Search Results

Search found 21719 results on 869 pages for 'password security'.

Page 22/869 | < Previous Page | 18 19 20 21 22 23 24 25 26 27 28 29  | Next Page >

• Security Controls on data for P6 Analytics

  - by Jeffrey McDaniel

  The Star database and P6 Analytics calculates security based on P6 security using OBS, global, project, cost, and resource security considerations. If there is some concern that users are not seeing expected data in P6 Analytics here are some areas to review: 1. Determining if a user has cost security is based on the Project level security privileges - either View Project Costs/Financials or Edit EPS Financials. If expecting to see costs make sure one of these permissions are allocated.  2. User must have OBS access on a Project. Not WBS level. WBS level security is not supported. Make sure user has OBS on project level.  3. Resource Access is determined by what is granted in P6. Verify the resource access granted to this user in P6. Resource security is hierarchical. Project access will override Resource access based on the way security policies are applied. 4. Module access must be given to a P6 user for that user to come over into Star/P6 Analytics. For earlier version of RDB there was a report_user_flag on the Users table. This flag field is no longer used after P6 Reporting Database 2.1. 5. For P6 Reporting Database versions 2.2 and higher, the Extended Schema Security service must be run to calculate all security. Any changes to privileges or security this service must be rerun before any ETL. 6. In P6 Analytics 2.0 or higher, a Weblogic user must exist that matches the P6 username. For example user Tim must exist in P6 and Weblogic users for Tim to be able to log into P6 Analytics and access data based on  P6 security.  In earlier versions the username needed to exist in RPD. 7. Cache in OBI is another area that can sometimes make it seem a user isn't seeing the data they expect. While cache can be beneficial for performance in OBI. If the data is outdated it can retrieve older, stale data. Clearing or turning off cache when rerunning a query can determine if the returned result set was from cache or from the database.

  Read the article

• Free E-Book from APress - Platform Embedded Security Technology Revealed

  - by TATWORTH

  Originally posted on: http://geekswithblogs.net/TATWORTH/archive/2014/08/23/free-e-book-from-apress---platform-embedded-security-technology-revealed.aspxAt  http://www.apress.com/9781430265719, APress are providing a free E-Book - Platform Embedded Security Technology Revealed. “Platform Embedded Security Technology Revealed is an in-depth introduction to Intel’s security and management engine, with details on the security features and the steps for configuring and invoking them. It's written for security professionals and researchers; embedded-system engineers; and software engineers and vendors.”

  Read the article

• How to get password html helper to render password on failed validation

  - by Max Schmeling

  I have a form for creating a new account and it has a password field in it. I'm using view models to pass data to the controller action and back to the form view. When the user enters their details in, and clicks submit, if validation fails and it returns them to the same view passing back in the view model, it won't default the password to what they entered. How can I get it to do this? Or should I even try?

  Read the article

• How can * be a safe hashed password?

