I'm working on a project where it is necessary to check a user's password for uniqueness against historical passwords, and add old passwords to a list of historical passwords. To accomplish this I want to read and write to the opasswd file with the pam_pwhistory module. I don't want to update the user's password at all, just to check whether it is unique or not, and write their existing password to the opasswd file. The user has just been prompted for their password, and I have access to the new password, so I don't want to have to prompt the user for it again.
As far as I can tell, there are two ways to do this:
Use pam functions (pam_start, pam_chauthtok, pam_end), and interpret the prompts '(current) UNIX password: ', 'New password: ' and 'Retype new password: '. Only include pam_pwhistory.so in the PAM chain for this application. This feels very ugly as these prompts are obviously intended to be interactive, and could be renamed in future. I'd also like to avoid having to maintain an extra PAM configuration file if necessary.
Use pamc to communicate directly with the pam_pwhistory module. I have not had much luck with this approach and it doesn't seem to be well documented. Should I be using this API at all?
Is there a 3rd option? How would you approach this?
Thanks very much for any help!
Related
I have a winforms application that connects to a database with a connection string and a generic user
"Database=DBADAS;Server=TMT123\\SQLEXPRESS;User ID=user; Password=*****;
After connecting into the database with a login dialog, we check if the user and password are existent in the user table from the database.
My question is now if this is a good practice? because basically in the connection string there is every information needed to crack the server.
There are a few ways to go about this safely. Since it's a Winforms app and not a web application, most of your security risks involve someone already in your network peeking at the connection string. This adds a layer of security in and of itself.
1. Hardcoded
You can hardcode the connection string that fetches the users into a DLL and make your application depend on that DLL. I only suggest this because it sounds like the "generic user" password is permanent; otherwise, you'd have to recompile code every time you changed the password, then deploy again. This is very secure, however, as the value isn't stored in plain text.
2. App.Config
You can stick it in a configuration file. Within a secured network, this is probably the most versatile option, as you can store multiple strings and easily update them without updating the full application. This goes well alongside settings like a "DebugMode" setting, etc. Using App.Config or another XML file is ideal, but you can roll a quick and dirty .txt file, too.
3. Database
Probably the most secure way of all, as you can encrypt your database and code your programs to fetch their connection strings and login information from that database by using an unrelated login. This allows greater control over what can be reached by the application when a user has not yet logged in. It also prevents the software from operating outside of the network, which may be desirable.
4. Internal API
Having a separate application serve this data divorces user capability from your concerns, as the API and your app can exchange verification keys to see if your app even has permission to try to connect. This is my personal favorite, but obviously the most work to set up.
5. Registry Entry
Depending on how you have this installed, it may work well to embed the tokens you need in the Registry. This guarantees the app requires admin permissions to install, and allows you to use Windows security to restrict access to the hive.
Again, since it's an internal non-web app, I wouldn't worry too much about the plain text of the connectionstring; if someone has gotten this far into your network, chances are you have much bigger problems already. I wouldn't leave it floating as a plain text file in a local directory, but any degree of security above that is probably acceptable for your purposes.
Encrypting Web.Config
Open Command Prompt with Administrator privileges
At the CommandPrompt, enter:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use Aspnet_regiis.exe tool with the –pef option and specify the application path as shown above.
Note: The parameter "connectionStrings" is case sensitive.
For Winforms: You need to rename your app.config to web.config encrypt it by using steps 1 to 3 and again rename it to app.config.
Reference: https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
This question already has answers here:
Java Play Encrypt Database Password
(2 answers)
Closed 7 years ago.
I have an application that talks to the database for which I have to load the credentials for the database connection from my application.conf. I would like to have my credentials, at least the password encrypted in the application.conf file. I was not able to find some good documentation on how this fits together with Play.
I mean I can use any encryption library, encrypt the password, store it to the application.conf and decrypt when I connect to the database. What I want to know is some suggestions on how this fits with Play framework. Is there some built-in plugin or something that I can use for encryption?
You shouldn't need to encrypt anything inside your own system. Just make sure your server is secure.
