So I know it is really BAD PRACTICE to store a users password in cleartext (even encrypted)....But here is my problem.
I am developing an in-house automation web-app using django as my backend and users login using their LDAP credentials. My app interacts with several 3rd party applications (Jira, Jenkins, Gitlab) that also use ldap credentials for user authentication. I would also like the ability to write to the users (linux) file system from the server (saving generated scripts).
What are my options?
The only one i have though of is to encrypt the password when user logs in and store that in the django session. Encryption and decryption keys will be generated per session and saved using django's sessions. The password will be decrypted whenever a password is needed but it will never be saved as clear text
*Obviously the user will need to concent to this method
Any other ideas?
If we're saying about logging into user's account using SSH, you can use public/private keys to do that. When user logs in, use his password for connecting to his account and create here authorized_keys file (or edit existing one) inside ~/.ssh directory. That way you will have access to SSH later.
Additionally, you can create some scripts that will handle that filesystem changes on root level.
I know that Jira and Gitlab can use OAuth and I'm pretty sure Jenkins understands that also. So you might be able to generate an OAuth-Token for the user on login (when you have the password in cleartext) for those systems and then use that token without the need to store the password.
Regarding the SSH-Access #GwynBleidD already gave a good answer.
Related
I have Admin access to a Google domain. I want to do bulk password reset of user account and also if possible make them change their password after first sign in. Currently im doing this using GAM. is there any way to do this using App script or python script?
i have generated random password and tried to reset the password but its not happening.. I dont know how to connect with Admin SDK.
This can be done with both Python (how GAM does it) or Apps Script. From my POV, unless you need to move this process into the cloud (Apps Script) you might as well use GAM to complete the task.
That being said, in both instances, you're going to want to use the Directory API (within the Admin SDK) as this has access to change passwords and set change password at next login to true. I recommend taking a look at this Apps Script page making note of the additional steps needed to use the Admin SDK within Apps Script.
I'm thinking about migrating one of my django application to meteor. But there is one question I'm trying to answer before doing this: How does Meteor encrypt a password? (with the account-password package?)
In my case, I used the default django password encryption:
Django provides a flexible password storage system and uses PBKDF2 by default.
The password attribute of a User object is a string in this format:
<algorithm>$<iterations>$<salt>$<hash>
So my passwords are stored like this:
pbkdf2_sha256$12000$Z0rof3EQy1p2$wezcf334ytyBm12CPcdlNZLrkWYkaQklk4wHt5jxgWE=
Is it impossible to make Meteor adopt the same scheme so as my current users can continue to use my application without resetting their password?
accounts-password uses SRP to authenticate users. This was mentioned in the blog post for meteor 0.5:
Support for the Secure Remote Password protocol. Developed at Stanford, SRP lets a user securely log in to a server without ever sending that server their unencrypted password. The kind of high-profile security breaches at LinkedIn and Pandora earlier this year are impossible with SRP. Instead of asking every application developer to safely store passwords, we've baked the very best technology right into Meteor Accounts.
It's also discussed a little bit in this recent video. Side note - it's interesting that they are considering adding bcrypt in the future.
So for now, the good news is that meteor does not store password-equivalent information in the database. The bad news is that your users will need to reset their passwords if you choose to migrate your framework.
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.
I'm writing a Facebook canvas webapp that performs a login (using urllib) to a third party website and performs actions on behalf of the user. This means I have 2 accounts; the account the user has with my webapp (via facebook) and the account the app uses to perform a login on their behalf (with user/password details provided by the user).
I obviously don't want plaintext passwords in the DB. But I also don't want the user to have to enter their password every time they perform an action. I want them to enter the password once when they sign up, and I want to encrypt the passwords, but what do I encrypt against?
Any key on the server would be available to anyone who had gained access (i.e. useless), so I was thinking of encrypting it against a value available via the Facebook API.
When the user logs in (and gives the app their access token), the app can request the value via the API and encrypt/decrypt their 3rd party password with this. Anyone with access to the server wouldn't be able to make this request without the user being logged in to the app. (This still means someone snooping on the server could get logged-in users 3rd party password, but anyone who got one-off access to the DB couldn't see passwords.) Is this wishful thinking?
You might as well encrypt it using a key on the server. If anyone gains access to your server they will have everything they need to retrieve the key even if you're getting it from Facebook.
I think the best you can do is to store the key in a location that isn't available to your webserver, but that is available to your script. At least make sure you don't store the key in the database.
Whatever you do beyond that would just be security through obscurity. The key here is to keep your server secure so that no one gains access to it.
I guess you could store the logins ONLY on the client, in some sort of local storage and do all the actions related to the third party, from the client in JS.
This of course would need some change in the architecture of your app if you tought to do all this from your server, but that would possible for sure, you can event make client JS send data to your server after it worked so you can log data from the interactions with the 3rd party.
Furthermore it has the advantage of distributing the load on the clients
I know you didn't tag the question with javascript and you seem to want a server pure solution, but It seems the best solution to me. the user keeps its data ..
Security through obscurity might be your best bet. Perhaps implement an algorithm to generate the key using something standard (like the current datetime). You can store the date in your db, and use that to generate the key using your own algorithm.
I am making an web application that have to be integrated with other system using SOAP for communication between them. The problem is that I need to have users and store application specific information for them, but store the password on other system. So when the user enter his password username/password I have to make check on the other system and if this user exists and this is his password to log him in on my application.
So my question is how can this be done.
You have to write your own authentication backend!