  - by Exception e

  phpass is a widely used hashing 'framework'. While evaluating phpass' HashPassword I came across this odd method fragment. function HashPassword($password) { // <snip> trying to generate a hash… # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new # hashes and for validating passwords against existing hashes. return '*'; } This is the complete phpsalt class: # Portable PHP password hashing framework. # # Version 0.2 / genuine. # # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in # the public domain. # # # class PasswordHash { var $itoa64; var $iteration_count_log2; var $portable_hashes; var $random_state; function PasswordHash($iteration_count_log2, $portable_hashes) { $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) $iteration_count_log2 = 8; $this->iteration_count_log2 = $iteration_count_log2; $this->portable_hashes = $portable_hashes; $this->random_state = microtime() . getmypid(); } function get_random_bytes($count) { $output = ''; if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) { $output = fread($fh, $count); fclose($fh); } if (strlen($output) < $count) { $output = ''; for ($i = 0; $i < $count; $i += 16) { $this->random_state = md5(microtime() . $this->random_state); $output .= pack('H*', md5($this->random_state)); } $output = substr($output, 0, $count); } return $output; } function encode64($input, $count) { $output = ''; $i = 0; do { $value = ord($input[$i++]); $output .= $this->itoa64[$value & 0x3f]; if ($i < $count) $value |= ord($input[$i]) << 8; $output .= $this->itoa64[($value >> 6) & 0x3f]; if ($i++ >= $count) break; if ($i < $count) $value |= ord($input[$i]) << 16; $output .= $this->itoa64[($value >> 12) & 0x3f]; if ($i++ >= $count) break; $output .= $this->itoa64[($value >> 18) & 0x3f]; } while ($i < $count); return $output; } function gensalt_private($input) { $output = '$P$'; $output .= $this->itoa64[min($this->iteration_count_log2 + ((PHP_VERSION >= '5') ? 5 : 3), 30)]; $output .= $this->encode64($input, 6); return $output; } function crypt_private($password, $setting) { $output = '*0'; if (substr($setting, 0, 2) == $output) $output = '*1'; if (substr($setting, 0, 3) != '$P$') return $output; $count_log2 = strpos($this->itoa64, $setting[3]); if ($count_log2 < 7 || $count_log2 > 30) return $output; $count = 1 << $count_log2; $salt = substr($setting, 4, 8); if (strlen($salt) != 8) return $output; # We're kind of forced to use MD5 here since it's the only # cryptographic primitive available in all versions of PHP # currently in use. To implement our own low-level crypto # in PHP would result in much worse performance and # consequently in lower iteration counts and hashes that are # quicker to crack (by non-PHP code). if (PHP_VERSION >= '5') { $hash = md5($salt . $password, TRUE); do { $hash = md5($hash . $password, TRUE); } while (--$count); } else { $hash = pack('H*', md5($salt . $password)); do { $hash = pack('H*', md5($hash . $password)); } while (--$count); } $output = substr($setting, 0, 12); $output .= $this->encode64($hash, 16); return $output; } function gensalt_extended($input) { $count_log2 = min($this->iteration_count_log2 + 8, 24); # This should be odd to not reveal weak DES keys, and the # maximum valid value is (2**24 - 1) which is odd anyway. $count = (1 << $count_log2) - 1; $output = '_'; $output .= $this->itoa64[$count & 0x3f]; $output .= $this->itoa64[($count >> 6) & 0x3f]; $output .= $this->itoa64[($count >> 12) & 0x3f]; $output .= $this->itoa64[($count >> 18) & 0x3f]; $output .= $this->encode64($input, 3); return $output; } function gensalt_blowfish($input) { # This one needs to use a different order of characters and a # different encoding scheme from the one in encode64() above. # We care because the last character in our encoded string will # only represent 2 bits. While two known implementations of # bcrypt will happily accept and correct a salt string which # has the 4 unused bits set to non-zero, we do not want to take # chances and we also do not want to waste an additional byte # of entropy. $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; $output = '$2a$'; $output .= chr(ord('0') + $this->iteration_count_log2 / 10); $output .= chr(ord('0') + $this->iteration_count_log2 % 10); $output .= '$'; $i = 0; do { $c1 = ord($input[$i++]); $output .= $itoa64[$c1 >> 2]; $c1 = ($c1 & 0x03) << 4; if ($i >= 16) { $output .= $itoa64[$c1]; break; } $c2 = ord($input[$i++]); $c1 |= $c2 >> 4; $output .= $itoa64[$c1]; $c1 = ($c2 & 0x0f) << 2; $c2 = ord($input[$i++]); $c1 |= $c2 >> 6; $output .= $itoa64[$c1]; $output .= $itoa64[$c2 & 0x3f]; } while (1); return $output; } function HashPassword($password) { $random = ''; if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { $random = $this->get_random_bytes(16); $hash = crypt($password, $this->gensalt_blowfish($random)); if (strlen($hash) == 60) return $hash; } if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { if (strlen($random) < 3) $random = $this->get_random_bytes(3); $hash = crypt($password, $this->gensalt_extended($random)); if (strlen($hash) == 20) return $hash; } if (strlen($random) < 6) $random = $this->get_random_bytes(6); $hash = $this->crypt_private($password, $this->gensalt_private($random)); if (strlen($hash) == 34) return $hash; # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new # hashes and for validating passwords against existing hashes. return '*'; } function CheckPassword($password, $stored_hash) { $hash = $this->crypt_private($password, $stored_hash); if ($hash[0] == '*') $hash = crypt($password, $stored_hash); return $hash == $stored_hash; } }

