If a data drive is password protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only.What is the reason for such a behaviour?
Related
Recently our web hoster (Domainfactory) changed the method to externally access our online mysql database. From simple ssh "port forwarding" to a "unix socks tunnel".
The ssh call looks like this (and it works!):
ssh -N -L 5001:/var/lib/mysql5/mysql5.sock ssh-user#ourdomain.tld
The problem: you have to enter the password every single time.
In the past I used BitVise SSH client to create a profile (which also stores the encrypted password). By simply double-clicking on the profile you'll be automatically logged in.
Unfortunately, neither the "BitVise SSH client" nor "Putty" (plink.exe) supports the "Unix socks tunnel" feature/extension, so I can't use these tools any more.
Does anyone have an idea how to realize an automated login (script, tool, whatever)?.
The employees who access the database must not know the SSH password in any case!
I got a solution. The trick is to generate a SSH Key pair (private and public) on client side (Windows machine) calling 'ssh-keygen'. Important: don't secure the ssh keys with a password (simply press [enter] if you're asked for a password, otherwise you'll be asked for the SSH-Key password every time you try to SSH). Two files will be generated inside 'c:\Users\your_user\.shh\': 'id_rsa' (private key) and 'id_rsa.pub ' (public key).
On server side create a '.shh' directory within your user's home directory. Inside the '.ssh' directory create a simple text file called 'authorized_keys'. Copy the contents of 'id_rsa.pub' into this file (unfortunately 'ssh-copy-id' isn't available yet for Windows. So you have to do the copy and paste stuff on your own.) Set permissions of 'authorized_keys' file to '600'.
Now you should be able to simply SSH into your server by calling 'ssh-user#ourdomain.tld' without entering a password. Create a batch file with your individual ssh-call and you're done.
Thanks to Scott Hanselman for his tutorial: https://www.hanselman.com/blog/how-to-use-windows-10s-builtin-openssh-to-automatically-ssh-into-a-remote-linux-machine
Sorry for my bad English, but if you can help my it will be great.
I have couple of file system over my network and every night I need to take one file from another file system to mine.
for that to happen i'm using a Batch script how mapping me the drive with net use command.
my problem is that i don't want the password will go through clear text
( To see my password or to sniff it).
my questions is :
there is any way that i can encrypt my password and still login with the same credentials.
Thank You
If you can set up a Domain controller using either one of your Windows machines, or Samba, then you could use Trusted authentication based on the user executing the scheduled job that executes the batch file.
Alternately, you could encrypt the password and have a program decrypt it and execute the net use, but you're always* going to be faced with the fact that if your computer can send the password out when you don't type it in, then your computer knows your password, and anyone with physical access to that computer can get your password.
*Unless your computer doesn't know the password, and instead relies on an HSM (Hardware Security Module).
I had the same thing but found a nice workaround.
The passwords are not stored in DOS so I went from the run menu and simply typed the name of the path like "\server\files".
When it asked for credentials I ticked the checkbox "Save credentials"
The password will then be stored in your Windows Credential Manager (control panel) and this way your dos batch file fwill always now the password.
In helping out a friend with a few questions for CS, I came across one that I had no prior experience with and was hoping someone would be able to clarify the difference between NTFS and File Share for me.
To help, the question we faced was:
A folder storing a faculty member’s personal documents are set as a share to which everyone has full access. The only person with NTFS permissions on the folder is said faculty member. Can everyone else access the documents?
I appreciate any clarification you can provide. I'd love your help in learning about this!
Short answer: No.
In Windows each file and directory has an ACL controlling access to it.
Each file share also has an ACL controlling access to the share.
When you access a remote file through a share you are doing so using the credentials used to login to the local computer. (You can connect using different credentials by entering a username/password when connecting).
The remote computer tests the supplied credentials against the ACL on the share.
Once you are past that, then every file you attempt to access on the remote machine through this connection will be checked using your credentials against the ACL on the file and the share. This allows a file share to offer more restricted access to some files than if the same user were attempt to access them locally. (So you could share files as read-only, even if the ACLs on the files themselves would allow that user write access).
