So I'm trying to authenticate a user who has a password on the LDAP server in the {algorithm}hash format. I try to log the user in like this:
with Connection(server, "<user>", "plaintext-password") as conn:
conn.bind()
print(conn.result)
This returns {'result': 49, 'description': 'invalidCredentials', 'dn': '', 'message': '', 'referrals': None, 'saslCreds': None, 'type': 'bindResponse'}
It gives invalid credentials on bind even though this is the correct plain text version of the password. How do I give the instruction to hash the password to authenticate, because I couldn't find anything on the internet?
Thanks in advance.
So I figured it out.
OpenLDAP by default only supports salted SHA1 for password hashing. But I was trying to do it with salted SHA512.
I'm also aware of slapd-sha2.so for better password hashing, but the container I'm running for OpenLDAP doesn't have that one implemented, so that is also out of the question.
I hope this helps people in the future.
Related
I have to get rid of the clear text password in ActiveMQ server in the jetty-realm.properties file as part of the security requirements of our project.
I followed the procedure for encrypting passwords found here: https://activemq.apache.org/encrypted-passwords.html.
In Jetty-real.properties I replaced plain password with ${activemq.password}
But I could not login into the web console (http://localhost:8161/admin)
Are there additional config parameters I need to change? Any help would be greatly appreciated.
For ecrypt password we can use jetty utility. This can be downloaded from http://download.eclipse.org/jetty/.
use:
java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password admin admin
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Add in bus\conf\jetty.xml\jetty-realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
A very important note: the sequence of data specified by you should be as follows:
org.eclipse.jetty.util.security.Password [username] password
Also note that in some shells (like default on Ubuntu 20.04) the dollar sign inside the password will effectively truncate your password to the part preceding the dollar sign.
(I meant to put a comment to the answer by #dorin.canepa, but clicked on a wrong button and now it's an answer, oh well)
I'm trying to create an extranet user within sitecore but i'm having issues. I'm using the command Membership.CreateUser(username, password, email)
Nothing seems to happen though. No user is created in the extranet aspnetdb. No exceptions are thrown.
I also tried putting the domain as part of the user name: domain\username...and I get the error "You must specify a non-autogenerated machine key to store passwords in encrypted format. Either specify a different passwordFormat, or change the machineKey configuration to use a non-autogenerated decryption key.". My passwordFormat is Encrypted.
Any ideas what i'm doing wrong?
Thanks in advance.
Did you try what the error message suggested? I would try setting your own Machine Key. More about that here. As always, do this in a test/dev environment.
You can use below code -
uname = string.Format(#"{0}{1}", domain, userName);
Membership.CreateUser(uname, password, email);
We use SFTP in our project to transfer files over an SSH connection. This is done through java code. Assuming that if for characters like ?, ! etc we need to give the encoded value in the sftp command, we encoded the password in the code and generated the command. But SFTP isn't working with these encoded password now, it accepts the password directly. What could be the issue. Please help.
Example username: xyz password: abc!
We use URLEncoder to encode the username and password.
String username= URLEncoder.encode(username, "UTF-8");
String password = URLEncoder.encode(password, "UTF-8");
After encoding Our code would generate SFTP command as : sftp://xyz:abc%21#10.9.10.9/home/documents/xyz.txt
But this isn't working, Authentication fails with wrong password. Where as manually if we give command sftp://xyz:abc!#10.9.10.9/home/documents/xyz.txt it works.
Please let us know if we are going wrong.
Thanks in advance.
That's not actually an issue. SFTP is a subsystem of SSH, and SSH creates a secure channel upon client connection (similarly to what SSL does but at layer 7): once the secure and encrypted connection is established, your username and password will be sent to the SSH server inside such connection, therefore there is no need to encode them nor to encrypt them.
The SSH server expects to receive your username/password as they are, not pre-processed nor encoded. And you can do that safely with SFTP for the reason explained here above. So no reason to be worried.
I have a question about how to use md5 and a salt to secure a password, I have already made many searches for answers to my questions.
An article I saw was using c# to convert password to md5 string, something like this:
public static string md5(string <b>sPassword</b>)
{
System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
byte[] bs = System.Text.Encoding.UTF8.GetBytes(sPassword);
bs = x.ComputeHash(bs);
System.Text.StringBuilder s = new System.Text.StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
My question is the above code seems server side is its mean password traveling over internet in plain text doesn't it create any security issue or it does not matter i don't know (may be i am getting it wrong way or i am not clear about password security concept) ?
What i have done in my project is i am creating a secure password at client side with java script md5.js file and with user's entered password before posting login.aspx form back to server then at server side i am fetching hashed password of user from database(which was stored at the time of registration of user with same technique) and match both client side and server side hashed passwords if they match user authenticated.
i don't know weather i am doing it right way or not please let me know right way if i am wrong .
Now the problem is i want to use SALT with the md5 (md5+salt) to make password more secure with Randomly generated salt string. how to do this should i make a random salt string at server side while page_load of login page and then send it to client side and at client mix this salt with user password before posting form. after post again mix the password(fetched from database) with same random string and match both password to authenticate.
One more question, at the time of registration of a new user, where should originally user entered password convert in md5 at client side or server side if at server side then password should post to server as it is means original password.(like "MyPassword")
Firstly you should be aware that SHA1 is now industry standard, but it's still fine to use Md5 for most things.
Secondly to stop plain text transmitting over the public network, use an HTTPS connection (you may need to purchase a certificate from a recognised vendor).
Also if this is for a user system, consider using ASP.net's membership system. It does this all for you and has been extensively reviewed.
The basic flow of what you describe anyway would be:
User enters password
Server generates random salt
Hashed password = md5(salt + raw password)
Store hashed password and salt along side username, dispose of raw
When user logs in, find the associated salt with the username login is being attempted for.
Is password valid = does md5(salt + entered password) = store hash?
If they do, login
Once they have logged in, it might be a good idea also to regenerate a new salt and hash. Also the md5() should be applied to the password thousands of times before storing to make a dictionary attack uneconomical.
There are plenty of resources out there that go into this in more detail.
Good luck!
I can't figure out how to change the webdav password. I've done some searching, found many resources of how to add a new user to webdav, but nothing about changing password. Anyone know?
Passwords are stored in webdav.htpasswd file.
If you open it, you will see an entry like this
wampp:XAMPP with WebDAV:bc7f2b670e7e965e307feb30492e642e
That's the entry for user wampp: in realm XAMPP with WebDAV: with password which is encrypted.
To change password, you should use htdigest.exe.
See manual. It is used to create and update user authentication files. You should find in the bin directory of xampp installation.
To do that, do :
htdigest.exe "pathto/webdav.htpasswd" "XAMPP with WebDAV" yourusername
This will be returned:
Adding user yourusername in realm "XAMPP with WebDAV"
You will then be asked for the password for yourusername
New password: yourpassword
Re-type new password: yourpassword
Reference: http://www.apachefriends.org/f/viewtopic.php?f=16&t=38897
Replace the content of the file C:\Program Files\xampp\security\htpasswd.webdav with your username, a colon and the password. Note: Everyone who can see this file can see the password!
Assuming you're talking about doing a password change at the server from a client, I don't believe WebDAV supports such a transaction.
You'd use something like a shell logon or a Web-based admin page to do this.
This always struck me as odd for a lot of network services, for example FTP or email. It seems to be common though.