  Read the article

• credit or minclass does not work well with pam_cracklib.so in common-password (opeSuSe 11.3)

  - by Mario

  I'm trying to implement password complexities on my pdc. It's a samba PDC with openLDAP backend. I tried cracklib-check but it looks like that I should have a decent and localize version of password library since the library out there usually comes in english. I also have another consideration that we will allow users to use any kind of password - even though it's dictionary based - as long as their passwords integrated with low/upper alphabet, digits, and other characters such as '$' or '_' (pam_cracklib.so calls them as classes). So here is my /etc/pam.d/common-password: #password requisite pam_pwcheck.so nullok cracklib password requisite pam_cracklib.so minclass=4 reject_username ##password requisite pam_cracklib.so \ ## dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username password optional pam_gnome_keyring.so use_autht_ok password required pam_unix2.so use_authtok nullok The first commented line (with #) was the default configuration of openSuse 11.3. The 2nd/3rd (with leading ##) is another configuration I use when minclass=4 line is commented out. By the way, I have 'check password script' = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict and passdb backend = ldapsam:ldap://127.0.0.1 parameters in smb.conf and cracklib-check works fine too. So here is the test I conduct. I logon to windows and then change my password. Sometimes it works fine that it trows error message - which what I wanted, but simple password with only lower alphabets can pass windows change password. Maybe I should make a new library which incorporates local vocabularies, but a guy out there (raise your hand please if you read this :) ) also experienced the same trouble with english word. Besides, what we really want is to let user to choose 2 or 3 format password out of 4 classes. Is there a bug or something with pam module in openSuse 11.3? Thank you in advance. Regards, Mario

  Read the article

• Secure hash and salt for PHP passwords

  - by luiscubal

  It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. Is “double hashing” a password less secure than just hashing it once? Suggests that hashing multiple times may be a good idea. How to implement password protection for individual files? Suggests using salt. I'm using PHP. I want a safe and fast password encryption system. Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety? Also, I'd prefer the result to have a constant number of characters. The hashing mechanism must be available in PHP It must be safe It can use salt (in this case, are all salts equally good? Is there any way to generate good salts?) Also, should I store two fields in the database(one using MD5 and another one using SHA, for example)? Would it make it safer or unsafer? In case I wasn't clear enough, I want to know which hashing function(s) to use and how to pick a good salt in order to have a safe and fast password protection mechanism. EDIT: The website shouldn't contain anything too sensitive, but still I want it to be secure. EDIT2: Thank you all for your replies, I'm using hash("sha256",$salt.":".$password.":".$id) Questions that didn't help: What's the difference between SHA and MD5 in PHP Simple Password Encryption Secure methods of storing keys, passwords for asp.net How would you implement salted passwords in Tomcat 5.5

  Read the article

• Spring Security: how to implement Brute Force Detection (BFD)?

  - by Kdeveloper

  My web applications security is handled by Spring Security 3.02 but I can't find any out of the box support for Brute Force Detection. I would like to implement some application level BFD protection. For example by storing failed login attempt per user in the database (JPA). The attacked user accounts could then get a lockout period or a forced account re-activation by e-mail. What's the best way to implement this with Spring Security? Does any body have example code or best practices on this?

