Not able to persist ACL users in ACL file in Redis - redis

I am facing a peculiar issue.
In my redis.conf file, at first I enable a password authentication by setting:
requirepass admin
When I connect to Redis via CLI, I am required to authenticate myself before continuing any operation, so all good so far:
127.0.0.1:6379> get name
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth admin
OK
127.0.0.1:6379> get name
"sahay"
Now, I try to create a ACL user by running:
127.0.0.1:6379> acl setuser nonadminuser on >generalpassword +#all -#dangerous ~*
OK
So far so good, now I want to persist this new user to a ACL file, so I run:
127.0.0.1:6379> acl save
(error) ERR This Redis instance is not configured to use an ACL file. You may want to specify users via the ACL SETUSER command and then issue a CONFIG REWRITE (assuming you have a Redis configuration file set) in order to store users in the Redis configuration.
This is also OK, since I have not set any configuration of aclfile in my redis.conf.
So, I stop my redis server and add this line in my redis.conf file:
aclfile /Ankit/redis_installation/redis-stable/acl_users.acl
I also create a acl_users.acl file in the above mentioned directory, because without it Redis throws an error that no such file exists.
Now comes the peculiar part. When I start redis, and connect to it via CLI, it doesn't ask me to authenticate! Even though
requirepass admin
is set in the redis.conf file. In fact, it throws error when I try to run a password.
127.0.0.1:6379> get name
"sahay"
127.0.0.1:6379> auth admin
(error) ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
Also, when I do an ACL save now (after creating the new user), that new user is created and persisted in acl file but the strange thing is default user is stored with "nopass"
Why is default user configured as nopass even when config file has a requirepass clause?

requirepass is not compatible with ACL feature. If you config with ACL rules, requirepass is ignored. That's why you can operate Redis as the default user without sending auth command.
With ACL feature, you need to explicitly set a rule for default user.
user default on +#all ~* >password

Related

How to set password for redis-server

I have a 3-instance high availability redis deployed. On each server I have redis and sentinel installed. I am trying to set a password
so that it requests it at the moment of entering with the command "redis-cli".
I am modifying the value of the "requirepass" parameter of the "redis.conf" file.
requirepass password123
Also inside the redis terminal, I am setting the password with the following commands
config set requirepass password123
auth password123
When I connect with the following command
redis-cli --tls --cert /<path>/redis.crt --key /<path>/redis.key --cacert /<path>/ca.crt -a password123
It works fine, my problem is when I restart the redis service, for some reason the password settings are not kept and I get the following message
Warning: AUTH failed
I do not know what configuration I need to do so that the change is maintained after restarting the redis service.
The version of redis that I have installed is "Redis server v=6.0.6"
Check your ACL configuration,Your requirepass configuration will be ignored with ACL operation. I get follow infomation from redis.conf example file.
IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
layer on top of the new ACL system. The option effect will be just setting
the password for the default user. Clients will still authenticate using
AUTH as usually, or more explicitly with AUTH default
if they follow the new protocol: both will work.
The requirepass is not compatable with aclfile option and the ACL LOAD
command, these will cause requirepass to be ignored.
config rewrite
This command will solve your issue of nopass after restart.
After setting the requirepass from redis cli.

redis snapshot location not as specified in config

After running fine for a while, I am getting write error on my redis instance:
(error) MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error.
In the log I see:
9948:C 22 Mar 20:49:32.241 # Failed opening the RDB file root (in server root dir /var/spool/cron) for saving: Read-only file system
However, my redis config file is /etc/redis/redis.conf as confirmed by:
redis-cli -p 6379 info | grep 'config_file'
config_file:/etc/redis/redis.conf
And there I have:
dir /mnt/data/redis
And indeed, there is a snapshot there.
But despite the above, redis now thinks my data directory is
redis-cli -p 6379 CONFIG GET dir
1) "dir"
2) "/var/spool/cron"
Corresponding to the error I was getting as quoted above.
Can anyone tell me why/how my data directory is changing after redis starts, such that it is no longer what is specified in the config file?
So the answer is that the redis server was hacked and the configuration changed, which is very easy to do as it turns out. (I should point out that I had no reason to think it wasn't easy to do. I just assumed security by obscurity was sufficient in this case--wrong. No matter, this was just a playground not any sort of production server).
So don't open your redis port to the world. Use security groups if on AWS to limit access to machines that need it, or use AUTH (which is still not awesome because then all clients need to know the single password which also apparently gets sent in the clear), or have some middleware controlling access.
Hacking redis is easy to do, can compromise your data, and even enable unauthorized SSH access to your server. And that's why you shouldn't highline.

How can I set password for Redis cluster?

