I'm using SecKeychainFindInternetPassword to retrieve the proxy username and password from the Keychain Access. The app it's an updater, it looks for a new version. If the user is using a proxy I need the username and password (if there is one). The code is working but it shows a prompt asking to allow reading the key (it's an updater I do not want a prompt). The app already has administrator permissions to run.
The question is... Is there a parameter for SecKeychainFindInternetPassword to avoid the prompt or there is another function that returns the Keychain without the prompt?
Thanks,
Fiury
This likely means that you haven't signed the app with the same key as the previous app. Generally if the app has the same signing key, it will inherit the predecessor's permissions, but will not otherwise.
Related
I am a hardware guy first and software second so GitHub is not my forte.
I had Altium Designer setup with my GitHub server for version control. When GitHub forced 2FA recently it broke the link to Altium which, unfortunately doesn't have stellar GitHub integration.
There are 6 fields I am allowed to enter in Altium to point it to my (GitHub) server:
1.) Method (HTTP, HTTPS, file, svn)
2.) Server (URL)
3.) Port
4.) Repo Subfolder
5.) username
6.) Password
Again, nothing changed except moving to 2FA. Now, when I attempt to login it obviously says it could not connect to the server because Altium has no provisions to provide a token during the login process.
I read the article at GitHub here: https://docs.github.com/en/free-pro-team#latest/github/authenticating-to-github/using-ssh-over-the-https-port
But I have no idea if that will do anything for me. Is there a way to route my Altium server connection to use my SSH key outside of the Altium environment? Or perhaps another way to "whitelist" my desktop in GitHub for SSO?
GitHub has not forced 2FA on for users. That wouldn't be useful, because people could just not set up a second factor. It's possible your organization has required this, though.
However, GitHub is deprecating the use of a plain password when using Git over HTTPS in favor of a token. Using a plain password was already forbidden for users who use 2FA, since there's no place to send a 2FA code (and for automated systems, doing that would be very inconvenient).
In this case, it's easy to keep using HTTPS: just generate a personal access token (in the developer settings) with the repo scope and paste it into the password field. Git doesn't know the difference between a password and a token; they're both the same to it. This also has a bunch of other benefits:
If you change your password, the token isn't automatically cleaned up, so you don't have to change Altium Designer.
If you decide you want to revoke that token, you can do so independently of changing your password.
If you're using SSO, you need to enable that token for SSO using the drop-down before it can be used to access protected resources.
I opened a demo xsp page and a window popped up asking me to input the name and password to login to the domino server. Then I entered my own id and password created in domino, but it didn't work. Only the Administrator name and its password worked. Anybody knows what's the problem? I already edited the corresponding ACL entries.
Thanks!
In order to use a database in a browser (no matter if classic notes web development or Xpages) one needs to meet several requirements.
First of all you need access to all NSF files that are used in the process.
As mentioned by Richard you either need to be mentioned in the ACL (namely or by group membership, or by setting -Default- and/or Anonymous to a level greater than No access).
AND the ACL has to allow Web- Access by not setting the Maximum Internet Name and Password to No Access
But this is not enough.
To be able to do authentication you do not have an ID- file in the browser.
You need a username and password. This password is NOT the password of your ID- file unless the admins choose to synchronize them using a policy.
It is the password stored in your person document in the names.nsf on the server.
But still these points are not enough yet: If you have access to the server with your username and internet password (can be tested by just trying to login to http://yourServer/names.nsf?open&login), then you might still not be able to access the application if -as umeli pointed out in the comment- the signer of the Xpage- application does not have enough rights to sign the XPages (Server document - security).
You see: There is a lot stuff to check. But if all of these points are OK, then access to the database will not be a problem anymore.
I omitted one reason for not beeing able to login because of your error description: If the Session Authentication on your server is configured for Multiple Servers (SSO) then you need to use the fully qualified internet host name of the server in the URL (or at least a hostname, that contains the SSO- domain), otherwise you will be redirected to the loginpage over and over again, even after supplying the right username / password. But as you wrote about a "Window popping up" I am quite sure, that Session authentication on that server is set to "Disabled"
You could be being rejected because of the
ACL of the NSF file not having the level of access required for operations performed in the code on the Xpage. I know you said you edited the ACL, but bear in mind that access also depends on the 'Maximum Internet Name and Password' setting for the NSF.