  Read the article

• Reality behind wireless security - the weakness of encrypting

  - by Cawas

  I welcome better key-wording here, both on tags and title, and I'll add more links as soon as possible. For some years I'm trying to conceive a wireless environment that I'd setup anywhere and advise for everyone, including from big enterprises to small home networks of 1 machine. I've always had the feeling using any kind of the so called "wireless security" methods is actually a bad design. I'm talking mostly about encrypting and pass-phrasing (which are actually two different concepts), since I won't even considering hiding SSID and mac filtering. I understand it's a natural way of thinking. With cable networking nobody can access the network unless they have access to the physical cable, so you're "secure" in the physical way. In a way, encrypting is for wireless what walling (building walls) is for the cables. And giving pass-phrases is adding a door with a key. But the cabling without encryption is also insecure. Someone just need to plugin and get your data! And while I can see the use for encrypting data, I don't think it's a security measure in wireless networks. As I said elsewhere, I believe we should encrypt only sensitive data regardless of wires. And passwords should be added to the users, always, not to wifi. For securing files, truly, best solution is backup. Sure all that doesn't happen that often, but I won't consider the most situations where people just don't care. I think there are enough situations where people actually care on using passwords on their OS users, so let's go with that in mind. For being able to break the walls or the door someone will need proper equipment such as a hammer or a master key of some kind. Same is true for breaking the wireless walls in the analogy. But, I'd say true data security is at another place. I keep promoting the Fonera concept as an instance. It opens up a free wifi port, if you choose so, and anyone can connect to the internet through that, without having any access to your LAN. It also uses a QoS which will never let your bandwidth drop from that public usage. That's security, and it's open. And who doesn't want to be able to use internet freely anywhere you can find wifi spots? I have 3G myself, but that's beyond the point here. If I have a wifi at home I want to let people freely use it for internet as to not be an hypocrite and even guests can easily access my files, just for reading access, so I don't need to keep setting up encryption and pass-phrases that are not whole compatible. I'll probably be bashed for promoting the non-usage of WPA 2 with AES or whatever, but I wanted to know from more experienced (super) users out there: what do you think? Is there really a need for encryption to have true wireless security?

  Read the article

• Linux Debian Security Breach - what now? [closed]

  - by user897075

  Possible Duplicate: My server's been hacked EMERGENCY I installed Debian (Squeeze) a while back in my home network to host some personal sites (thank god). During the installation it prompted me to enter a user other than root - so in a rush I used my name as user and pass (alex/alex for what its worth). I know it's horrible practice but during the setup of this server I'm always logged in as root to perform configurations, etc. Few days or a week passes and I forget to change the password. Then I finally get my web site finished and I open the port forwarding on my router and DynDNS to point to my server in my home. I've done this many times in the past never had issues but I use a cryptic root password and I guess disabled regular accounts. Today I reformat my Windows 7 and after spending all day tweaking and updating SP1 I look for cloning apps and find clonezilla and see it supports SSH cloning, so I go through the process only to discover I need a user, so I log into my web-server and see I have the user 'alex' already in and realize I don't know the password. So I change the password to something cryptic and visit the directory 'home' only to realize their are contents such as passfile, bengos, etc. My heart sinks, I've been hacked!!! Sure as hell there are all sort of scripts and password files. I run a 'last' command and it seems they last logged in april 3rd. Question: What can I do to see if they did anything destructive? Should I reformat and reinstall? How restrictive is Debian/Squeeze in terms of user permissions out of the box - all my personal website stuff was created using 'root' so changing files does not seem to have occured. How did they determine there was a user 'alex' on the machine? Can you query any machine and figure this out? What the users are? Looks like they tried to run a IP scan...other nodes on the network are running Windows 7. One of which seems a little wonky as of late - is it possible they buggered up that system? What corrective action can I take to avoid this from happening again? And figure out what might have changed or been hacked? I'm hoping debian out of box is fairly secure and at best he managed to read some of my source code. :p Regards, Alex

  Read the article

• Will password protected user accounts in XP Pro provide sufficient security for Remote Desktop over

  - by Craig Johnston

  Will password protected user accounts in XP Pro provide sufficient security for Remote Desktop over internet?

