Node RED adminAuth not working - authentication

I am using node v0.18.4 on a Raspberry Pi 3 running Jessie. I want to secure the Node-RED editor, for which I followed the security.html page provided by Node-RED and also watched a video on YouTube. I did the exact same steps, which are:
1) Go to ~/.node-red/settings.js
2) Uncomment adminAuth
3) Install node-red-admin - sudo npm install -g node-red-admin
4) Generate hash password using, node-red-admin hash-pw
5) Paste the hashed password to adminAuth password field.
6) Save and restart node red
However I do not get the login prompt. The editor just loads without asking me for the username and the password.
I looked it up online, and all I found was httpNodeAuth. I am not trying to secure the UI; I am trying to secure the editor. Also, I found a post that said a sessions.json file would be written by Node-RED, which was empty when I checked. It said that this was because, when running Node-RED on images, this file is not writable.
So I even followed the steps for placing the settings.json file in a writable location, and then created a shortcut for it in the node-red folder. This also didn't work out for me.
I also found a post where it said that the hashed password must have a correct format. I got a link to a hash password generator site. I copied the hash password from there but even that didn't result in the login prompt.
Please suggest why I might be getting this problem.
Thanks in advance.

I had a somewhat similar problem on PC - it asked for login at first, then didn't ask again. Shift with reload didn't change it either.
I did log out, then it asked for password, so you might try that. Also switching from Chrome to IE, I got a login as well.
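A static check of the adminAuth block from step 5 of the question, as an added example that is not part of the original posts or of Node-RED. The function name `checkAdminAuth` and the sample settings objects are hypothetical; it assumes the username/password form (`type: "credentials"`) with `users` given as an array.

```javascript
"use strict";
// Added example; checkAdminAuth and the sample settings are hypothetical.

// Shape of a bcrypt hash: $2a/$2b/$2y, two-digit cost, 53 chars of salt+digest.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function checkAdminAuth(settings) {
  const auth = settings.adminAuth;
  if (auth === undefined || auth === null) {
    return ["adminAuth is not set, so the editor is served without a login"];
  }
  const problems = [];
  if (auth.type !== "credentials") {
    problems.push(`type is ${JSON.stringify(auth.type)}; only "credentials" is checked here`);
  }
  // A default user lets anonymous visitors in at the given permission level.
  if (auth.default && auth.default.permissions) {
    problems.push(`default grants "${auth.default.permissions}" to anonymous users`);
  }
  const users = Array.isArray(auth.users) ? auth.users : [];
  if (users.length === 0) problems.push("users is not a non-empty array");
  for (const u of users) {
    const name = u.username || "(missing username)";
    if (!u.username) problems.push("a user entry has no username");
    if (typeof u.password !== "string" || !BCRYPT_RE.test(u.password)) {
      problems.push(`${name}: password is not a bcrypt hash`);
    }
    if (u.permissions !== "*" && u.permissions !== "read") {
      problems.push(`${name}: permissions is not "*" or "read"`);
    }
  }
  return problems;
}

// Constructed sample data: the hash has the right shape but is not a real digest.
const fakeHash = "$2a$08$" + "a".repeat(53);
const good = { adminAuth: { type: "credentials",
  users: [{ username: "admin", password: fakeHash, permissions: "*" }] } };
const bad = { adminAuth: { type: "credentials",
  users: [{ username: "admin", password: "hunter2", permissions: "*" }],
  default: { permissions: "*" } } };

console.log(checkAdminAuth({}));   // adminAuth still commented out
console.log(checkAdminAuth(good));
console.log(checkAdminAuth(bad));
```

To run it against a real file, pass `require()` of the settings.js path that Node-RED actually loads to `checkAdminAuth`.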

Related

Tortoisehg inconsistently asks for password on Push to Bitbucket

I have Tortoisehg set up with a clone of a remote repository on Bitbucket, using https protocol. I turned on the mercurial_keyring extension, and it took care of password handling just fine. Until one day it didn't. Every time I commit now, on push-after-commit it pops up and asks me for a password.
I carefully changed the password on the server, and started typing in that password when asked. IT DOESN'T HELP! It doesn't accept that password.
I hit cancel when asked for the password. Then I go and press the Push green arrow button at the top right of the screen. After asking for confirmation – IT GOES! No password required!
There are three computers that connect to this particular Bitbucket repository. For a while two of the three were working fine without asking a password. Then another one started asking! And then a third popped up asking for something different: "You need to identify yourself to the server." Once again, cancel, use the Push button, works fine!
I am so confused. Has anyone seen this, has anyone fixed it?
BTW, the remote repository is nowhere mentioned in my tortoisehg settings, but it is in my hgrc file:
[paths]
default = https://joymaker3#bitbucket.org/joymaker3/my-repo-name
I think you have to re-read at least section 3.2, "Repository configuration (HTTP)", of the extension wiki and check the related settings of all repos:
good (full) URL in [paths]
only needed data (if needed) in [auth] (no password for configured remote repository)
you can also enable debug in TortoiseHG and inspect output on failed push

WAMP Phpmyadmin Login Still Don't Display

Okay, I know it may sound stupid but I really need your opinions or suggestions about something. A computer has an older WAMP version (5 1.7.0) installed on it (I'm not the one who installed it) and is running Windows XP. Whenever I go to its Phpmyadmin page, it automatically gives me access to anything that is in it. That's a security hole that must be solved. I want it to prompt me with a login page first. I still have no success from the following steps that I've tried:
I have set the username as root and the password as samplepass from the Privileges section in the Phpmyadmin page - Still no success!
I also modified the config.inc.php file. I put the said password in $cfg['Servers'][$i]['password'] and changed the "cookie" as "config" in $cfg['Servers'][$i]['auth_type'] - Still no success!
Already restarted the connection of all WAMP services after the changes made - Still no success!
I also cleared the histories, caches, cookies, etc. in the browsers just in case - Still no success!
One thing I've noticed is that the file has no $cfg['Servers'][$i]['AllowNoPassword'] nor $cfg['Servers'][$i]['AllowNoPasswordRoot'] in it. I tried including that into the file and providing it the value as "YES" but still, no login page is displaying.
I don't want to reinstall the WAMP or install new one. I'm afraid to destroy what was already there. So what do you think why the login page is still not displaying? Am I forgetting something or missed to do? (Sorry for sometimes I'm forgetful).
Alright, just after trying the things out again with still no success, I came up with this:
I changed back the value of $cfg['Servers'][$i]['auth_type'] from "config" to "cookie"
Then I added a random text value for $cfg['blowfish_secret']
After the (2) changes I made, I restarted all the services again and poof! Login page is now displaying! But I'm still confused why my first tries didn't work. I'm not a know-it-all person about this particular area and sure there's more things to know about database thing. That's all.

Tortoise git Asking password on every pull and push operation

I have added a key also.
I tried adding username and password in url as: root:password#ssh://10.10.14.119//home/pk/user_app.git.
I tried making file containing login and password and added that from windows 10 cmd prompt.
Nothing is working. It's asking for a password on every push and pull.
Thanks all for your responses.
Finally I got the answer.
I used the global key (id_rsa.ppk) of my git server and its working very well now.

How to disable two factor authentication in Webmin

I have Webmin installed on 5 or 6 servers but a few months back decided to install two-factor authentication for logging into Webmin using Google Authenticator app on my phone.
To my surprise, I lost all my tokens in the Google Authenticator app when I changed phones. This actually happened to me twice. I have rebuilt everything everywhere else but can no longer log into Webmin on this one server.
I tried searching Google to death but no answers. I tried uninstalling Webmin and re-installing using RPM.
After re-installing Webmin it just keeps the same settings which means I still need the Google Auth token which is no longer on my phone.
Any ideas?
Should I try to break the Oauth module I think it needs to work or will this cause me more problems?
Found this here:
http://sourceforge.net/p/webadmin/discussion/600155/thread/512d81e9/
Go into this file /etc/webmin/miniserv.conf, delete this line:
twofactor_provider=totp
And, in /etc/webmin/miniserv.users, there is this line.
root:x:0:::::::0:0:totp:HBL7W4RTG8T6FG8W:
I just deleted the totp so the line read:
root:x:0:::::::0:0::HBL7W4RTG8T6FG8W:
Saved the file and restarted webmin: service webmin restart.
I could then log back in with un/pw and generated my QR code.
Even Simpler Fix:
0:0:totp:HBL7W4RTG8T6FG8W:
The "HBL7W4RTG8T6FG8W" between the colons is your KEY for Google Auth!
When using Google authenticator you can enter a KEY or use QR Code. Just create a new Google auth account and use THAT KEY.
DONE! No need to restart anything.
Enjoy!
C0l. P.
Run the following to remove two factor authentication:
sed -i 's/totp//g' /etc/webmin/miniserv.users
sed -i '/twofactor_provider=totp/d' /etc/webmin/miniserv.conf
/etc/init.d/webmin restart
I realise this is a little late but I thought I'd post it nonetheless for anyone who is interested.
The entry in /etc/webmin/miniserv.users should be a TOTP secret in Base32 format.
So to log in simply run :
oathtool --totp -b 'SECRET' -v
Where SECRET is the code between the quotes and it will spit out your Two-factor token enabling you to log in.
The -b says you're giving it the SECRET in Base32 (Hex is the default).
Then go to "Webmin->webmin Users" to disable TFA and re-enable it in the normal way.
Or if you want, you can use "qrencode" to re-create your google-authenticator setup without having to change the secret (handy if a group are sharing the same SECRET ...bad idea!! but this will save your bacon if one of you gets locked out).
$ qrencode -o ~/.totp-key.png "otpauth://totp/?secret=BASE 32 SECRET&issuer=Your name, etc."
NB. "oathtool" using the -v option allows you to see the SECRET in both Base32 and HEX so you can use either as necessary to setup any TFA app.
Also ensure that the machine you use has its time sync'd correctly!
QED.
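What `oathtool --totp -b` computes from a Base32 secret (RFC 6238 with HMAC-SHA1), as an added example that is not part of the original answer. The helper names are hypothetical and the secret is the RFC 6238 test key, not a value from this page; `verify` shows why the clock-sync remark above matters.

```javascript
const { createHmac } = require("crypto");

// Added example; base32Decode, totp and verify are hypothetical helper names.
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of str.toUpperCase().replace(/[\s=]/g, "")) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error(`not a Base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

function totp(secretB32, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = createHmac("sha1", base32Decode(secretB32)).update(counter).digest();
  const off = mac[19] & 0x0f; // dynamic truncation offset (RFC 4226)
  const code = (mac.readUInt32BE(off) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, "0");
}

// Accept the code for the server's current step and `window` steps either side.
function verify(secretB32, code, serverTime, window = 1, step = 30) {
  for (let w = -window; w <= window; w++) {
    if (totp(secretB32, serverTime + w * step) === code) return true;
  }
  return false;
}

// RFC 6238 test key: Base32 of the ASCII string "12345678901234567890".
const RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
const phoneCode = totp(RFC_SECRET, 1111111109);           // phone clock
console.log(phoneCode);
console.log(verify(RFC_SECRET, phoneCode, 1111111111, 0)); // server 2 s ahead, no tolerance
console.log(verify(RFC_SECRET, phoneCode, 1111111111, 1)); // same, with +/-1 step tolerance
```

Because the code is a pure function of the stored secret and the time, anyone who can read /etc/webmin/miniserv.users can produce valid tokens, so that file's permissions protect the second factor.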
I disabled 2FA, then I was unable to log in, not only from webmin but from ssh with password as well.
I applied @Todd's advice; after restarting webmin I was totally unable to see the main login page.
Luckily I had some other session already open. I used the command below to change the password for root user, restarted webmin, all was ok.
/usr/share/webmin/changepass.pl /etc/webmin root myNewPassword
Note: Apply at your own risk. I had backups, so I did not need to worry. My server OS is Ubuntu 14.04

How to use "htaccess" on synology system for website access control?

I am trying to set up the access control for my personal website on synology NAS. Right now I am using DS212J. I found the following article teaching how to use "htaccess" on apache to achieve that.
http://www.synology.com/support/faq_show.php?lang=enu&q_id=347
But I encountered 2 problem:
1) I don't have the command "htpasswd" after ssh to my DS212J.
2) After I manually create those files, I got the username and password prompting up on the website. However, the password in "admin.pw" and "normal.pw" doesn't work when I type in. I am not sure whether it is because I didn't use command "htpasswd".
What am I missing here?
Thanks.
The htpasswd executable is at /usr/syno/apache/bin/htpasswd. As that directory is not on the PATH, you have to explicitly use the whole path to use it:
Apache doesn't keep passwords in plain text, it uses a hash of them so that even if someone gets access to the password file they won't be able to log in. That's why you must use htpasswd to create the file.
For anyone who comes across this, I couldn't get that synology support tutorial to work either. I am running DSM 5.1-5022 Update 4 on my own domain with ssl. Here's how I got it working:
Follow the steps in the following wiki: Synology Wiki
In the control panel, go to "Web Services" and disable SPDY for secure connections. (Gleaned from this article.)
Good luck.