Passing a user and password in a clickable URI link securely - web-services

I have a device that allows for remote control using something like this:
https://gooduser:secretpassword#www.example.com/webcallback?foo=bar
My question is, can I somehow send an encrypted user/password so that end-users can't pull the username and password and log in to the device?
My issue here is that I need these to be clickable links to send remote commands.

Instead of putting your username and password in the URL, use HTML headers. Since you are calling https they will be encrypted. How you use it depends on your environment, but using wget the command would be:
wget --user=gooduser --password=secretpassword https://www.example.com/webcallback?foo=bar
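As an added illustration of the answer's point (this is not code from the original answer): the credentials are moved out of the URL, where they would otherwise land in browser history, proxy logs and Referer headers, and into an Authorization header; a second function scans log lines for URLs that still carry embedded credentials. The standard user:password@host URL form is assumed, and the function names and sample log lines are constructed for this example.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

# Loose matcher for URLs inside free-form log text (constructed for this example).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def split_credentials(url):
    """Return (url_without_userinfo, basic_auth_header_value_or_None).

    The 'user:pass@' part is stripped from the URL so it no longer ends up in
    history, access logs or Referer headers; the same credentials are
    re-expressed as the value of an Authorization header instead.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    host = parts.hostname or ""
    if ":" in host:                      # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    raw = f"{parts.username}:{parts.password or ''}".encode("utf-8")
    return clean, "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url):
    """Build a urllib Request that carries the credentials in a header, not in the URL."""
    clean, auth = split_credentials(url)
    headers = {"Authorization": auth} if auth else {}
    return Request(clean, headers=headers)


def decode_basic(header_value):
    """Inverse of the Basic scheme; used here only to check the round trip."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def find_leaked_credentials(log_lines):
    """Flag log lines containing URLs with embedded userinfo.

    Returns (line_number, username, url_with_userinfo_removed) per hit; the
    password itself is never copied into the finding.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for url in URL_RE.findall(line):
            if urlsplit(url).username is not None:
                redacted, _ = split_credentials(url)
                hits.append((lineno, urlsplit(url).username, redacted))
    return hits


# Constructed sample access-log lines, not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET https://gooduser:secretpassword@www.example.com/webcallback?foo=bar HTTP/1.1" 200',
    '10.0.0.6 - - "GET https://www.example.com/webcallback?foo=baz HTTP/1.1" 200',
]

if __name__ == "__main__":
    for lineno, user, url in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: credentials for user {user!r} embedded in {url}")
    req = build_request("https://gooduser:secretpassword@www.example.com/webcallback?foo=bar")
    print(req.full_url, "->", req.get_header("Authorization"))
```

Basic over HTTPS only hides the header from the network; the device still receives the reusable password, so the log check above is the part that catches the clickable-link problem the question describes.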


How to change the default admin password in ActiveMQ Artemis

I've checked the docs, but so far haven't found how to change the default admin password in ActiveMQ Artemis 2.27.1 created when using the artemis create command.
Here are the contents of the etc/login.config:
activemq {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=false
reload=true
org.apache.activemq.jaas.properties.user="artemis-users.properties"
org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
These are the contents of artemis-users.properties:
admin = ENC(1024:EE12ADBFA02C8DB4AF73E22F44C9BD2C12861A2CD01186CA07A874FAA824A757:BA04C1C3F55B0F68EFB2804BB001EAC2C5105EC1662DCBF96E158F9DA3E0C1BB9D8ECA2FF77BBD391938BCB1E69D865322981AB134BF81B1378AFBBE9C040350)
#admin = ENC(1024:389da8e6db1d6dc50b300ec99ea5604a)
I tried masking the password as described here (this is the commented-out admin line), but got invalid credentials when I tried to log in after restarting the server.
I generated it like this:
./artemis mask <plaintextPassword>
By default credentials are stored in the etc/artemis-users.properties. Each line represents a user and its password in the format:
<user> = <password>
Passwords are hashed by default and stored using the ENC() syntax, but you can use plain text password if you want. Also, by default any changes to artemis-users.properties and artemis-roles.properties are reloaded automatically (since reload=true in login.config) so there's no need to restart the broker.
More details are available in the documentation for the PropertiesLoginModule.
If you want to update the file manually with a hashed password you need to use the following command in the bin directory:
$ ./artemis mask --hash <password>
This is documented in the "Masking Passwords" chapter.
Additionally, if you have at least one valid, working user account with the manage permission or if you have anonymous login enabled then you can use the user commands to list, add, remove, and reset users. As before, more details can be found in the documentation.
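An added audit helper for the situation in this question (not part of the answer or of the Artemis project): it parses artemis-users.properties entries in the <user> = <password> form and reports any active entry that is not in hashed form. The classification is an assumption inferred only from the two value shapes shown above, a hashed value with three colon-separated fields inside ENC() versus a masked value with two; the sample file content and its ENC() values are constructed dummies.

```python
import re

ENC_RE = re.compile(r"^ENC\((?P<body>[^)]*)\)$")


def classify_password(value):
    """Classify one stored password value.

    Assumption (inferred from the two forms shown in the question, not from
    Artemis source): 'artemis mask --hash' yields ENC(<iterations>:<salt>:<hash>)
    with three colon-separated fields, while plain 'artemis mask' (reversible
    masking) yields ENC(<iterations>:<masked>) with two. Anything not wrapped
    in ENC() is plain text.
    """
    m = ENC_RE.match(value.strip())
    if not m:
        return "plaintext"
    fields = m.group("body").split(":")
    if len(fields) == 3:
        return "hashed"
    if len(fields) == 2:
        return "masked"
    return "unknown"


def audit_users_properties(text):
    """Parse '<user> = <password>' lines and classify each active entry.

    Comment lines (starting with '#') and blank lines are skipped, matching
    the commented-out admin line in the question. Returns a list of
    (line_number, user, classification).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append((lineno, None, "malformed"))
            continue
        user, _, value = line.partition("=")
        findings.append((lineno, user.strip(), classify_password(value)))
    return findings


def non_hashed_users(text):
    """The entries an operator would want to fix before relying on the file."""
    return [(user, kind) for _, user, kind in audit_users_properties(text) if kind != "hashed"]


# Constructed sample file; the ENC() bodies are shortened dummies, not real output.
SAMPLE_PROPERTIES = """\
# users file
admin = ENC(1024:AABBCC:DDEEFF)
#admin = ENC(1024:0011223344)
monitor = ENC(1024:0011223344)
legacy = plainTextSecret
"""

if __name__ == "__main__":
    for lineno, user, kind in audit_users_properties(SAMPLE_PROPERTIES):
        print(f"line {lineno}: {user} -> {kind}")
```

Run against the real file this would have flagged the masked-but-not-hashed admin entry before the restart that produced the invalid credentials error. Java properties files also accept ':' as a key/value separator; this helper only handles the '=' form shown in the question.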

Unable to reset password in Django

I have an app which allows the user to reset their password. I use the Django authentication system, but every time I want to send an email I get the error ' 535, b'5.7.8 Username and Password not accepted. '.
I have already generated an app password and replaced the password in my "settings.py", but I still get this error.
Have you
tried sending passwords with a separate Python script or an application like the REST Client in VSC to make sure the credentials are working? At least when using Gmail, I know you have to adapt the security settings in the Gmail account used.
checked, e.g. by using print statements (ONLY in your dev environment!), that the credentials are available as expected?
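The separate check the answer suggests, as an added example (not code from the question or the answer): a standalone probe that attempts the SMTP STARTTLS login outside Django and reports the server's reply instead of raising, with the secret read from an environment variable rather than hard-coded in settings.py. The SMTP class is injectable so the logic can be exercised offline; the FakeRejectingSMTP stand-in, the function names and the host/user values are constructed for this example.

```python
import os
import smtplib
import ssl


def probe_smtp_login(host, port, user, password, smtp_cls=smtplib.SMTP):
    """Attempt an SMTP STARTTLS login and report the outcome without raising.

    smtp_cls defaults to the real smtplib.SMTP; a fake can be injected for
    offline use. Returns {"ok": bool, "code": int | None, "message": str}.
    """
    context = ssl.create_default_context()
    try:
        with smtp_cls(host, port, timeout=10) as conn:
            conn.ehlo()
            conn.starttls(context=context)   # never send the password in clear text
            conn.ehlo()
            conn.login(user, password)
        return {"ok": True, "code": 235, "message": "authentication succeeded"}
    except smtplib.SMTPAuthenticationError as exc:
        err = exc.smtp_error
        msg = err.decode("utf-8", "replace") if isinstance(err, bytes) else str(err)
        return {"ok": False, "code": exc.smtp_code, "message": msg}
    except (smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "code": None, "message": str(exc)}


def explain(result):
    """Turn the reply into the next diagnostic step."""
    if result["ok"]:
        return "credentials work; look at the Django settings or code path, not the account"
    if result["code"] == 535:
        return "server rejected the username/password: re-check the app password and the account's security settings"
    return "could not complete the login attempt: " + result["message"]


class FakeRejectingSMTP:
    """Constructed stand-in behaving like a server that answers 535 (offline use only)."""

    def __init__(self, host, port, timeout=None):
        self.host, self.port = host, port

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        return False

    def ehlo(self):
        return 250, b"OK"

    def starttls(self, context=None):
        return 220, b"Ready to start TLS"

    def login(self, user, password):
        raise smtplib.SMTPAuthenticationError(535, b"5.7.8 Username and Password not accepted.")


if __name__ == "__main__":
    # Set SMTP_PROBE_LIVE=1 to hit a real server; otherwise the offline fake is used.
    live = os.environ.get("SMTP_PROBE_LIVE") == "1"
    result = probe_smtp_login(
        os.environ.get("EMAIL_HOST", "smtp.example.com"),
        int(os.environ.get("EMAIL_PORT", "587")),
        os.environ.get("EMAIL_HOST_USER", "user@example.com"),
        os.environ.get("EMAIL_HOST_PASSWORD", ""),
        smtp_cls=smtplib.SMTP if live else FakeRejectingSMTP,
    )
    print(result, "->", explain(result))
```

Printing the result dictionary, rather than the password, gives the same confirmation the answer asks for without leaving the secret in a console log.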

How to approach this issue with django

I just started off in Django and want to implement this. But I am not sure whether my approach is correct or not. Can you validate?
Requirement: My server will provide a service via a URL endpoint. The client will authenticate (with an id and password supplied to him via a separate channel, so no signup page is available) with his credentials and avail himself of the service. I will do the work asynchronously and reply with the status.
My approach:
- Client will be provided a username and password via a separate channel.
- Client will make an https connection.
- Client will encrypt the password with my public key and will call my URL endpoint with id, password, data.
- I will acknowledge the request and will ping the client back when the work is done.
Things I am worried about:
- How to stop snoopers from replacing the data portion and re-forwarding the request to me.
- How to stop snoopers from reusing the encrypted password from the original request and sending their own request.
Are there any frameworks which provide this support built in?
OR
Will this not occur at all in my current setup?
I know Django provides an authentication module. But not sure about its capabilities.
The framework will help you enable security at an application level. You can use Django to help you ensure that only users that have been properly authenticated will be granted access to restricted pages, and it provides a number of other security measures out of the box.
Replay attacks will typically be prevented by using sessions, which is well documented by Django.
Based on the description of your implementation, the greatest source of concern would be the statement "client will be provided a username and password via separate channel".
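The two worries in the question, tampering with the data portion and replaying a captured request, can be addressed without encrypting the password at all, by signing each request. This is an added example (not from the question, the answer or Django): it uses a per-client shared secret delivered over the separate channel the question already has, an HMAC over client id, timestamp, nonce and body hash, and a server-side nonce cache for the acceptance window, as a complement to the session-based approach the answer names. The header names, the ReplayGuard class and the sample secret are constructed for this example.

```python
import hashlib
import hmac
import secrets


def sign_request(client_id, body, secret, now, nonce=None):
    """Client side: produce the headers that travel with `body`.

    `secret` is the per-client key from the separate channel; `now` is a Unix
    timestamp (passed in explicitly so the server can recompute the same value).
    """
    nonce = nonce or secrets.token_hex(16)
    ts = str(int(now))
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([client_id, ts, nonce, body_hash]).encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: verifies the signature and refuses nonces it has seen.

    A request older than `window_seconds` is refused outright, so nonces only
    have to be remembered for that long.
    """

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = {}          # nonce -> time it was accepted

    def _expire(self, now):
        for nonce, seen_at in list(self.seen.items()):
            if now - seen_at > self.window:
                del self.seen[nonce]

    def verify(self, body, headers, secrets_by_client, now):
        """Return (accepted, reason). Nothing is recorded unless the request is accepted."""
        self._expire(now)
        client_id = headers.get("X-Client-Id", "")
        secret = secrets_by_client.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen:
            return False, "replayed nonce"
        expected = sign_request(client_id, body, secret, ts, nonce)["X-Signature"]
        # Constant-time comparison: a mismatch means body or headers were altered.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen[nonce] = now
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo values; a real deployment loads secrets from a store.
    shared = {"client-42": b"per-client-secret-from-separate-channel"}
    guard = ReplayGuard()
    body = b'{"job": "rotate-logs"}'
    hdrs = sign_request("client-42", body, shared["client-42"], 1_700_000_000)
    print(guard.verify(body, hdrs, shared, 1_700_000_010))   # accepted
    print(guard.verify(body, hdrs, shared, 1_700_000_020))   # same nonce again: refused
```

The password is never sent, so there is nothing for a snooper to reuse; the timestamp bounds how long a capture stays usable and the nonce cache closes the remaining window. Replace the shared secret with TLS client certificates or Django's session mechanism if the clients are browsers rather than scripts.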

What are steps a simple http C++ server should perform to let user login via OpenID authentication?

I have created a simple server accepting TCP and HTTP requests and parsing them in C++. Now I want to create an OpenID login system which would support Google OpenID. I use Boost and curl in my server. Currently I have no ssh in my server, except that curl can make ssh requests.
So what do I have:
HTML GET/POST request parsing into maps of map<string, string>
curl with ssh support
file returning server functionality (with modified response arguments)
What else shall I implement to support the possibility of Google OpenID login? (I need only some basic unique identifier from the user, not his/her name or any other details.)
What shall be my steps in order to get a unique user ID in the server that received a request with something like openIdLogin :https://www.google.com/accounts/o8/id in it?
I need some simple, readable instructions like once provided by google for reCAPTCHA Verifying the User's Answer Without Plugins - where shall user be redirected, what shall be in Request, Response etc. (not pure Specs)
From the OpenID wiki
http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong
or from Google's own doc
http://code.google.com/apis/accounts/docs/OpenID.html#Interaction
What it sounds like you are looking for is Google's Federated Login. What it basically amounts to is sending some url requests to Google's servers and providing a callback url where you want the user to return to after they login on Google's servers.
Towards the bottom of the page there are some sample requests and responses that should help you get started.

How to download web resource using Digest authentication

What set of Windows API calls will allow downloading a web resource (specifically an XML document) when the site is protected using Digest authentication without having to enter a username and password?
I can use MSXML's “open” function on the IXMLHTTPRequest interface, but it requires a username and password to be supplied even though I'm logged on to the Windows domain server.
Internet Explorer can accomplish this task without requiring me to enter this information.
I'm not familiar with this particular API. But it looks like there is a function to set a request header called setRequestHeader so have you tried adding the following line directly to the request header?
Authorization: Basic %s\r\n
Note: %s is name:password in base64 encoding.
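For contrast with the Basic header in the answer, here is what a Digest exchange actually puts on the wire, as an added example (not from the question, the answer, MSXML or any Windows API): the client parses the server's WWW-Authenticate challenge and computes the RFC 2617 MD5 response for qop=auth, so the password itself is never transmitted, only a hash bound to the server's nonce. The values are the published example from RFC 2617 section 3.5; the function names are constructed for this example, and the Windows-integrated login the question asks about is a separate mechanism not covered here.

```python
import hashlib
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri,
                    qop="auth", nc="00000001", cnonce=""):
    """RFC 2617 'response' value (MD5 algorithm).

    HA1 covers username:realm:password, HA2 covers method:uri; with qop=auth the
    server nonce, request counter and client nonce are mixed in, which is what
    makes a captured response useless for a fresh challenge.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")       # RFC 2069 compatibility form


def parse_challenge(header):
    """Parse 'Digest k="v", k2=v2, ...' (the WWW-Authenticate value) into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def build_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Return (fields, header_value) for the Authorization header answering `challenge`."""
    ch = parse_challenge(challenge)
    offered = [q.strip() for q in ch.get("qop", "").split(",") if q.strip()]
    qop = "auth" if "auth" in offered else ""
    response = digest_response(username, password, ch["realm"], ch["nonce"],
                               method, uri, qop, nc, cnonce)
    fields = {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
              "uri": uri, "response": response}
    if "opaque" in ch:
        fields["opaque"] = ch["opaque"]          # echoed back unchanged
    if qop:
        fields.update({"qop": qop, "nc": nc, "cnonce": cnonce})
    parts = [f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields.items()]
    return fields, "Digest " + ", ".join(parts)


# Challenge and credentials from the RFC 2617 section 3.5 example.
RFC_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    fields, header = build_authorization(RFC_CHALLENGE, "Mufasa", "Circle Of Life",
                                         "GET", "/dir/index.html", cnonce="0a4f113b")
    print(header)
```

The header printed contains no password, unlike the Basic form, which is why a Digest-protected site will reject a Basic header: the server expects the response field computed from its own nonce. Digest with MD5 is still weak by modern standards; it is shown here to explain the mechanism, not as a recommendation over TLS plus integrated authentication.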