  Read the article

• USB key to pass password in Centos 6

  - by Andrew

  I had a room mate that put a livecd in my desktop and looked around on my machine. I caught him in the act and threw him out. I haven't had a room mate for a while now and so as to avoid the livecd issue again I encrypted the hard drive, the machine is running centos 6.3. Is there anyway that I can avoid typing the password in each time if I have usb key in the machine to feed the password to the system? Additional question. Is there anything you can suggest to solve the problem I have ? Thanks

  Read the article

• Password Manager that allows syncing accross platforms

  - by lexu

  I use OS X, Linux, Solaris and windows for work and from home. There are good tools that allow me to manage the many logins/passwords required platform independently. But mostly they expect me to carry a thumb-drive around or require direct access to a central location (a sky drive in the cloud). The thumb-drive is too easily lost (= synchronized backup needed), the central location not always reachable/ mountable. Besides company policy rightly prevents this often. Is there a tool that allows me to add passwords locally and then syncs it's DB with the "mother-ship" later. Or is there another approach that you use, that solves my problem? EDIT My question is more about "synchronize" than cross platform. I've evaluated (=read feature list) some good cross platform tools, but need one that does the synchronizing for me. By synchronize I mean "merge two versions" not "replace (hopefully) old file with new." I'm not sure I'm always disciplined/awake enough to prevent data loss. UPDATE Lifehacker just posted that AgileSolutions now have a beta version of 1Password for Windows.

  Read the article

• How to disable Windows 8 lock screen?

  - by Filip

  So I took a plunge and installed Windows 8 Consumer Preview on my main home PC. So far so good, but there is one annoyance - the system "locks" the computer after a period of inactivity causing me to re-enter my password. I really would like to avoid this, but have no idea how. I already tried the power settings (no pass on wake up) and the screen saver settings with no luck. Is this some sort of bug, or am I missing something? P.S. In this case I favor convenience over security.

  Read the article

• Afraid computer is not secure

  - by Michael James

  I have recently implemented LastPass as a secure password manager. When I changed the password for my email address an associated account ([email protected]) that i had never seen before came up in association with my account. It asked me if i wanted to change password for my account and the "smithfaketester" account I used Google to try and find out what is going on, but came up empty. I am afraid my computer is bot net-ed. Any input is greatly appreciated. I have used google to search for reasons why this fake account was coming up but I did not find any meaningful info.

  Read the article

• How to disabled password authentication for specific users in SSHD

  - by Nick

  I have read several posts regarding restricting ALL users to Key authentication ONLY, however I want to force only a single user (svn) onto Key auth only, the rest can be key or password. I read How to disable password authentication for every users except several, however it seems the "match user" part of sshd_config is part of openssh-5.1. I am running CentOS 5.6 and only have OpenSSH 4.3. I have the following repos available at the moment. $ yum repolist Loaded plugins: fastestmirror repo id repo name status base CentOS-5 - Base enabled: 3,535 epel Extra Packages for Enterprise Linux 5 - x86_64 enabled: 6,510 extras CentOS-5 - Extras enabled: 299 ius IUS Community Packages for Enterprise Linux 5 - x86_64 enabled: 218 rpmforge RHEL 5 - RPMforge.net - dag enabled: 10,636 updates CentOS-5 - Updates enabled: 720 repolist: 21,918 I mainly use epel, rpmforge is used to the latest version (1.6) of subversion. Is there any way to achieve this with my current setup? I don't want to restrict the server to keys only because if I lose my key I lose my server ;-)

  Read the article

• What is a "good" tool to password-protect .pdf files?