Since you will need to let your application access the password, an attacker who has access to your system would be able to get to your password anyway.
But never ever check your passwords into git (or subversion or whatever)!
Instead what you should do is this:
Add this line to your application.conf:
include "secret.conf"
Create the secret.conf in your conf-folder and save all your credentials in this file.
Add secret.conf to your .gitignore, so it doesn't go into your Git.
Manually add and update the secret.conf-file on your server.
If you are on a Linux-system it's also smart to control read access to the secret.conf-file like #Roman said:
Make sure only the user running play has rights to read that file.
Actually it would be useless to encrypt your db credentials. That way you must store somewhere a key to decrypt the credentials, which leads to exactly the same problem.
Instead you could store an application-prod.conf on your production server where you can overwrite application.conf properties. Make sure only the user running play has rights to read that file.
include "application"
db.default.password="yoursecret"
Then run your application:
/path/to/yourapp/bin/yourapp -Dconfig.file=/path/to/application-prod.conf
The same approach is used to protect the application secret. See https://www.playframework.com/documentation/2.4.x/ApplicationSecret and https://www.playframework.com/documentation/2.1.x/Configuration.
I recently had to write my first JScript, which required some database connection.
I wrote something like
var conn = new OdbcConnection();
conn.ConnectionString = "Driver={Somedriver};"
+ "System=IPNUMBER;"
+ "Uid=SOMEUID;"
+ "Pwd=supersecret;"
And the last line made me really uncomfortable - writing the pw plaintext is far from best practice. As by education I am a mathematician and no programmer I want to know two things:
Is it possible to not write the pw in plaintext?
If yes - how?
The password has to be recoverable somehow with data available to the script at run-time. So you could certainly include some kind of obfuscation scheme that made the password less obvious in the script, but in the end it doesn't get you anything—as long as the information is readable by the script, it'll be readable to an attacker who has obtained the script.
The usual answer is to put the password outside the script, in a separate file that can be read by the script code. Indeed, it is a good idea to split all the deployment-specific details such as database connection string into a separate file (typically a config file or invocation stub), so you can manage the code logic separately from the deployment details.
In a server-app scenario you can then lock down the permissions on the config file so only admins and the service user can read it; in a client-app scenario you can require each user to get their own database credentials. Either way, since the script itself now contains only the logic it is safe to distribute it and manage it using a source code repository.
I'm new to linux but have been experimenting some and figured it would be helpful to be able to transfer work files to my fellow students when we're working on a project. I've found a command that works, however, this requires me to know the password of the user I want to send the file to.
scp path/to/sourcefile user#hostname:path/to/destfile
This is the command I used, it prompts for the password of the recipient user. I do not know the passwords of my friends user accounts, so I am stuck. It seems advisable that there's no revealing of the passwords for security reasons, so that's why I am asking whether there's a way to avoid the password requirement or to simply send the file and the recipient is prompted with a message for agreement to accepting the file?
Thanks in advance.
What PAM call do I have to make to reset a user's password? I cannot figure it out.
Background:
I'm working on an embedded linux device. Customers install this device, and create user accounts. If one of those secondary user accounts gets locked out, or if a user forgets their password, we need a way where user #1 can reset the password for user #2. Our conversion to PAM is new, I'm in the middle of switching over to it now. Here are the calls I make to authenticate users:
pam_start();
pam_authenticate();
pam_acct_mgmt();
pam_end();
I see pam_chauthtok() for changing my own password, what I don't understand is if -- or how? -- I can use it or another similar call to assign a new password to another user account.
The whole point of having separate users is that they cannot do things like change each other's password. In order to change a user's password with PAM, you need to become that user. The easiest way to do this is to have a setuid-root binary, or a daemon that runs as root, which calls setuid, etc. to become the desired user then performs the operations to change password.
Of course this exposes your entire system to a great deal of risk, especially if you're not already skilled in these matters (which is clear from your question), so I'd think twice about whether this feature is necessary, and if so, whether you should hire an expert to handle it.