I'm trying to set password for my Redis cluster (3 masters, 3 slaves).
I have changed the /etc/redis/redis.conf configuration file on "requirepass" field, but when I log into the cluster i didn't get an error message (telling me to use password).
so, How can I set password for my Redis cluster?
thank you
Setting a slave to authenticate to a master
If your master has a password via requirepass, it's trivial to configure the slave to use that password in all sync operations.
To do it on a running instance, use redis-cli and type:
config set masterauth <password>
To set it permanently, add this to your config file:
masterauth <password>
Full info in: https://redis.io/topics/replication

Can't access Coturn web interface

I have a running coturn instance on Centos-7-x64, if I access it through the browser I can see:
TURN Server
use https connection for the admin session
After examining the documentation, I found this:
Add the admin user(s) to the database, with turnadmin utility. If you added those users, then they will be able to connect to the TURN server ports over HTTPS from your browser and perform admin tasks with the web interface.
So I created an admin user with the following command:
$ sudo bin/turnadmin -A -u username -p password
And I can see that user listed when running:
turnadmin -L
However, when I try to connect to https://my.ip.adrss:3478 I can't see the promised admin.
What am I missing here?
You need to configure TLS. For this, you can start the server with the following flags (taken from documentation)
--cert Certificate file, PEM format. Same file
search rules applied as for the configuration
file. If both --no-tls and --no-dtls options
are specified, then this parameter is not needed.
Default value is turn_server_cert.pem.
--pkey Private key file, PEM format. Same file
search rules applied as for the configuration
file. If both --no-tls and --no-dtls options
are specified, then this parameter is not needed.
Default value is turn_server_pkey.pem.
You'll need to specify the path to each file. You can find the file with find / -name turn_server_*.pem -type f, if you want to use the ones that the package comes with. Otherwise, you can point to your own files. I think they are located in /etc/turn_server_cert.pem and /etc/turn_server_pkey.pem

SSH to AWS Instance without key pairs

1: Is there a way to log in to an AWS instance without using key pairs? I want to set up a couple of sites/users on a single instance. However, I don't want to give out key pairs for clients to log in.
2: What's the easiest way to set up hosting sites/users in 1 AWS instance with different domains pointing to separate directories?
Answer to Question 1
Here's what I did on a Ubuntu EC2:
A) Login as root using the keypairs
B) Setup the necessary users and their passwords with
# sudo adduser USERNAME
# sudo passwd USERNAME
C) Edit /etc/ssh/sshd_config setting
For a valid user to login with no key
PasswordAuthentication yes
Also want root to login also with no key
PermitRootLogin yes
D) Restart the ssh daemon with
# sudo service ssh restart
just change ssh to sshd if you are using centOS
Now you can login into your ec2 instance without key pairs.
1) You should be able to change the ssh configuration (on Ubuntu this is typically in /etc/ssh or /etc/sshd) and re-enable password logins.
2) There's nothing really AWS specific about this - Apache can handle VHOSTS (virtual hosts) out-of-the-box - allowing you to specify that a certain domain is served from a certain directory. I'd Google that for more info on the specifics.
I came here through Google looking for an answer to how to setup cloud init to not disable PasswordAuthentication on AWS. Both the answers don't address the issue. Without it, if you create an AMI then on instance initialization cloud init will again disable this option.
The correct method to do this, is instead of manually changing sshd_config you need to correct the setting for cloud init (Open source tool used to configure an instance during provisioning. Read more at: https://cloudinit.readthedocs.org/en/latest/). The configuration file for cloud init is found at:
/etc/cloud/cloud.cfg
This file is used for setting up a lot of the configuration used by cloud init. Read through this file for examples of items you can configure on cloud-init. This includes items like default username on a newly created instance)
To enable or disable password login over SSH you need to change the value for the parameter ssh_pwauth. After changing the parameter ssh_pwauth from 0 to 1 in the file /etc/cloud/cloud.cfg bake an AMI. If you launch from this newly baked AMI it will have password authentication enabled after provisioning.
You can confirm this by checking the value of the PasswordAuthentication in the ssh config as mentioned in the other answers.
Recently, AWS added a feature called Sessions Manager to the Systems Manager service that allows one to SSH into an instance without needing to setup a private key or opening up port 22. I believe authentication is done with IAM and optionally MFA.
You can find out more about it here:
https://aws.amazon.com/blogs/aws/new-session-manager/
su - root
Goto /etc/ssh/sshd_config
vi sshd_config
Authentication:
PermitRootLogin yes
To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
:x!
Then restart ssh service
root#cloudera2:/etc/ssh# service ssh restart
ssh stop/waiting
ssh start/running, process 10978
Now goto sudoers files (/etc/sudoers).
User privilege specification
root ALL=(ALL)NOPASSWD:ALL
yourinstanceuser ALL=(ALL)NOPASSWD:ALL / This is the user by which you are launching instance.
AWS added a new feature to connect to instance without any open port, the AWS SSM Session Manager.
https://aws.amazon.com/blogs/aws/new-session-manager/
I've created a neat SSH ProxyCommand script that temporary adds your public ssh key to target instance during connection to target instance. The nice thing about this is you will connect without the need to add the ssh(22) port to your security groups, because the ssh connection is tunneled through ssm session manager.
AWS SSM SSH ProxyComand -> https://gist.github.com/qoomon/fcf2c85194c55aee34b78ddcaa9e83a1
Amazon added EC2 Instance Connect.
There is an official script to automate the process https://pypi.org/project/ec2instanceconnectcli/
pip install ec2instanceconnectcli
Then just
mssh <instance id>