  - by Marius Hofert

  What is a "good" tool to encrypt (password protect) .pdf files? (without being required to buy additional software; the protection can be created under linux but the password query should work on Windows, too) I know that zip can do it: zip zipfile_name_without_ending -e files_to_encrypt.foo What I don't like about this is that for a single file, you have to use Winzip to open the zip and then click the file again. I rather would like to be prompted for a password when opening the .pdf (single file case). I know that pdftk can do this: pdftk foo.pdf output foo_protected.pdf user_pw mypassword. The problem here is that the password is displayed in the terminal -- even if you use ... user_pw PROMPT. But in the end you get a password-protected .pdf and you are prompted for the password when opening the file.

  Read the article

• SQL SERVER – Reset SA Password – SQL in Sixty Seconds #066

  - by Pinal Dave

  It has been quite a long time since I posted SQL in Sixty Seconds Video. Here we are back with the new video. One of the most popular question, I often receive is very similar to following: “How do I reset the password for SA username?” “I have forgotten the SA password, what should I do?” “Our DBA just left the job and now noone knows how to reset the SA password. Please help.” Solution Honestly, it is pretty simple to reset the password for SA username. You just have to login to the system where your SQL Server is installed. Open SQL Server Management Studio and login with the help of Windows Authentication. As local system is the admin of the SQL Server, you will get access with administration privileges. Now, open the database, expand Security >> Login folder and right click over SA username. Now, it will bring up the screen where you can change the password for SA. SQL in Sixty Seconds Video I have attempted to explain the same subject in simple words over in following video. Action Item Here are the blog posts I have previously written on the subject of SA password. You can read it over here:  SQL SERVER – Forgot the Password of Username SA Change Password of SA Login Using Management Studio You can subscribe to my YouTube Channel for frequent updates. Reference: Pinal Dave (http://blog.sqlauthority.com)Filed under: Joes 2 Pros, PostADay, SQL, SQL Authority, SQL Query, SQL Server, SQL Tips and Tricks, SQLAuthority Book Review, SQLAuthority News, T SQL, Video

  Read the article

• Save password in WCF adapter binding file

  - by Edmund Zhao

  Binding file for WCF Adapter doesn't save the password no matter it is generated by "Add Generated Items..." wizard in Visual Studio or "Export Bindings..." in administration console. It is by design dut to the consideration of security, but it is very annoying especially when you import bindings which contain multiple WCF send ports. The way to aviod retyping password everytime after an import is to edit the binding file before import. Here is what needs to be done. 1. Find the following string:     &lt;Password vt="1" /&gt; "&lt;" means "<", "&gt;" means ">", "vt" means "Variable Type", variable type 1 is "NULL", so the above string can be translated to "<Password/>" 2. Replace it with:     &lt;Password vt="8"&gt;MyPassword&lt;/Password&gt;    variable type 8 is "string", the above string can be transalted to "<Password>MyPassword</Password>"   Binding file uses a lot of character entity references for XML character encoding purpose. For a list of the special charactor entiy references, you can check from here. ...Edmund Zhao

  Read the article

• Password correct? then redirect [migrated]

  - by RevCity

  So I have this code and I need it to only redirect when the correct password is added. Only problem is that I dont know what to add that will make it only redirect if the password is "hello" I understand that using "view-source" would reveal the password, I don't mind that, its the way I want it. I basically just need to know what to add and where to add it. Sooo: Redirects if "hello" is typed into password field. Does nothing if anything else is put into the password field. <div class="wrapper"> <form class="form1" action="http://google.com"> <div class="formtitle">Enter the password to proceed</div> <div class="input nobottomborder"> <div class="inputtext">Password: </div> <div class="inputcontent"> <input type="password" /> <br/> </div> </div> <div class="buttons"> <input class="orangebutton" type="submit" value="Login" /> </div> </div> I hope this was clear and could be understood.

  Read the article

• Is a security seal or EV SLL more important?