If the file share is of a FAT file system then the only ACL checking that is done is against the file share itself because FAT doesn't support ACLs.
When computer are not in a domain and all user accounts are local user accounts then permissions are maybe not what you expect. Unlike Unix/linux, it is generally not possible to create the same user account (uid) on two computers because Windows basically uses a GUID for the UID (a big random number). So when you attempt to look at file owner or ACL information on remote files, since those files are all owned by local accounts on the remote computer, to your local computer those UID will not be recognized (See dir/q from the command line).
Windows can be setup to make non-domain file sharing a little easier. It can be set so that when you attempt to access the remote file share, as long as the remote computer has an account with the same username and password as the local computer, then the connection is allowed -- and you are logged into the remote computer using the remote computer users account.
For reference, see information on NTLM, SMB and NETBIOS.
I know that a website can have some vulnerabilities that hackers could use even though the admin tries his/her best to make their website very secure. I want to make my website secure and by doing that I need to try my best to do so. First way to make it secure is to ask questions and below are the specific questions I want to ask.
These are my specific questions:
1. Can a hacker access my website's .htaccess file? And if so, can they edit it?
2. Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
3. Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
4. Is SSH more secure than FTP?
NOTE: The below is just a general information which probably doesn't cover half of the subject, there are tons of things you need to make sure of but the below should give you a rough idea.
Can a hacker access my website's .htaccess file?
Yes, some scenarios this could happen:
If you configure wrong your httpd.conf allowing people to visite .ht* pages which is by default forbidden on the httpd.conf
If your server is meant for hosting and you or your users don't properly apply permission to their files so they are accessible within other accounts.
If your webserver don't deploy user and group protection to accounts
If accounts are not rooted to their folders.
And if so, can they edit it?
Yes and no, just accessing the file from a browser will not grant them access to edit it, however in some cases it may be possible for instance:
If one of your codes PHP, perl, etc have vulnerabilities then yes it may be possible
As mentioned early if your websever does not deploy per account user and group then others account will have access to the files from another account
If the permission set on the .htaccess file is for instance 777 which allows ANYONE to manipulate that file it will be editable and readable from others account.
Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.
The most common way to protect against this would be to make your SSH password-less, basically you will deny direct access to root, block any access using password and will only grant access to authorized keys that are generated from a pair of keys.
This key would allow you access to a pre-defined account that have that key allowed to be logged as.
From that account you've logged as, you can either use sudo to run commands as root or su - to switch the current account to root.
Change the SSH port to some other port.
Use your firewall to prevent and catch brute force attempts on certain ports and block it.
Use your firewall to allow only your IP to access the server if your IP is static.
Use your firewall to block access to unused ports of service that do not require external access for example if you do not offer MySQL remote access you can block access to the port 3306 as well as configuring your MySQL server to bind on the localhost only.
Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.
Is SSH more secure than FTP?
They are different protocols and serve to different purpose and they can be equality insecure or equality secure it all depends on the System Administrator to keep it up to date and secure.
I have a whole series of commands that I need to run on login, many of which require root privileges. So, to save a few steps I put them all into one apple script so I wouldn't have to open the terminal.
But still, I'd like to be able to do this without entering my password at all (I like to boot my machine early AM while I'm still sleeping). So I thought, why not just store my admin password in the keychain and have the script access that key.
But this just feels wrong, storing the admin password in keychain...
So, what are your thoughts? Is this an acceptable method of giving my program permission? If applescript isn't secure enough, I could easily do this with a simple cocoa app.
I do this myself. I store admin passwords for other computers so I can auto-mount shares over my lan using applescript scripts. In my opinion, if the keychain is secure enough to hold any password then it must be secure enough to hold all passwords. The password is never displayed in the clear so I don't see a problem.
Of course there's always a security risk when someone has direct access to your computer. They can run an applescript to pull your password out of the Keychain if they know the name of the key where it is stored and they are accessing the keychain from your admin account. But if someone has that much access then your computer isn't safe anyway.