Is it possible to configure OpenLDAP Crypt passwords without using a salt? - ldap

From the docs I got this config, which works but uses a salt:
password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"
and I need to store passwords in the LDAP directory that have been generated without salt encryption.

You had better use another password storage scheme that does not do salting, like {SHA} or {MD5}, instead of {CRYPT}:
password-hash {SHA}
If using {CRYPT} is a requirement:
You can still provide a static salt (bad, insecure, nearly as if there were no salt!), just comply with the given format:
password-crypt-salt-format "$6$%.16s"
$6$ is the crypt identifier for the SHA512 scheme, and we provide a 16-character salt:
~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret1
$6$verybadseasoning$Q2kceqwB2uYT2tU./QF.qRCIWjMQdObEAZ71Ni5Ko1zJOnxUwpu3oMeyjtgiR3hSVHIT20Ay9V1.pXaNhkHYk/
~$ mkpasswd -m sha-512 --salt 'verybadseasoning' secret2
$6$verybadseasoning$SHof1u2BCPJhYoVOk.LkWax7n5g28rzMkNCRAC5NmlT29GSeWLAlv2AoSkOS4rYfMUXsmTcyIxKDUU8aL7TlP0
Note that mkpasswd won't allow using an empty salt:
~$ mkpasswd -m sha-512 --salt '' secret
Wrong salt length: 0 bytes when 8 <= n <= 16 expected.
Or you can try to make crypt ignore the given/generated salt string, whatever it is (by taking zero characters from it):
password-crypt-salt-format "$6$%.0s"
It tells crypt() to use the SHA512 algorithm, the %s being substituted with a string of zero characters of salt (%.0s). I can't tell if slapd makes the %s conversion mandatory or not, but setting just "$6$" without any substitution for salting may do the trick, as it means the same (no salt), i.e.:
~$ php -r 'print(crypt("secret", "$6$"));'
$6$$2M9DchxW4txWyTYoZrH9D3VvAAQxBpEezYsLY6Cao.jwzEXpyL9xwip9hiUZX7GqTqe/E/z6iKvZqXUuqniQH.
See slapd.conf(5)
Note that a lack of salt exposes your system to dictionary attacks.

You can simply import user entries with existing userPassword values without salt. The password verification will work provided the hash scheme is one supported by your local OpenLDAP installation.
The config directives password-hash and password-crypt-salt-format apply only when setting new passwords.
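The two points made in the answers above, that password-crypt-salt-format is a printf-style format whose precision decides how much of the generated salt reaches crypt(), and that verification of an imported userPassword only depends on recognising the scheme prefix, can be shown in a few lines. The following is an added example, not code from the original answers or from OpenLDAP; the passwords and salts are constructed, and the {SHA}/{SSHA} encodings follow the RFC 2307 layout OpenLDAP uses (base64 of the SHA-1 digest, with the salt appended in the clear for {SSHA}).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example: how slapd's password-crypt-salt-format shapes the salt that
# crypt() receives, and why an unsalted scheme makes equal passwords visible.


def crypt_salt_prefix(fmt: str, generated_salt: str) -> str:
    """Apply a password-crypt-salt-format string to the salt slapd generated.

    slapd substitutes the random salt for the single %s conversion, so
    "%.16s" keeps 16 characters and "%.0s" keeps none.  Python's %-formatting
    implements the same precision rule as C's printf, which is what the
    directive is documented to follow.
    """
    return fmt % generated_salt


def ldap_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)); equal passwords give equal values."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt); salt stored in clear."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt per stored password
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored {SHA} or {SSHA} userPassword value.

    This is why imported hashes keep working: the verifier only needs to
    recognise the scheme prefix, not know how or where the value was produced.
    """
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, ldap_sha(candidate))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        expected = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported userPassword scheme")


if __name__ == "__main__":
    # Constructed inputs mirroring the answer: a static 16-char salt, then none.
    print(crypt_salt_prefix("$6$%.16s", "verybadseasoning" + "tail"))  # $6$verybadseasoning
    print(crypt_salt_prefix("$6$%.0s", "whatever"))                    # $6$
    print(ldap_sha("secret1") == ldap_sha("secret1"))     # True: no salt, identical values
    print(ldap_ssha("secret1") == ldap_ssha("secret1"))   # False: per-entry salt
    print(verify_userpassword(ldap_ssha("secret1"), "secret1"))  # True
```

The first two prints reproduce the answer's point about `%.16s` and `%.0s` exactly; the third and fourth show what the lack of a salt costs in practice: every entry holding the same password carries the same stored value, so one precomputed dictionary serves for all of them.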

Related

ssh password replay using ~/.ssh/config

We are currently doing a POC where ssh key pairs are not allowed, meaning we have to use a password, with a strict 90-day password expiration imposed. So, as part of the POC, assume the username is "acme": we have to log into the "bastion.example.com" host (ssh acme@bastion.example.com), and after logging into bastion we again have to log into the target host, yes - from bastion we run "ssh acme@machine.example.com".
Question: using ~/.ssh/config, how do we achieve this, especially using "password replay", so that we don't have to provide the password twice? With this, we can easily pass the script or command to be executed on the target host (using ProxyCommand and RemoteCommand).
Please share an example where we can perform "password replay".

Problem running an encrypted singularity container

I've created an encrypted singularity container using the PEM file encryption method (paragraph 3.3 of the documentation). But when I try to run it I get an error message:
FATAL: Invalid encryption private key: asn1: structure error: tags don't match (16 vs {class:1 tag:15 length:112 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey #2
Any hint on what goes wrong ?
Thank you,
Michal
I can think of two issues that could cause the error message: (1) the keypair should be generated with the -m pem option to have the PEM format, and (2) the keypair should not have password protection; I don't think it is supported by singularity at this point in time.
The issue lies in an OpenSSH update (version 7.8). That's why some people have this problem and some don't.
To cite the release notes: write OpenSSH format private keys by default instead of using OpenSSL's PEM format
So the correct command to generate the keys should be ssh-keygen -t rsa -b 4096 -m pem -N "" -f ./rsa
By adding the -m pem you get the key in the correct format.
More here: https://github.com/hpcng/singularity/issues/6007

How to make up a username:password pair in a .htpasswd file [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I have WAMP server installed on Windows.
My .htpasswd looks like:
username:encryptedpassword
john:gugyjfy6786hgfhfh
But the problem is that making up an encrypted password by hand is never possible, so can I create it in text/plain format?
Apache provides a command line tool for this. Search for the htpasswd file in the bin directory. Passing the --help parameter gives you:
Usage:
htpasswd [-cimBdpsDv] [-C cost] passwordfile username
htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
htpasswd -n[imBdps] [-C cost] username
htpasswd -nb[mBdps] [-C cost] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-b Use the password from the command line rather than prompting for it.
-i Read password from stdin without verification (for script usage).
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
-D Delete the specified user.
-v Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
From what I understand, you'd need to execute the command as follows:
htpasswd -p .htpasswd john
When you press enter after the above command, it'll ask you to type a password, which will be stored as plain text in the .htpasswd file.
Step 1: go to an encrypted password generator.
Step 2: copy the generated encrypted password from the website.
Step 3: create the .htpasswd file in the root folder under your domain.
Step 4: write your username:encrypted password pair there.
For example (john:paste your encrypted password here, after the colon):
john:djfj223dv98vufhhy

script to ssh to a unix server

It will be helpful if somebody could tell me how to connect to a unix server using a username and password as arguments. My username and password are both "anitha".
How can I create a shell script which automatically connects to my unix server with this username and password?
I guess you want to remotely connect to your *nix server from the network. Based on my guess, to:
connect to a remote *nix server, everybody is using SSH:
ssh anitha@ip-to-unix-server
automatically connect, write a simple bash shell wrapper around your ssh connect command and do something. Not suggested; you should use ssh password-less login (aka public/private key):
#!/usr/bin/env bash
ip=172.16.0.1 #replace 172.16.0.1 with your unix server's ip
username=anitha #your ssh username
password=anitha #your ssh password
command=who #what do you want to do with remote server
arguments= #arguments for your command
# double quotes, so the shell expands the variables before expect runs the script;
# "assword:" matches both "Password:" and "password:" prompts
expect -c "spawn ssh $username@$ip $command $arguments; expect \"assword:\"; send \"$password\r\"; interact"
connect without typing a password, you may need to use SSH password-less login
Use sshpass if you really need to use non-interactive keyboard-interactive authentication (pun intended) or better switch to using pubkey-based authentication.
Note that passing the password in clear to the ssh client is very lame as the password gets exposed in the publicly-readable process list where it can be read by anyone. sshpass works around this problem by creating a pseudo-terminal and communicating with the ssh client using it, so at least the password is not exposed at runtime.
Step 1:
jsmith@local-host$ [Note: You are on local-host here]
jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith@local-host
Step 2:
From local-host, run this one-liner for password-less ssh connectivity.
cat ~/.ssh/id_rsa.pub | ssh useronanotherserver@anotherservername 'cat >> ~/.ssh/authorized_keys'
You should use expect, which is an extension of tcl that was made specifically for automating login tasks.
Basic ssh login question: could not able to spawn(ssh) using expect
How to interact with the server programmatically after you have established the session: Expect Script to Send Different String Outputs
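The key-based alternative the answers recommend ends with the `cat >> ~/.ssh/authorized_keys` one-liner. That command appends blindly, so running it twice duplicates the entry, and it leaves the permissions of ~/.ssh and authorized_keys to the umask, which makes sshd silently refuse the key when StrictModes is on. The following added example (not from the original answers) does the same install step defensively on the target host: it validates the key line, skips duplicates, and sets the 0700/0600 modes sshd expects. The demo key line is constructed and not a real key; the home directory is a temporary directory so the example runs locally.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Added example: idempotent, permission-correct authorized_keys installation.

ALLOWED_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_pubkey_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (key_type, key_blob) for an OpenSSH public key line, else None.

    The comment field is ignored so that a re-exported key with a different
    comment is still recognised as the same key.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return None
    return parts[0], parts[1]


def install_authorized_key(home: Path, pubkey_line: str) -> bool:
    """Add pubkey_line to home/.ssh/authorized_keys; return True if it was added."""
    parsed = parse_pubkey_line(pubkey_line)
    if parsed is None:
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir honours the umask; force the mode sshd expects
    auth_file = ssh_dir / "authorized_keys"
    existing = auth_file.read_text().splitlines() if auth_file.exists() else []
    if any(parse_pubkey_line(line) == parsed for line in existing):
        return False  # already authorised, do not append a duplicate
    with open(auth_file, "a") as fh:
        fh.write(pubkey_line.strip() + "\n")
    os.chmod(auth_file, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return True


def authorized_key_count(home: Path) -> int:
    """Number of well-formed key lines currently in authorized_keys."""
    auth_file = home / ".ssh" / "authorized_keys"
    if not auth_file.exists():
        return 0
    return sum(1 for line in auth_file.read_text().splitlines()
               if parse_pubkey_line(line) is not None)


def run_demo() -> Tuple[bool, bool, int, int, int]:
    """Install a constructed key twice into a temporary home; report what happened."""
    # Constructed key line for the demo (the blob is not a real key).
    demo = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTREAL"
            " jsmith@local-host")
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        first = install_authorized_key(home, demo)            # True
        second = install_authorized_key(home, demo + " renamed")  # False: same key
        count = authorized_key_count(home)                      # 1
        dir_mode = stat.S_IMODE(os.stat(home / ".ssh").st_mode)
        file_mode = stat.S_IMODE(os.stat(home / ".ssh" / "authorized_keys").st_mode)
        return first, second, count, dir_mode, file_mode


if __name__ == "__main__":
    print(run_demo())  # (True, False, 1, 448, 384) i.e. modes 0o700 and 0o600
```

Shipping this script over the session you already have (for example with `ssh host python3 - < install_key.py`) replaces the `cat >>` step; because it is idempotent you can run it from configuration management without growing authorized_keys on every run.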

Trying to connect using ssh2_auth_pubkey_file()

I am trying to make a PHP script that runs on the terminal and connects to a remote server by ssh to retrieve a file. This is my code so far:
#!/usr/bin/php -q
<?php
$cwd = dirname(__FILE__).'/';
$filename = 'retrive-this.file';
$host = 'hostip';
$connection = ssh2_connect($host, 22, array('hostkey'=>'ssh-rsa'));
$methods = ssh2_auth_pubkey_file($connection, 'remoteuser',
$cwd.'ssh/id_rsa.pub',
$cwd.'ssh/id_rsa', "it's an inception");
var_dump($methods);
//ssh2_scp_recv($connection, "/remote/server/path/to/$filename", $cwd.$filename);
?>
For now I am having problems with the ssh2_auth_pubkey_file() function; when I run the script it returns this:
PHP Warning: ssh2_auth_pubkey_file(): Authentication failed for remoteuser using public key in /home/tonyl/Projects/get-file-ssh.php on line 10
bool(false)
The key files have permission -rw-r--r-- (644). Also the public key is already added to the remoteuser's authorized keys. I am able to ssh using the ssh command as normal, so I don't think it is a ssh authorization problem, but who knows. I am new to ssh and the ssh2 php library.
I can connect using ssh2_auth_password() if I enable it in the remote sshd_config file, but I don't want to do that since it decreases the security of the transfer.
Any ideas of what I can do?
This is a known bug in PHP: a password-protected private key cannot be used on certain combinations.
See: https://bugs.php.net/bug.php?id=58573
ssh2_auth_pubkey_file() is broken when the public key file is protected with a password AND libssh2 is compiled with libgcrypt, which is what debian/ubuntu and probably others do. I'm working on a solution for this bug, but if you need this working rebuild libssh2 yourself with OpenSSL.
A workaround may be to store the private key unencrypted.
To decrypt the key:
openssl rsa -in id_rsa -out id_rsaNOPASSWORD
and then use the file id_rsaNOPASSWORD without supplying the fifth parameter 'passphrase'.
It works, but you'll have to be careful with your decrypted key file. Anyway, the level of security is not really terribly affected, because even with an encrypted key, you would still need to pass the passphrase unencrypted to the ssh2_auth_pubkey_file function ...
Hope it helps.
This looks like the error right here. __FILE__ is a file path, isn't it? So it looks something like /somedir/somefile.php, and all you have done is add a / on the end of .php, so I don't think this is really valid. See http://www.php.net/manual/en/language.constants.predefined.php
$cwd = dirname(__FILE__).'/';
Also, other people have been having problems with ssh2_auth_pubkey_file
returning false under all conditions. You may want to submit a bug report. I was hoping to use this function. I don't know how to use it because I have no idea how to supply a private key.
I think the code you want is
if (!defined('__DIR__')) {
    // polyfill for PHP < 5.3: directory part of __FILE__, without a trailing slash
    $iPos = strrpos(__FILE__, "/");
    define("__DIR__", substr(__FILE__, 0, $iPos));
}
$cwd = __DIR__ . '/';
and keep in mind that when it comes to the remote directory, you should be using ssh2_sftp_realpath().
dirname() has been reported to be unreliable.
I have been using this function for around 3 years and for some reason a new server that I was configuring didn't work. I was about to jump off the balcony when I found this:
ssh-keygen -m PEM -t rsa -b 4096
using the link @megar answered years ago.
Hope it helps someone else, this was hard!
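Both the singularity thread above and this ssh2 thread end in the same place: a private key written in OpenSSH's native format (the default since OpenSSH 7.8) is rejected by a consumer that only understands traditional PKCS#1 PEM, and a passphrase on the key adds a second failure mode. The following added check (not code from either thread, singularity or the PHP ssh2 extension) tells you which case you are in before you build a container or debug a PHP warning. It reads only the header of the file: traditional PEM marks a passphrase with a `Proc-Type: 4,ENCRYPTED` line, and the openssh-key-v1 blob begins with a magic string followed by the cipher name, which is `none` for an unencrypted key. The sample key texts are constructed placeholders, not real keys.

```python
import base64
import struct
from typing import Tuple

# Added example: classify an SSH private key file by format and passphrase use.

PEM_RSA = "-----BEGIN RSA PRIVATE KEY-----"
PEM_PKCS8 = "-----BEGIN PRIVATE KEY-----"
PEM_PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
PEM_OPENSSH = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _pem_body(text: str) -> bytes:
    """Base64-decode the lines between the BEGIN/END markers, skipping header lines."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = [l for l in lines[1:-1] if l and ":" not in l]
    return base64.b64decode("".join(body))


def classify_private_key(text: str) -> Tuple[str, bool]:
    """Return (format, encrypted) for the contents of a private key file."""
    first = text.strip().splitlines()[0].strip()
    if first == PEM_RSA:
        # Traditional PEM ("ssh-keygen -m PEM"): passphrase shown by a Proc-Type header.
        return "pkcs1-pem", "Proc-Type: 4,ENCRYPTED" in text
    if first == PEM_PKCS8:
        return "pkcs8-pem", False
    if first == PEM_PKCS8_ENC:
        return "pkcs8-pem", True
    if first == PEM_OPENSSH:
        blob = _pem_body(text)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # After the magic: uint32 big-endian length, then the ciphername string.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return "openssh", cipher != "none"
    raise ValueError("unrecognised private key header")


def usable_without_passphrase(text: str) -> bool:
    """True when a consumer that only loads unencrypted PKCS#1 PEM can use this key."""
    fmt, encrypted = classify_private_key(text)
    return fmt == "pkcs1-pem" and not encrypted


def fake_openssh_key(cipher: str) -> str:
    """Construct just the openssh-key-v1 preamble for demonstration (not a real key)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"{PEM_OPENSSH}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: real headers, placeholder bodies.
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nMIIB\n"
                  "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, key in (("pem plain", SAMPLE_PEM_PLAIN), ("pem encrypted", SAMPLE_PEM_ENC),
                      ("openssh none", fake_openssh_key("none")),
                      ("openssh aes", fake_openssh_key("aes256-ctr"))):
        print(name, classify_private_key(key), usable_without_passphrase(key))
```

Run it over `~/.ssh/id_rsa` (read the file into `text`) before pointing singularity or ssh2_auth_pubkey_file() at the key: only `("pkcs1-pem", False)` is the combination both threads arrived at, which is exactly what `ssh-keygen -m PEM -N ""` produces.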