  - by Guy

  Does anybody know of a survey or study that compares site visitor attitudes/perceptions to security between an EV SSL cert and a security seal? The EV SSL cert will show up green in the URL (like a bank) and the security seal is usually in the footer and says something like "secured by" or "hacker proof" or "website protection" I'm looking for evidence that if you could only chose one, which would it be?

  Read the article

• PHP driven site needs password change.

  - by Drea

  I have inherited a website that needs the password changed that accesses the database. I can see that there are two tables within the database but neither of them have username or password info. The previous web guy moved out of the country and can't be reached. I am not up-to-speed enough to figure this out. I have gone through all the files to try and find the answer but can't get it. It's hosted by goDaddy.com and I have changed the passwords there but it didn't change this login info. www.executivehomerents.com/cpanel <-this brings up the prompt for the username & password which I won't give out but the page only gives you 5 choices and none of them deal with changing the password. They are simply to change the data in the tables. If you go to: http://www.websitedatabases.com/ <=this is the company that the PHPMagic program was purchased from-- They have no contact number. Here is another page that might help: http://www.executivehomerents.com/cpanel/dbinput/setup.php I don't think I'll get an answer to this but it's worth a try... thanks.

  Read the article

• Secure method of changing a user's password via Python script/non-interactively

  - by Matthew Rankin

  I've created a Python script using Fabric to configure a freshly built Slicehost Ubuntu slice. In case you're not familiar with Fabric, it uses Paramiko, a Python SSH2 client, to provide remote access "for application deployment or systems administration tasks." One of the first things I have the Fabric script do is to create a new admin user and set their password. Unlike Pexpect, Fabric cannot handle interactive commands on the remote system, so I need to set the user's password non-interactively. At present, I'm using the chpasswd command to change the password. This transmits the password as clear text over SSH to the remote system. Questions Is my current method of setting the password a security concern? Currently, the drawback I see is that Fabric shows the password as clear text on my local system as follows: [xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd. Since I only run the Fabric script from my laptop, I don't think this is a security issue, but I'm interested in others' input. Is there a better method for setting the user's password non-interactively? Another option, would be to use Pexpect from within the Fabric script to set the password. Current Code # Fabric imports and host configuration excluded for brevity root_password = getpass.getpass("Root's password given by SliceManager: ") admin_username = prompt("Enter a username for the admin user to create: ") admin_password = getpass.getpass("Enter a password for the admin user: ") env.user = 'root' env.password = root_password # Create the admin group and add it to the sudoers file admin_group = 'admin' run('addgroup {group}'.format(group=admin_group)) run('echo "%{group} ALL=(ALL) ALL" >> /etc/sudoers'.format( group=admin_group) ) # Create the new admin user (default group=username); add to admin group run('adduser {username} --disabled-password --gecos ""'.format( username=admin_username) ) run('adduser {username} {group}'.format( username=admin_username, group=admin_group) ) # Set the password for the new admin user run('echo "{username}:{password}" | chpasswd'.format( username=admin_username, password=admin_password) ) Local System Terminal I/O $ fab config_rebuilt_slice Root's password given by SliceManager: Enter a username for the admin user to create: johnsmith Enter a password for the admin user: [xxx.xx.xx.xxx] run: addgroup admin [xxx.xx.xx.xxx] out: Adding group `admin' (GID 1000) ... [xxx.xx.xx.xxx] out: Done. [xxx.xx.xx.xxx] run: echo "%admin ALL=(ALL) ALL" >> /etc/sudoers [xxx.xx.xx.xxx] run: adduser johnsmith --disabled-password --gecos "" [xxx.xx.xx.xxx] out: Adding user `johnsmith' ... [xxx.xx.xx.xxx] out: Adding new group `johnsmith' (1001) ... [xxx.xx.xx.xxx] out: Adding new user `johnsmith' (1000) with group `johnsmith' ... [xxx.xx.xx.xxx] out: Creating home directory `/home/johnsmith' ... [xxx.xx.xx.xxx] out: Copying files from `/etc/skel' ... [xxx.xx.xx.xxx] run: adduser johnsmith admin [xxx.xx.xx.xxx] out: Adding user `johnsmith' to group `admin' ... [xxx.xx.xx.xxx] out: Adding user johnsmith to group admin [xxx.xx.xx.xxx] out: Done. [xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd [xxx.xx.xx.xxx] run: passwd --lock root [xxx.xx.xx.xxx] out: passwd: password expiry information changed. Done. Disconnecting from [email protected]... done.

