8));
print('%s:%s' % (username, crypt(password, '$6$%s$' % salt)));
else:
sys.stderr.write('Usage: htpasswd.py <username> [<password>]\n');
This one was written to be used on a CentOS 7 (shipped with Python 2.7) and may or may not require some modifications to be used with Python 3. It can be easily tweaked to use more hashing rounds replacing $6$%s$ with lets say $6$rounds=10000$%s$ (to use 10000 hashing rounds instead) and so on.
Related
I have a hash file from the image, my device is Surface Pro BitLocker encrypted image
Recovery Key hash #0:
$bitlocker$2$16$57debb77a3b130a92397f8c063049274$1048576$12$20cfa3155178d70198020000$60$ad91090585684fe3da68e053c0cbfdaae24e8bd5c6b50978790b964d3b2a808c3394a833c690cc9c99c0364d9df1fac40bdcadcd2b987a7d780bfdc3
when I run
hashcat.exe -m 22100 bitlocker.txt rockyou.txt
I get an error
Hashfile 'bitlocker.txt' on line 1 ($bitlo...9df1fac40bdcadcd2b987a7d780bfdc3): Salt-value exception
No hashes loaded.
Note also that Hashcat only supports $bitlocker$1$...
You should try to extract a $1 hash ... alternatively it should work with bitcracker
I observe a strange situation in Windows 10 with XAMPP Control Panel v3.2.4
Terminal window is launched and connected to Mysql DB.
Note: prior in terminal window issued command 'chcp 65001' to support UTF8 encoding.
Now when I attempt to update some table with value which is in Cyrillic then MySQL complains about not closed quote symbol. If I replace Cyrillic input to English then command is accepted.
MariaDB [youtube]> update episodes set name='Катя' where id=11;
'>
If I attempt to insert a new record into DB same situation happens
MariaDB [youtube]> insert into episodes (youtube_id,series_id,season,episode,name) values (12345678904,1,0,1,'Катя');
'>
If double quotes are used situation is the same
MariaDB [youtube]> insert into episodes (youtube_id,series_id,season,episode,title) values (12345678904,1,0,1,"Катя");
">
What a magic touch required to make it work through terminal window?
Update:
John suggested to look into configuration file of MariaDB for UTF8 settings.
The settings was changed to the following and the problem still persists
# The MySQL server
default-character-set=utf8mb4
[mysqld]
init-connect=\'SET NAMES utf8\'
character_set_server=utf8
collation_server=utf8_unicode_ci
skip-character-set-client-handshake
character_sets-dir="C:/bin/XAMPP/App/xampp/mysql/share/charsets"
Initially settings was
# The MySQL server
default-character-set=utf8mb4
[mysqld]
character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
Server status report
MariaDB [youtube]> \s
--------------
mysql Ver 15.1 Distrib 10.4.10-MariaDB, for Win64 (AMD64), source revision c24ec3cece6d8bf70dac7519b6fd397c464f7a82
Connection id: 17
Current database: youtube
Current user: root#localhost
SSL: Not in use
Using delimiter: ;
Server: MariaDB
Server version: 10.4.10-MariaDB mariadb.org binary distribution
Protocol version: 10
Connection: localhost via TCP/IP
Server characterset: utf8
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3306
Uptime: 11 min 12 sec
Threads: 7 Questions: 59 Slow queries: 0 Opens: 22 Flush tables: 1 Open tables: 16 Queries per second avg: 0.087
--------------
MariaDB Documentation has reference to an option --default-character-set=name.
An attempt to use --default-character-set=utf8mb4 on command line had no effect on behavior of insert/update record in terminal client.
mysql -u root -p --default-character-set=utf8mb4 youtube
....
MariaDB [youtube]> update episodes set title='Катя' where id=11;
'>
I highly recommend getting a copy of the freeware program HeidiSQL. It's not perfect and even crashes occasionally though compared to everything else I've worked with? Oh boy, totally worth my time.
Secondly you want to make sure that you're using the following:
Database Character Set: utf8mb4
Database Collation: utf8mb4_unicode_520_ci
These have the greatest UTF-8 support from what I've read from Stackoverflow member Rick James, via his website. He's a database superstar here on SO so if you ever hire him dump buckets of money on his face. His site has a comparison chart. In fact it's been a while and 520 might have been superseded since I last checked.
To set/change the Database Character Set you will need to change the my.cnf configuration file for MariaDB, I recommend using Notepad++ for code editing. This should make any newly created databases use the correct encoding however you may have to go through and manually update the character sets and collations for databases, tables and table columns so do not forget to be thorough!
[client]
default-character-set = utf8mb4
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_520_ci
Once you do that your queries with Russian/Greek/etc should work normally as they do with English. Keyword: should.
Since I only speak two languages (English and bad English) I encode all characters past a certain Unicode numeric point just to be certain. It'll take up a bit more space however there are sometimes characters added for languages to Unicode after the majority of the language has been defined thus potentially fragmenting language support. If you're interested comment and I'll go find that code for you.
