Search Results

Search found 6090 results on 244 pages for 'digest authentication'.

Page 38/244 | < Previous Page | 34 35 36 37 38 39 40 41 42 43 44 45  | Next Page >

  • Security Pattern to store SSH Keys

    - by Mehdi Sadeghi
    I am writing a simple Flask application to submit scientific tasks to remote HPC resources. My application talks to remote machines in the background via SSH (because it is widely available on various HPC resources). To be able to maintain this connection in the background I need either to use the user's SSH keys on the running machine (when users have passwordless SSH access to the remote machine) or I have to store the user's credentials for the remote machines. I am not sure which path I have to take: should I store the remote machine's username/password or should I store the user's SSH key pair in the database? I want to know what is the correct and safe way to connect to remote servers in the background in the context of a web application.

  • Should OpenID clients accept adding WWW to the domain?

    - by Steve Clay
    For a long time I've used OpenID delegation on my site: http://example.org/ delegated to: http://example.openid-provider.com/, so I logged into OpenID-consuming sites using the former as ID. Recently I added www. to my site's canonical domain so http://example.org/ now redirects to http://www.example.org/. Should I be able to continue logging into existing OpenID accounts using http://example.org/? StackExchange sites say "yes". I can use either URL. At least one other doesn't recognize my existing account. Who's "right" (per spec) and is there anything I can fix on my end?

  • 401 Using Multiple Authentication methods IE 10 only

    - by jon3laze
    I am not sure if this is more of a coding issue or a server setup issue, so I've posted it on Stack Overflow and here... On our production site we've run into an issue that is specific to Internet Explorer 10. I am using jQuery doing an ajax POST to a web service on the same domain and in IE10 I am getting a 401 response; IE9 works perfectly fine. I should mention that we have mirrored code in another area of our site and it works perfectly fine in IE10. The only difference between the two areas is that one is under a subdomain and the other is at the root level: www.my1stdomain.com vs. portal.my2nddomain.com. The directory structure on the server for these is:

        \my1stdomain\webservice\name\service.aspx
        \portal\webservice\name\service.aspx

    Inside of the \portal\ and \my1stdomain\ folders I have a page that does an ajax call; both pages are identical.

        $.ajax({
            type: 'POST',
            url: '/webservice/name/service.aspx/function',
            cache: false,
            contentType: 'application/json; charset=utf-8',
            dataType: 'json',
            data: '{ "json": "data" }',
            success: function() { },
            error: function() { }
        });

    I've verified permissions are the same on both folders on the server side. I've applied a workaround fix of placing <meta http-equiv="X-UA-Compatible" value="IE=9"> to force compatibility view (putting IE into compatibility mode fixes the issue). This seems to be working in IE10 on Windows 7; however, IE 10 on Windows 8 still sees the same issue. These pages are classic ASP with the headers that are being included; also there are no other meta tags being used. The doctype is specified as <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//" "http://www.w3.org/TR/html4/loose.dtd"> on the portal page and <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> on the main domain.