  Read the article

• GlassFish v3: Security related updates + Repository/Publisher?

  - by chris_l

  I've used GlassFish v3.0 as my main development application server for a few weeks now. Now that I want to install it on my VPS, I'd like to get the latest security updates, because Glassfish v3 Release 3.0 (Open Source Edition or not) is already a few months old, and v3.1 is only available as "early access" nightlies (see https://glassfish.dev.java.net/public/downloadsindex.html). GlassFish offers an update mechanism (via pkg or updateTool), but when I simply try to get the latest updates (pkg image-update), it finds nothing. However, when I change the preferred publisher to dev.glassfish.org, I get a list with lots of updates. The interesting thing is, that I haven't been able to find any description about the contents of the diverse publishers/repositories (release, stable, contrib and dev) anywhere on the web, most importantly answering the question: Am I supposed to use the dev repository for security updates, or does it contain unstable updates? (The name suggests unstable updates, but the version numbers, like "3.0.1,0-11:20100331T082227Z" leave me guessing. The build is more than a week old, so it's obviously not "nightly" or "weekly", but what is it?) Where do I get security updates from then? Or are there simply no security updates yet? Asking on the GlassFish forum resulted in 56 views, but 0 answers.

  Read the article

• GlassFish v3: Security related updates?

  - by chris_l

  I've used GlassFish v3.0 as my main development application server for a few weeks now. Now that I want to install it on my VPS, I'd like to get the latest security updates, because Glassfish v3 Release 3.0 (Open Source Edition or not) is already a few months old, and v3.1 is only available as "early access" nightlies (see https://glassfish.dev.java.net/public/downloadsindex.html). GlassFish offers an update mechanism (via pkg or updateTool), but when I simply try to get the latest updates (pkg image-update), it finds nothing. However, when I change the preferred publisher to dev.glassfish.org, I get a list with lots of updates. The interesting thing is, that I haven't been able to find any description about the exact meaning of the diverse publishers/repositories (release, stable, contrib and dev) anywhere on the web, most importantly answering the question: Am I supposed to use the "dev" repository for security updates, or is it (probably more likely) for unstable updates? Where do I get security updates from then? Or are there simply no security updates yet? Asking on the GlassFish forum resulted in 56 views, but 0 answers.

  Read the article

• WCF NetTcpBinding Security - how does it work?

  - by RemotecUk

  Hi, encountered the following problems trying to work through the quagmire of settings in WCF... I created a WCF client server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didnt like the security credentials that were sent. I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the windows user name and password (or some form of domain authentication) to my server which as they are not running on the same domain it would not have liked. However, what I don't understand is as follows: I haven't specified any security in my binding - does the standard settings expect a windows user name or password to be sent? I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or wants it as WCF knew it was on the same machine and encryption isn't needed? I have had to set my security mode on my client and server to "none" now and they connect nicely. However is there any way to encrypt my data without a certificate? Finally... what is the difference between Transport and Message security? To check my understanding (excuse the scenario!) message security is like if I sent a letter from person A to person B and I encode my hand writing to ensure that if anyone intercepts it they cannot read it? Transport Security is if I decide to have my letter sent by armed transport so that no one can get at it along the way? Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I dont want to purchase a certificate and the data isnt that sensitive anyway so its just for my own knowledge. Thanks in advance.

  Read the article

< Previous Page | 18 19 20 21 22 23 24 25 26 27 28 29  | Next Page >