I'm at a moderate level of comprehension and I'm no Rick James though I have about two or three dozen translation pages (use the search feature and search for 'translation') on the site in my profile if you want to see the output. After I did these things I stopped having the data get corrupted. I hope this helps!
I'm trying to automate centos installs via PXE and kickstart with encrypted filesystems. In case we mislay the passphrase we want to use escrow files and encrypt them using the public key attached to an x509 certificate obtained from a web server. The relevant line in the kickstart file is
logvol /home --fstype ext4 --name=lv02 --vgname=vg01 --size=1 --grow --encrypted --escrowcert=http://10.0.2.2:8080/escrow.crt --passphrase=XXXX --backuppassphrase
Leaving the cert as PEM encoded on the web server rather than DER doesn't seem to matter, either work up to a point.
The filesystem is created and encrypted using the supplied passphrase and can be opened on reboot with no issues. Two escrow files are produced as expected and if by using the NSS database containing the private key and the first escrow file I obtain what I think is the passphrase but it doesn't unlock the disk. For example:
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow
Data encryption key:<span class="whitespace other" title="Tab">»</span>817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C221CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34
I assume the string from 817 to B34 is the passphrase but using it in a cryptsetup command does not work.
[root#mypxetest ~]# cryptsetup -v status home
/dev/mapper/home is inactive.
Command failed with code 19.
[root#mypxetest ~]# cryptsetup luksOpen /dev/rootvg01/lv02 home
Enter passphrase for /dev/rootvg01/lv02:
No key available with this passphrase.
Enter passphrase for /dev/rootvg01/lv02:
When prompted I paste in the long numeric string but get the No key available message. However if I use the passphrase specified in the kickstart file or the backup escrow file the disk unlocks.
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow-backup-passphrase
Passphrase:<span class="whitespace other" title="Tab">»</span>QII.q-ImgpN-0oy0Y-RC5qa
Then using the string QII.q-ImgpN-0oy0Y-RC5qa in the crypsetup command works.
Has anyone any idea what I'm missing? Why don't both escrow files work?
I've done some more reading and the file ending in escrow is not an alternative passphrase for the luks volume but it contains the encryption key which is encrypted of course. When decrypted the long string is the encryption key and there's a clue in the rest of the text which I confess I didn't read very well.
I've setup a dual boot so I have windows 10 and ubuntu.
Following steps on this page I'm able to retrieve the lockout password and the owner password of my TPM in the windows 10 registry. Result looks like this :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin
OwnerAuthStatus REG_DWORD 0x1
LastAuthLevel REG_DWORD 0x4
OwnerAuthFull REG_SZ iTcW8t1B+tIKmP/uxXPL94QF2Jw=
LockoutHash REG_SZ Ki1RiIu8d+eqeDoEFYcAqIoi1n4=
SRKPub REG_BINARY A3FEFDE6DBAA425D24717422C46C7E9C85C433CB
StorageOwnerAuth REG_SZ
TPMCleared REG_DWORD 0x0
OwnerAuthFull and LockoutHash are both base64 encoded so I can decode them using this link for instance (it give 893716F2DD41FAD20A98FFEEC573CBF78405D89C in hexa for the owner password).
After that booting on the ubuntu I'm trying to interact with the TPM using these passwords. I'm using tpm2-tools to interact with the TPM under ubuntu.
Tpm2-tools works pretty well when the linux controls the TPM and sets up these passwords. But here I'm trying to let Windows have control of the TPM and still be able to communicate with it under Ubuntu. For instance when I run these commands (which works when ubuntu controls the TPM).
$ tpm2_createprimary --hierarchy e -g sha256 -G rsa -C primary.ctx
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
raw: 0x30072
$ tpm2_create -g sha256 -G rsa -u key.pub -r key.priv -c primary.ctx
algorithm:
value: sha256
raw: 0xb
attributes:
value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
raw: 0x60072
type:
value: rsa
raw: 0x1
rsa: d14e5b7473972e4430b780dff0ec31a3a021fa0049ea1bafc17e2de4e232cba3afcdd8504c9f7dc2fa57df04ec1f64759f6bb0d8563c1ac53a7ce8d563ab7437f1f4b760960acfde7c414355c371ac8c94bba0e004bb08b499f115ba5e8efd655174c87309d64a23e198f6fce8e5451a851b7e96f7c172ba3d4be8e339176d136752e5d038ad9979585008e35bdedfdabe3236b92c60d5c4eabcafaabc8c65401aab5b479d8471d20ca18631c31404b38f3d373b5612ca906599914865cf281e550a748685fed4d60a7aa9c955d374c1d0852bb36ce9d39209e66fada20e4c473765160988470e93b63d81361613e3f5b918da167048ff8afe5e74768544fe03
$ tpm2_load -c primary.ctx -u key.pub -r key.priv -n key.name -C key.ctx
Load succ.
