I am using CFLDAP in a ColdFusion application.
Currently, the SERVER, USERNAME, and PASSWORD are hard-coded in the application.cfc as application scope variables.
<cfscript>
application.ldapserver = "servername";'
application.ldapuser = "username";'
application.ldappwd = "password";'
</cfscript>
Later in my code, I am using CFLDAP:
<CFLDAP ="GetLDAPinfo" action="query"
server = "#application.ldapserver#"
username = "#application.ldapuser#"
password = "#application.password#"
....
</CFLDAP>
How can I get around using a hard-coded username and password ?
I was hoping to find something to configure in the ColdFusion Administrator similar to how e-mail is set up, but I didn't find anything.
Thanks.
Environment variables are commonly used for storing credentials on a server. Maybe this article will help: Reading Environment Variables In ColdFusion
Using the environment variables approach with plain text files is an accepted practice. You don't store that file in source control, but manage the per-environment settings in a secure location.
Local devs get local credentials (ideally unique per developer), but they don't see credentials for higher environments. Those should only be accessible by the appropriate users.
Here's an example of using .env files with NodeJS.
Alternatively, you could store the credentials in the database and retrieve them on application start. But even then, do the local developers have access to that environment's database? And you can always dump the application scope to view the values. Or you could use something like AWS Secrets Manager, but I don't know how well that works with non-AWS systems.
Since the current credentials are hardcoded, they'll always be in source control history. Make sure
you're rotating those credentials as part of this effort
creating credentials per environment
rotating them all on a regular basis
Related
I'm moving a PHP app from IIS7 to IIS8.5 on Win2012 R2. The app runs in its own application pool (MyPortal) and needs write permission on a sub-folder to create PDFs. So I assign Modify or Full Control permissions to IIS AppPool\MyPortal on the local machine, however the app is still unable to write to the folder. The only way I have found to allow it to do so is by giving Modify access to the local USERS group, which I'd rather not do (although I have no choice ATM).
The php-cgi.exe process is running under the MyPortal identity, but somehow isn't picking up the permissions I have assigned to the MyPortal user on the folder. The PHP process is doing a simple fopen command $file = fopen($tmp_filename,"w");.
I saw this similar post https://serverfault.com/questions/570033/iis-iusrs-and-defaultapppool-permissions-do-not-work which suggested it may be a permissions caching issue, solved by a reboot, but that's not worked in this instance.
Any suggestions as to what's wrong?
You've got it #Jan Reinlink. Anonymous Authentication needed setting to 'Application identity pool'. I had assumed that because the PHP process was running as MyPortal it was using the same permissions.
So I know it is really BAD PRACTICE to store a users password in cleartext (even encrypted)....But here is my problem.
I am developing an in-house automation web-app using django as my backend and users login using their LDAP credentials. My app interacts with several 3rd party applications (Jira, Jenkins, Gitlab) that also use ldap credentials for user authentication. I would also like the ability to write to the users (linux) file system from the server (saving generated scripts).
What are my options?
The only one i have though of is to encrypt the password when user logs in and store that in the django session. Encryption and decryption keys will be generated per session and saved using django's sessions. The password will be decrypted whenever a password is needed but it will never be saved as clear text
*Obviously the user will need to concent to this method
Any other ideas?
If we're saying about logging into user's account using SSH, you can use public/private keys to do that. When user logs in, use his password for connecting to his account and create here authorized_keys file (or edit existing one) inside ~/.ssh directory. That way you will have access to SSH later.
Additionally, you can create some scripts that will handle that filesystem changes on root level.
I know that Jira and Gitlab can use OAuth and I'm pretty sure Jenkins understands that also. So you might be able to generate an OAuth-Token for the user on login (when you have the password in cleartext) for those systems and then use that token without the need to store the password.
Regarding the SSH-Access #GwynBleidD already gave a good answer.
I have Admin access to a Google domain. I want to do bulk password reset of user account and also if possible make them change their password after first sign in. Currently im doing this using GAM. is there any way to do this using App script or python script?
i have generated random password and tried to reset the password but its not happening.. I dont know how to connect with Admin SDK.
This can be done with both Python (how GAM does it) or Apps Script. From my POV, unless you need to move this process into the cloud (Apps Script) you might as well use GAM to complete the task.
That being said, in both instances, you're going to want to use the Directory API (within the Admin SDK) as this has access to change passwords and set change password at next login to true. I recommend taking a look at this Apps Script page making note of the additional steps needed to use the Admin SDK within Apps Script.
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.
We are switching from exchange to google hosted mail in the next couple of weeks and I'm trying to figure out how to setup email so we can send from inside django apps
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST='smtp.gmail.com'
EMAIL_HOST_USER='someone#example.com'
EMAIL_HOST_PASSWORD='16characters'
EMAIL_USE_TLS=True
EMAIL_PORT=587
So these are my email settings, and the part that bothers me is that the 16 character application specific password is soon to be committed to our git repository.
If I try to use this pw on the web frontend, it tells me not to use the application specific pw, but to use my account password. This is good, at least the web interface isn't going to let them in. But what else does this allow access to/thru? There were no restrictions placed on this key when it was created (there is no way to place restrictions on it, just a way to "name" it) So it seems like someone could use this key with an android phone and have full access to my account, completely defeating the purpose of 2 factor authentication.
So, how do you manage to use google as an email provider when your apps are sending bug reports (for 500s) or alerts to other people? All the smarthost setups I've seen require the username/password too, so it keeps it out of the repository, but doesn't actually fix the problem.
Right now it looks like I have to purchase an additional "user" from google and create the ASP for that user to send the emails, if I want to keep my account secure.
PS: just borrowed a different phone and proved it will indeed give them access to my account as expected. Seems like the ASP maybe needs the ability to node lock it to a specific IP or there needs to be phantom accounts for sending or something...
If you consider your hosting environments to be secure, you could follow the approach of storing the login and pass in environment variables. This is considered by some to be a best practice: http://www.12factor.net/config (and it appears to be growing in popularity).
Then in your settings.py:
#If you want loud failures, usually the best
EMAIL_HOST_USER = os.environ['EMAIL_USERNAME']
EMAIL_HOST_PASSWORD = os.environ['EMAIL_PASSWORD']
#If you want quiet failures, usually not a good idea
EMAIL_HOST_USER = os.environ.get('EMAIL_USERNAME', None)
EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_PASSWORD', None)
How you set the environment variable depends on your setup, but it is usually very straight forward.
This approach has the advantage of keeping secrets out of the git repo, so you can add new collaborators to the project without fear that they're going to take over your AWS/email/etc account
Another option would be to create a file in your filesystem, store credentials in there and set read/write permissions for users and groups. This would leverage permission tools of Unix-based systems.
Then in the settings.py file read them.
It would look something like this:
from configparser import RawConfigParser
config = RawConfigParser()
config.read('/pick/location/file.ini')
[...]
EMAIL_HOST_USER=config.get('email_service','EMAIL_USER'),
EMAIL_HOST_PASSWORD=config.get('email_service','EMAIL_PASSWORD'),
More info here
PS: Would this be more secure than storing credentials in environment variables? Hard to say, let's see what other users think
Hope this helps, ciao!