ACL in other NSF files that are accessed in the code of the Xpage not having the level of access required for operations performed on it by the code. This also includes the 'Maximum Internet Name and Password' setting.
I have my build with SSH-Exec Build step (or SSH deployer), which requires username and password in its configuration to connect.
The problem I faced is that username can be provided by a parameter (so I can ask user when triggering build for his username) but I cannot do the same with password (it is masked and parameters reference is not supported in this field).
How can I configure a SSH-Exec Build step so password is taken from parameter?
(I'm aware of other then password auth methods, but I like explicitly ask the one who runs it for password to confirm he is in charge to run it).
You can enter a password parameter into the password field to use a parameter. It still masks the value so it feels a little weird but it works.
I use Salesforce IDE (standalone).
I had to change my SF password, and from that moment, when I start the IDE, I get a login error, and telling me I need to call from the API: reset password.
I don't understand what needs to be done, as there is no setting in the IDE for password.
Do I need to call reset API in my apexclass? this seems weird.
Thansk
Your Force.com project has your outdated password associated to it. You can either delete the project and create a new one (which would require you to specify the new password), or change your password on the current project by right-clicking on the project in the Package Explorer and going to Properties. You should see something similar to the screenshot below, where you can enter your new password and security token, if necessary.
I would like to use an LDAP server (probably Apache directory) to manage logins and credentials for an application. From time to time the application needs to work offline (on a laptop) without a connection to the LDAP server.
What is the best way to replicate the credentials localy?
I have already thought about:
Using Mitosis to replicate the LDAP server on the laptop.
But it would be a quite "heavy" and complicated solution. Moreover Mitosis seems not be be finished yet.
Exporting the credentials as LDIF file that could be stored on the laptop.
But I would need a way to check that the LDIF file actually comes from the LDAP server (The file should include a kind of signature). Moreover I would like to reject LDIF files that haven't be updated for more than a week. It would be nice if I could avoid implementing signing and age check myself.
Any other ideas or tools that could help me?
Edited Edit: I had a look at Kerberos because the documentation of the Java-Kerberos-API seems to say that it is possible to use a cached ticket in a local cache and I thought this might be a solution for me. Moreover Kerberos can be added as plugin to Apache Directory.
But the Kerberos cache stores decrypted tickets (aiming at sharing them with other applications). I would need the crypted version of the ticket to be able to check the user password during an offline session. Conclusion: Kerberos doesn't offer a simple solution to my problem.
Knowing that it will be probably ok if the user have to log on once online before being able to log on offline, consider the following algorithm:
user provides your application with a (username + password)
application attempts to contact LDAP for authentication
working online? (e.g. connection successful)
application authenticates against LDAP using (username + password)
authentication succesful?
application stores or updates hash(password) as (cached_credentials) for (username) into local secure storage
application proceeds as authenticated [[STOP]]
authentication failed?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
working offline? (e.g. network error)
application attempts retrieve (cached_credentials) for (username) from local secure storage
(cached_credentials) exists AND more recent than (1 week)?
application compares (cached_credentials) against hash(password)
match?
application proceeds as authenticated [[STOP]]
no match?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
(cached_credentials) does not exist OR less recent than (1 week)?
application proceeds as non-authenticated (network error) [[STOP]]
This is (or was, IIRC), by the way, the same model employed by Windows NT+ for user authentication against domain controllers. Upon login an attempt is made to authenticate against the domain controller and create or update the local (cached) version of the user profile. If the domain controller is not available, the user is prompted to proceed with authentication against the credentials captured in the local (cached) profile (if one exists.)
EDIT
Yes, this is, in spirit, the same solution as copying an ldif file locally, except that you do not have to parse ldif when you're offline. :)
It is understood that you can store any additional attributes (permissions, etc.) in your cache
It is also understood that 'secure storage' is at least signed. :) You can do this easily enough with a SHA-1 hash and a secret, or you can use full-fledged cryptographic providers available on your platform (or in Java, if using Java.) You do not need to crypt it as long as no secret information is stored inside.
Here is the solution I decided to use (I have already described it in an edit to my question, but I would like to able to accept an answer to "close" the question):
As I have not found another solution, I decided to use an LDIF export, add a timestamp as comment at the beginning of the file and then sign the file. To sign the file I calculate an hash value (SHA-1) of the file + a secret key. The signature is added as comment at the beginning of the file. To check the signature I remove the first line of the signed file and recalculate the hash value.