Reset SQL Server Application Role Password with Encrypted or Hash Password

I need to automate resetting the password of a database application role.
The password must be in encrypted or hashed form for security reasons.
I tried converting the password into HASHBYTES form and resetting the application role password with it, but it didn't work.
SELECT HASHBYTES('SHA2_256','PASSWORD')
GO
USE <DATABASE NAME>
GO
ALTER APPLICATION ROLE [approle_name] WITH PASSWORD= 'password hash value'
GO
Can someone kindly help with how I can reset the password of an application role using a hash value or an encrypted form?
Thanks in advance
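The statement in the question has no option for supplying a hash: ALTER APPLICATION ROLE ... WITH PASSWORD accepts only the cleartext password, and SQL Server computes and stores the hash itself (the HASHED clause exists for logins, not for application roles). The following is an added example, not code from the question: the automation generates a strong random password, sends it to the server over an encrypted connection, and hands the cleartext to a secrets vault, so no hash is ever built on the client. The DB-API connection (pyodbc opened with Encrypt=yes is assumed) and the role name are placeholders.

```python
"""Added example: rotate an application role password by letting SQL Server hash it.
ALTER APPLICATION ROLE takes the cleartext password; escaping is done explicitly
because DDL cannot take bound parameters."""
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 32) -> str:
    """Random password that satisfies SQL Server's default complexity rules
    (upper, lower, digit and symbol all present)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def quote_identifier(name: str) -> str:
    """Bracket-quote an identifier the way QUOTENAME() does: ']' is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def quote_literal(value: str) -> str:
    """Single-quote an N'' string literal: embedded quotes are doubled."""
    return "N'" + value.replace("'", "''") + "'"


def build_reset_statement(role: str, new_password: str) -> str:
    """T-SQL that resets the role password; the server hashes it on receipt."""
    return (f"ALTER APPLICATION ROLE {quote_identifier(role)} "
            f"WITH PASSWORD = {quote_literal(new_password)};")


def rotate_application_role_password(conn, role: str) -> str:
    """conn is a DB-API connection (assumed: pyodbc over an encrypted link).
    Returns the new cleartext so the caller can store it in a secrets vault;
    nothing but the server ever holds the hash."""
    new_password = generate_password()
    cur = conn.cursor()
    cur.execute(build_reset_statement(role, new_password))
    conn.commit()
    return new_password
```

The returned cleartext is the only copy the application will get, so the caller should write it straight into whatever secret store the application reads the role password from and not log it.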

Related

django-keycloak | Set username as Keycloak Username (instead of Keycloak ID)

I am integrating Keycloak with Django
https://github.com/Peter-Slump/django-keycloak/issues
Keycloak Server
This is what my Keycloak User screen looks like.
But when I log in within Django,
user.email is correct (what is present in Keycloak), but
user.username is being set to the ID from Keycloak.
Is there a way to keep the Django username as the Keycloak username?
https://github.com/Peter-Slump/django-keycloak/issues/39
In general user.username is actually the username in keycloak, unless the framework you use has a custom mapping to change the values (most probably with sub value from token in your case). If it is the case, you can add a duplicate property in token to get username as follows:
Login to Keycloak Server with admin credentials
Go to Clients section and click on the application client you are working on
Select Mappers subsection in your client page
Click on Add Builtin, select the username checkbox and Save the settings
After you have added the token, you use it to get the username. In case the name conflicts (when the mapping of username shares the same syntax as getting the property username from the token), add a custom mapper where you can rename the property name for the same username value. The custom mapper should look something like:

How to disable a user's password in AWS using boto3

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."
I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make inactive a password.
For access keys (but not passwords), we have the following:
client = session.client('iam')
... (get user and keyid) ...
last_used = client.get_access_key_last_used(AccessKeyId=keyid)
... (determine the age of the key) ...
if age >= 90:
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)
Does anyone have any pointers?
delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
However to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.
From Boto3 Documentation:
Warning
Deleting a user's password does not prevent a user from accessing AWS
through the command line interface or the API. To prevent all user
access you must also either make any access keys inactive or delete
them. For more information about making keys inactive or deleting
them, see UpdateAccessKey and DeleteAccessKey.
If you want to change the password, you should use update_login_profile boto3 API. If you want to disable the password, you need to use delete_login_profile.
boto3 documentation for update_login_profile can be found here.
boto3 documentation for delete_login_profile can be found here.
Thanks to the responders, delete_login_profile followed by a password reset using create_login_profile is exactly what I needed. I saw it in the docs, but "delete" just sounded too scary.
def getPassword(client, user):
    ''' get the password data from aws '''
    try:
        response = client.get_login_profile(UserName=user)
        return response
    except client.exceptions.NoSuchEntityException as e:
        print(e)
        return ''

# setup the client handler
client = session.client('iam')
# set the user
user = 'some.user'
# if the user has a password, execute this code block
if getPassword(client=client, user=user):
    ... code to test the password age here ...
    ... if it's too old, then ...
    # remove the login_profile/password/ability to use the Console
    client.delete_login_profile(UserName=user)
    # set the new password
    passwd = raw_input('Enter New Password: ')
    # create the new login_profile with the new password and force the user to change the password on the next login
    client.create_login_profile(UserName=user, Password=passwd, PasswordResetRequired=True)
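The thread leaves the "password age" part as a placeholder. The block below is an added example, not the asker's or the answerers' code: it evaluates the CIS control quoted in the question from the IAM credential report (the source that carries password_last_used for every user in one call) and then disables the console password with delete_login_profile, the call the accepted answer points to. The report text is constructed sample data in the real report's column layout; in production it comes from generate_credential_report() followed by get_credential_report()['Content']. Treating a never-used password as aging from the later of user creation and last password change is this example's interpretation. The IAM client is passed in so the logic can be exercised with a stub.

```python
"""Added example: CIS 'console password unused for 90+ days must be disabled',
evaluated from the IAM credential report and remediated with delete_login_profile.
Deleting the login profile removes console access only; access keys need the
separate update_access_key check shown in the question."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)

# Constructed sample report (same columns as the real credential report CSV).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2023-12-01T09:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,2020-05-01T00:00:00+00:00,true,2024-02-20T08:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true
bob,arn:aws:iam::111122223333:user/bob,2020-05-01T00:00:00+00:00,true,2023-09-01T08:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false
carol,arn:aws:iam::111122223333:user/carol,2023-10-01T00:00:00+00:00,true,no_information,2023-10-01T00:00:00+00:00,N/A,false
dave,arn:aws:iam::111122223333:user/dave,2020-05-01T00:00:00+00:00,false,N/A,N/A,N/A,false
"""


def _parse_time(value):
    """Report cells that carry no timestamp use these sentinel strings."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_password_users(report_csv, now, max_age=STALE_AFTER):
    """Users whose console password is enabled and unused for max_age or more.
    A password that was never used is aged from the later of user creation and
    last password change (assumption of this example)."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>" or row["password_enabled"] != "true":
            continue
        last_used = _parse_time(row["password_last_used"])
        if last_used is None:
            candidates = [_parse_time(row["user_creation_time"]),
                          _parse_time(row["password_last_changed"])]
            last_used = max(t for t in candidates if t is not None)
        if now - last_used >= max_age:
            stale.append(row["user"])
    return stale


def disable_stale_passwords(iam, report_csv, now, dry_run=True):
    """iam is a boto3 IAM client. Returns the users whose console password was
    (or, in dry-run mode, would be) removed with delete_login_profile."""
    disabled = []
    for user in stale_password_users(report_csv, now):
        if not dry_run:
            try:
                iam.delete_login_profile(UserName=user)
            except iam.exceptions.NoSuchEntityException:
                continue  # profile already gone since the report was generated
        disabled.append(user)
    return disabled


if __name__ == "__main__":
    # Offline run over the constructed report; pass a real client and dry_run=False to remediate.
    print(disable_stale_passwords(None, SAMPLE_REPORT, datetime.now(timezone.utc)))
```

Keep dry_run=True in the first runs and review the list; a user with no console activity may still be an active API user, and the report's access-key columns are the place to check that before also disabling keys.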

Restore password for FORCE_CHANGE_PASSWORD status

I need to restore or reset a user's password when his status is FORCE_CHANGE_PASSWORD. This happens when a user tries to restore his password using the "forgot password" feature and loses the email with the temporary password. Now he can't do anything because he doesn't remember the password and can't reset it again.
This code handles forgot password:
return CognitoIdentitySP.forgotPassword(params, (err, resp) => {
if (err) { ... }
...
})
And I receive error (in case of FORCE_CHANGE_PASSWORD status)
NotAuthorizedException: User password cannot be reset in the current state.
Is there any way to reset password in such state?
You can use aws-cli to do it. Here is a sample command, replace POOL_ID and EMAIL_ADDRESS accordingly:
aws cognito-idp admin-create-user --user-pool-id <POOL_ID> --username <EMAIL_ADDRESS> --message-action RESEND --profile <AWS_PROFILE>
You can also use the admin-set-user-password command in this situation of the temporary password being lost or expired:
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent
This will set a new temporary password of whatever you set the password to be but importantly will force the user to set a new password as soon as they log in, so security is maintained.
You will need to communicate this to the user but we found this extremely useful when your company's security policies prevent you from being able to run the create user command.
You can call admin create user again with the MessageAction set to RESEND in which case Cognito will resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to "SUPPRESS" to suppress sending the message. Only one value can be specified.
When you create a user from the admin or with the admin SDK from the frontend, you have to use the authentication flow "USER_PASSWORD_AUTH"; previously you should have configured it in the app client:
https://docs.amplify.aws/lib/auth/switch-auth/q/platform/js/

Aws Cognito- User pools, how to recover / set password for a user when it has no email or phone

I am using this on the web for a small business locally,
and want users to use only a username,
not email and phone.
On the verification tab, I leave both checkboxes: phone and email blank.
Then it displays the following red warning.
You have not selected either email or phone number verification,
so your users will not be able to
recover their passwords without contacting you for support.
So it is okay that I want them to contact support.
But I cannot find an API to set their password or to recover it as an admin.
If users contact me, how can I do it?
At the moment, there is a workaround through the API. Just set an email/phone where you/the admin can receive the one-off confirmation code (eg: support#test.com)
Just tested on an old cognito user pool that for some unknown reason, gets the emailed_verified attribute set to false every now and then (ref).
The User pool has the same configuration: No verification options are enabled.
However, you can ensure the email_verified attribute is ok, through an AWS user with dev credentials.
Example using CLI (tested on aws-cli/1.16.3 Python/2.7.10 Darwin/18.2.0 botocore/1.11.3):
USER=test#test.com
POOL_ID=us_east_1-123
POOL_APP_CLIENT_ID=fake123
# Ensure the email_verified attribute is set to true
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id $POOL_ID --username $USER --user-attributes Name=email_verified,Value=true
# Check the attribute is set/added if missing
# (double quotes so that $USER expands inside the JMESPath filter)
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/list-users.html
aws cognito-idp list-users --user-pool-id $POOL_ID --query "Users[?Username=='$USER'].[*]"
# Run Admin Reset PWD
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-reset-user-password.html
aws cognito-idp admin-reset-user-password --user-pool-id $POOL_ID --username $USER
# The email/phone for the user should get a confirmation code
# Set the new pwd
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/confirm-forgot-password.html
aws cognito-idp confirm-forgot-password --confirmation-code <Code> --password <New PWD> --username $USER --client-id $POOL_APP_CLIENT_ID
Basically that means your users will not have to verify their email or phone number. Those can be auto-verified, either by writing a Lambda function that verifies them or by verifying them on the users' behalf from the console.
Once the phone number or email is marked as verified, it can be used by users in a forgotPassword flow: they will get a code that they can use to reset the password.
You can also reset the user's password on their behalf (from the console), which means the user will not be able to log in and will have to complete a forgotPassword flow before logging in. Again, the phone number and email can be marked as verified from the console.
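The two Cognito threads above describe the same admin-side decision from two angles: a user stuck in FORCE_CHANGE_PASSWORD gets a re-sent invitation (admin-create-user with MessageAction RESEND) or a fresh temporary password (admin-set-user-password with --no-permanent), while a confirmed user with no verified contact first gets email_verified set and is then put through admin-reset-user-password so the forgot-password flow can finish. The block below is an added example for both threads, not code from either of them: it reads the state from admin_get_user and picks the path. The pool id, username and the boto3 cognito-idp client are assumptions; the client is passed in so a stub can exercise the logic offline.

```python
"""Added example: choose and run the admin recovery path for a Cognito user
from the UserStatus and verified-contact attributes that admin_get_user returns.
`client` is a boto3 cognito-idp client (assumed; injected for testability)."""
import secrets
import string

POOLS = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")


def temporary_password(length=16):
    """Random password meeting Cognito's default policy (upper, lower, digit, symbol).
    Sent with Permanent=False, so the user must replace it at first login."""
    chars = [secrets.choice(p) for p in POOLS]
    chars += [secrets.choice("".join(POOLS)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def contact_state(user):
    """(has an email or phone attribute, one of them is verified) from admin_get_user output."""
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    has_contact = "email" in attrs or "phone_number" in attrs
    verified = (attrs.get("email_verified") == "true"
                or attrs.get("phone_number_verified") == "true")
    return has_contact, verified


def plan_recovery(user, can_resend_invite=True):
    """Pure decision, no AWS calls: which recovery action fits this user."""
    if user["UserStatus"] == "FORCE_CHANGE_PASSWORD":
        # Invitation lost or expired: resend it, or issue a new temporary password
        # where policy forbids running the create-user command again.
        return "resend_invitation" if can_resend_invite else "set_temporary_password"
    has_contact, verified = contact_state(user)
    if not has_contact:
        return "set_temporary_password"  # nowhere to deliver a confirmation code
    return "reset_password" if verified else "mark_verified_then_reset"


def recover_user(client, pool_id, username, can_resend_invite=True):
    """Run the chosen action against the pool and return its name."""
    user = client.admin_get_user(UserPoolId=pool_id, Username=username)
    action = plan_recovery(user, can_resend_invite)
    if action == "resend_invitation":
        client.admin_create_user(UserPoolId=pool_id, Username=username,
                                 MessageAction="RESEND")
    elif action == "set_temporary_password":
        client.admin_set_user_password(UserPoolId=pool_id, Username=username,
                                       Password=temporary_password(), Permanent=False)
    else:
        if action == "mark_verified_then_reset":
            # Support staff has confirmed the address out of band; mark it so the
            # forgot-password code can be delivered.
            client.admin_update_user_attributes(
                UserPoolId=pool_id, Username=username,
                UserAttributes=[{"Name": "email_verified", "Value": "true"}])
        # Invalidates the current password; the user completes a forgot-password flow.
        client.admin_reset_user_password(UserPoolId=pool_id, Username=username)
    return action
```

The temporary password produced for a user with no contact details still has to reach that user through a channel support controls; with Permanent=False Cognito will not let it be used beyond the first sign-in.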

ADFS 3 - Username change and signout issue

We have a website integrated with ADFS 3 for authentication. The website allows users to change their usernames, which in turn changes their usernames in AD. If users change their usernames we log them out using WSFederationAuthenticationModule.FederatedSignOut. However the page redirects to the ADFS URL and throws an error. The event log shows that "either username or password is wrong".
MSIS7066: Authentication failed for the request. ---> System.Security.SecurityException: The user name or password is incorrect.
I wonder whether it is because of the user name change. I tried both with lsalookupcachemaxsize set to 0 in the registry and without the key. By the way, does ADFS 3 even consider this registry key?
The code used is below:
FormsAuthentication.SignOut();
FederatedAuthentication.SessionAuthenticationModule.SignOut();
FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
FederatedAuthentication.WSFederationAuthenticationModule.SignOut(false);
Response.Expires = 0;
Session.Abandon();
var authenticationModule = FederatedAuthentication.WSFederationAuthenticationModule;
WSFederationAuthenticationModule.FederatedSignOut(new Uri(authenticationModule.Issuer), new Uri(authenticationModule.Realm));