LoadedHandle: 0x80000100
$ tpm2_evictcontrol --auth o -c key.ctx --persistent 0x81010003 -P hex:893716F2DD41FAD20A98FFEEC573CBF78405D89C
persistentHandle: 0x81010003
ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications
I get ERROR: Tss2_Sys_EvictControl(0x9A2) - tpm:session(1):authorization failure without DA implications.
Does anybody knows why I get this error / why this password doesn't work? Where could I get the right password ? Well any pointer on how to solve this problem is appreciated!
Thx!
I think I got my answer, in fact Windows make a sha1 hash of the password then converts it to base64 and then stores it in the registry if gpedit is configured like so :
https://msdn.microsoft.com/en-us/library/windows/desktop/aa376421(v=vs.85).aspx
b3nj1's answer is incorrect. Using the --auth o option for tpm2_evictcontrol means you're selecting the TPM's owner control domain (note that is true in Feb 2018 when the question was posted, --auth means something else now) which requires owner authorization. OwnerAuthFull and LockoutHash are indeed generated as described in b3nj1's answer, but OwnerAuthFull stores the TPM's lockout authorization, while LockoutHash's purpose is unknown.
The base64-decoded value of OwnerAuthFull is the lockout authorization value. This can be verified using tpm2-tools' tpm2_changeauth - the base64-decoded value enables one to successfully change the lockout authorization. You can use the following powershell command to do base64 decoding to hex string:
([System.BitConverter]::ToString([System.Convert]::FromBase64String('stringToConvert'))).Replace('-','')
So what is the owner authorization value in Windows? As per this page: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings, it is StorageOwnerAuth for b3nj1. From the result quoted in the question, it is just an empty string, meaning the owner authorization value is just a 0-byte buffer. This is the default value. Again, you can verify this using tpm2_changeauth.
Note that the link claims that the lockout authorization for TPM 2.0 is stored in LockoutAuth. This is incorrect. As seen in b3nj1's results above (as well as in my computers), there is StorageOwnerAuth, so it must be a TPM 2.0, but there is no LockoutAuth. Instead there is LockoutHash, but the article makes no mention of this value. Trying to use tpm2_changeauth with LockoutHash to modify any of the owner, endorsement, and lockout authorizations fails, so it is unclear what this value is for.
For the link in Wang's comment to b3nj1's answer, it is incorrect. One can use tpm2_changeauth to verify that the owner and endorsement authorization values in Windows are both empty strings, and lockout authorization is stored in OwnerAuthFull. This means that none of the authorization values controlled by Windows are unknown and/or discarded.
I've raised these issues with the documentation on GitHub and will update if there are any developments.
I'm trying to make a paper based backup of a 4092 bit secret/private PGP key using a QR code generator, but the key is just too big. I'm going to go low tech here and split it into two pieces, but perhaps I don't need to. I know that when exporting the secret key, it also exports the public key embedded within it.
Is there any way to remove the public portion of the key from that file, or prior to exporting, so that the resulting file is only the private key?
I'm not certain the resulting file will be small enough still, but it is worth a shot.
D:\Users\tharding>gpg --edit-key "04EAC14C"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/04EAC14C created: 2015-02-11 expires: never usage: SCE
trust: unknown validity: unknown
[ unknown] (1). Timothy Harding <hardingt#gmail.com>
gpg> key 1
No subkey with index 1
gpg> delkey
You must select at least one key.
gpg> delkey 0
You must select at least one key.
Update:
From what I can tell, (looking at the ASCII Armored output for both the public key and the private key) it looks like they are structured this way:
Update 2:
Looked at the files again, and this is what I've got, I haven't pulled out a hex editor yet to verify the non armored files, but I've found surprisingly little help online about how these key files are internally structured:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version:
4 header chars ??
1517 pub key chars
4 footer chars ??
-----END PGP PUBLIC KEY BLOCK-----
and
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version:
4 different header chars from pub key ??
700 pub key chars
1772 private key chars (possibly some header/footer to do with the symmetric cipher)
817 pub key chars (same total 1517, exact same ASCII sequence if put together)
4 different footer chars from pub key ??
-----END PGP PRIVATE KEY BLOCK-----
Update 3:
Took a look at the binary pub/private keys and found that:
public key is 1138 bytes
4 unique bytes
1134 bytes found in private key as well
private key is 2467 bytes
4 unique bytes
524 of which are found verbatim in the public key
1329 of which are unique to the private key
38 bytes which are found verbatim in the public key (key name & Email address)
572 bytes which are found verbatim in the public key
There is a program called Paperkey[1], written by David Shaw[2], that extracts only the private key information from an exported OpenPGP private key.
Excerpt from the package description:
extract just the secret information out of OpenPGP secret keys
The Paperkey page has a version already built for Windows 32bit, and provides the source to compile on Linux, Unix, *BSD and OSX.
Paperkey is also available via the package manager on some Linux/BSD distributions.
Example package manager installs -
apt (debian) -
apt-get install paperkey
yum (redhat)
yum install paperkey
pkg (bsd)
pkg install paperkey
ports (bsd)
cd /usr/ports/security/paperkey
make install clean