what determines the usernames for gitosis? - gitosis

When creating a USERNAME.pub file with a public key and adding USERNAME to the config file, is the USERNAME string arbitrary (I can name my gitosis users how I like), or determined by something like the SSH key?
Gitosis tutorials give examples of how to add users to a repo which are very clear (e.g. http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way) but they don't explain this point.

Yes it should be the filename of the key minus the .pub extension. So yes you can name the users whatever you like.
I would like to point out however that gitosis appears to be unmaintained and deprecated by the git community in favor of gitolite.

Related

What shall I use as a comment while creating the SSH key and how this comment will be used?

I'm trying to create an SSH key for a GitLab repo following the official doc.
Run ssh-keygen -t followed by the key type and an optional comment. This comment is included in the .pub file that’s created. You may want to use an email address for the comment.
It's unclear to me what I should use as an optional comment.
So there is a suggestion to use an email as the comment. Where and how will this comment be used? What if I just skip the comment, since it's optional anyway?
If you have several ssh keys (for instance one for your laptop, one for your iPad, or one for different users) the comment allows you to distinguish between them. It doesn't need to be your email address, but that works well if it's a "distinguish between multiple users" problem. You can also just edit the comment - it isn't used programmatically.
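An added example, not part of the original answer or of GitLab's documentation: it parses `.pub` lines and shows that the comment is a free-text third field that does not affect the key's fingerprint. The key material is constructed (bytes 0..31), and the function names are this example's own.

```python
import base64
import hashlib
import struct


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Constructed sample only: SSH wire format is length-prefixed type + key."""
    ktype = b"ssh-ed25519"
    return (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", len(raw_key)) + raw_key)


def parse_pub_line(line: str):
    """Split a .pub line into (key_type, blob, comment); comment may be empty."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The type named in the text must match the type embedded in the blob.
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed sample: one key (bytes 0..31), three different comments.
_B64 = base64.b64encode(make_ed25519_blob(bytes(range(32)))).decode("ascii")
SAMPLE_LINES = [
    f"ssh-ed25519 {_B64} alice@example.com",
    f"ssh-ed25519 {_B64} alice work laptop",
    f"ssh-ed25519 {_B64}",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        _, blob, comment = parse_pub_line(line)
        print(fingerprint(blob), repr(comment))
```

When auditing an `authorized_keys` file or a key directory, compare fingerprints rather than comments, since anyone holding the file can rewrite the comment.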

How can I update the user password in Selenium-Grid-Extras?

Can anyone link me to a good Selenium-Grid-Extras guide? I have it installed, and need to customize it. Specifically, I need to update the credentials, and reboot settings. When I go to my link: http://XX.XX.XX.XX:3000/user_auto_logon, I can see the settings, but I don't know how to change them. Also, when I open my selenium_grid_extras_config.json I don't see a section that has any of this information to update. Also, even if I did find a section in the selenium_grid_extras_config.json, how would I update the password for the existing username... I'm sure it's not going to be displayed in plain text. Thanks in advance!
From Shawn McCarthy. This solved my problem:
If you want, you can just delete the selenium_grid_extras_config.json file, and rerun the jar file and it will go through the FirstTimeRunConfig again.
You should be able to pass in the username and password to the endpoint as well, http://XX.XX.XX.XX:3000/user_auto_logon?username=YOUR_USER&password=YOUR_PASSWORD
You can check out the /api endpoint to see all the possible endpoints, and the accepted parameters (and which ones are required or not). Usually with no parameters, it does a get current status/value.
Thanks Shawn!

rpcapd - what is the password when not using null authentication

I'm running rpcapd on a Raspberry which serves as a WiFi access point to trace/sniff network traffic by WiFi users.
I can run rpcapd in null authentication mode and access the interfaces from my Windows machine using Wireshark and it works perfectly.
However, I'd like to expose these capture interfaces to multiple users and I thought it might be good to not use null authentication but have at least a little barrier for unwanted users.
If I don't use the "-n" argument, what is the user/pass? I searched Google but I cannot really find a source which leads me to the answer.
I tried creating a second user which has a password and ran rpcapd as this user, but still, if I use this user's Linux credentials, Wireshark tells me it cannot find any interfaces. When I re-run rpcapd with the -n argument everything works.
So... I must have overlooked something!? What is the username and password for non-null authentication operation, or where can I specify one?
Thanks a lot!
Let me know if you need further info to help. Thanks!
When not using RPCAP_RMTAUTH_NULL authentication it will instead use the other type, RPCAP_RMTAUTH_PWD : https://www.winpcap.org/docs/docs_412/html/group__remote__auth__methods.html
And according to some old copy of the manual I found (ftp://ftp.tuwien.ac.at/.vhost/winpcap.polito.it/301a/docs/group__remote__auth__methods.html) which helpfully listed code references : "Referenced by daemon_checkauth(), and rpcap_sendauth()."
...which leads us to the code that does the authentication: ftp://ftp.tuwien.ac.at/.vhost/winpcap.polito.it/301a/docs/daemon_8c-source.html#l00626
I downloaded the source (http://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip) to check it was still current and found in file "wpcap\libpcap\rpcapd\daemon.c" the current information for "daemon_AuthUserPwd" which shows not much has changed.
Hope this helps :-)

Using a wordlist to crack alphanumeric password

Let me first say that I'm doing nothing illegal. I'm doing this for learning purposes only. Using my own virtual network.
So I am trying to SSH into a server and say I know there is a user called urbanslug so ssh urbanslug@ipaddress but I need the root password.
I have a wordlist that contained only strings without alphanumeric strings. How would I use this wordlist to crack a password that has an alphanumeric password which is of mixed cases but the number in the password never goes past 100?
Say the wordlist had the strings:
pass
word
How could I use this list to crack a password such as PaSSword99?
Maybe in ways other than with the use of word lists.
If you can't help me at least tell me why you can't.
I can write a C or Python module to do this but I know that there has to be something out there that already exists.
So you have two things to achieve here. The first is generating the set of passwords you wish to try. The second is throwing that list of passwords against your server.
The first problem is a classic use case of John The Ripper, you can have it read in your wordlist, apply some mangling rules (such as appending 0-99 to each word, permuting cases etc), and output a final, complete password list.
The second problem is quite easy to solve once you have the password list. You could just loop over the passwords in bash, but if you're really lazy, Metasploit has an SSH scanner that reads a password list for you.
Of course, breaking this down into two stages means you are storing the huge password list as a file. In general you would be more likely to pipe the output from John The Ripper to your SSH scanner, rather than using an intermediate file.
First off it will be difficult to get the root password if you are only logged in as a normal user. However, there are different ways of getting 'root' which I believe go beyond the scope of this forum.
Nonetheless, I don't get the correlation of where your wordlist comes into play if you already know the characters present in the root password; which would mean you have the root password anyway.
Try and use Hashcat to try and retrieve the password. You however need a wordlist, e.g. rockyou.txt or any of those available on the OpenWall site (makers of John the Ripper, which is another tool which is only as good as your wordlist).
I think it will be easier (faster?) to get root via a local exploit, read /etc/shadows and crack that password

Authenticate in Lotus Notes on localhost

This might sound a little complicated, but as I'm often working on my local databases in Lotus Notes I got the problem, that I can not authenticate. So I'm always working as Anonymous on my database.
The Problem is, that I can not test all functions, because for that I would need a valid Notesname.
How can I authenticate on localhost to work with my name/account and not as Anonymous?
You cannot authenticate XPages/web applications using the local HTTP preview. You need to install a local server to do that (which is a good thing anyway for XPages development).
Try connecting to your machine using the fully qualified domain name, e.g. http://mymachine.mydomain.com instead of localhost
You can add yourself to your local address-book. And have it added to Database Security as Manager or whatever you want. That will help you to login using HTTP for local database.
I am looking to also do this, and I recalled a tip from searchdomino.com, the poster is Shawn Dezego
http://searchdomino.techtarget.com/tip/Testing-Authentication-Authorization-in-a-Web-App-Locally-WIthout-Running-a-Domino-Server
Here's the gist:
Just create any groups in your local address book and add your name to
the proper groups, roles etc. Then go to your Domains public address
book (Domino Directory), copy your person doc and paste it in your
local NAB. That's it.
This is the same basic tip as offered by the adjacent commenter. However, I think this may not work for XPages apps, so I am loading a local server anyway.
Just create a person document in local NAB (names.nsf) and add HTTPpassword field with your password (hash it using @Password("mypassword") formula) as text.
Make sure the person document contains the Fullname field, where you can put as test list your aliases. But Notes will use the first field entry as your name.
And remember to set the first entry in canonical way (cn=user/ou=organization/o=domain)
Now you are ready to use this name in ACLs and names' (nested) groups.
I suggest to use hosts file to remap localhost with your site domain.
Enjoy!
(P.S. : You need to add anonymous entry in your db's ACL, and set it to editor access level. Once opened the application with browser, use the url command "&login" to force Notes to authenticate you)