    UPDATE1 I used Microsoft Network Monitor 3.4 on the server to capture the request.
I used the following filter to capture the 401: Property.HttpStatusCode.StringToNumber == 401 This was the response - Http: Response, HTTP/1.1, Status: Unauthorized, URL: /webservice/name/service.aspx/function Using Multiple Authetication Methods, see frame details ProtocolVersion: HTTP/1.1 StatusCode: 401, Unauthorized Reason: Unauthorized - ContentType: application/json; charset=utf-8 - MediaType: application/json; charset=utf-8 MainType: application/json charset: utf-8 Server: Microsoft-IIS/7.0 jsonerror: true - WWWAuthenticate: Negotiate - Authenticate: Negotiate WhiteSpace: AuthenticateData: Negotiate - WWWAuthenticate: NTLM - Authenticate: NTLM WhiteSpace: AuthenticateData: NTLM XPoweredBy: ASP.NET Date: Mon, 04 Mar 2013 21:13:39 GMT ContentLength: 105 HeaderEnd: CRLF - payload: HttpContentType = application/json; charset=utf-8 HTTPPayloadLine: {"Message":"Authentication failed.","StackTrace":null,"ExceptionType":"System.InvalidOperationException"} The thing here that really stands out is Unauthorized, URL: /webservice/name/service.aspx/function Using Multiple Authentication Methods With this I'm still confused as to why this only happens in IE10 if it's a permission/authentication issue. What was added to 10, or where should I be looking for the root cause of this? UPDATE2 Here are the headers from the client machine from fiddler (server information removed): Main SESSION STATE: Done. Request Entity Size: 64 bytes. Response Entity Size: 9 bytes. 
== FLAGS ================== BitFlags: [ServerPipeReused] 0x10 X-EGRESSPORT: 44537 X-RESPONSEBODYTRANSFERLENGTH: 9 X-CLIENTPORT: 44770 UI-COLOR: Green X-CLIENTIP: 127.0.0.1 UI-OLDCOLOR: WindowText UI-BOLD: user-marked X-SERVERSOCKET: REUSE ServerPipe#46 X-HOSTIP: ***.***.***.*** X-PROCESSINFO: iexplore:2644 == TIMING INFO ============ ClientConnected: 14:43:08.488 ClientBeginRequest: 14:43:08.488 GotRequestHeaders: 14:43:08.488 ClientDoneRequest: 14:43:08.488 Determine Gateway: 0ms DNS Lookup: 0ms TCP/IP Connect: 0ms HTTPS Handshake: 0ms ServerConnected: 14:40:28.943 FiddlerBeginRequest: 14:43:08.488 ServerGotRequest: 14:43:08.488 ServerBeginResponse: 14:43:08.592 GotResponseHeaders: 14:43:08.592 ServerDoneResponse: 14:43:08.592 ClientBeginResponse: 14:43:08.592 ClientDoneResponse: 14:43:08.592 Overall Elapsed: 0:00:00.104 The response was buffered before delivery to the client. == WININET CACHE INFO ============ This URL is not present in the WinINET cache. [Code: 2] Portal SESSION STATE: Done. Request Entity Size: 64 bytes. Response Entity Size: 105 bytes. == FLAGS ================== BitFlags: [ClientPipeReused, ServerPipeReused] 0x18 X-EGRESSPORT: 44444 X-RESPONSEBODYTRANSFERLENGTH: 105 X-CLIENTPORT: 44439 X-CLIENTIP: 127.0.0.1 X-SERVERSOCKET: REUSE ServerPipe#7 X-HOSTIP: ***.***.***.*** X-PROCESSINFO: iexplore:7132 == TIMING INFO ============ ClientConnected: 14:37:59.651 ClientBeginRequest: 14:38:01.397 GotRequestHeaders: 14:38:01.397 ClientDoneRequest: 14:38:01.397 Determine Gateway: 0ms DNS Lookup: 0ms TCP/IP Connect: 0ms HTTPS Handshake: 0ms ServerConnected: 14:37:57.880 FiddlerBeginRequest: 14:38:01.397 ServerGotRequest: 14:38:01.397 ServerBeginResponse: 14:38:01.464 GotResponseHeaders: 14:38:01.464 ServerDoneResponse: 14:38:01.464 ClientBeginResponse: 14:38:01.464 ClientDoneResponse: 14:38:01.464 Overall Elapsed: 0:00:00.067 The response was buffered before delivery to the client. 
== WININET CACHE INFO ============ This URL is not present in the WinINET cache. [Code: 2]

  • FB login and privacy policy

    - by Ispuk
    I'm building up a site where the ONLY ONE method for logging in is the FB login button. Now I'm wondering if I need to make users check and read my own site's privacy policy beforehand and accept it in some way; is this needed? The site is for text/purpose sharing, and you can only interact with the site after you are logged in/registered, although you can only navigate lists of users and purposes. Thanks

  • Membership in ASP.Net applications - part 4

    - by nikolaosk
    This is the fourth post in a series of posts regarding ASP.Net built in membership functionality,providers,controls. You can read the first one here . You can read the second post here . You can read the third post here . In this post I will show you how to add users programmatically to a role. In the third post we saw how to get users in a specific role.I will also show you how to delete a user and a role programmatically. 1) Launch Visual Studio 2005,2008/2010. Express editions will work fine....(read more)

  • I cannot enter my password when using sudo to install Sophos AV for Linux

    - by dycharlie
    I cannot type my password, as shown below, after successfully unlocking the root account in Ubuntu 12.04 LTS.

        saintmichael@ubuntu:~$ sudo
        usage: sudo [-D level] -h | -K | -k | -V
        usage: sudo -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid]
        usage: sudo -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user name] [-u user name|#uid] [-g groupname|#gid] [command]
        usage: sudo [-AbEHknPS] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]
        usage: sudo -e [-AknS] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid] file ...
        saintmichael@ubuntu:~$ sudo ./sophos-av/install.sh
        [sudo] password for saintmichael:

  • How I might think like a hacker so that I can anticipate security vulnerabilities in .NET or Java before a hacker hands me my hat [closed]

    - by Matthew Patrick Cashatt
    Premise I make a living developing web-based applications for all form-factors (mobile, tablet, laptop, etc). I make heavy use of SOA, and send and receive most data as JSON objects. Although most of my work is completed on the .NET or Java stacks, I am also recently delving into Node.js. This new stack has got me thinking that I know reasonably well how to secure applications using known facilities of .NET and Java, but I am woefully ignorant when it comes to best practices or, more importantly, the driving motivation behind the best practices. You see, as I gain more prominent clientele, I need to be able to assure them that their applications are secure and, in order to do that, I feel that I should learn to think like a malevolent hacker. What motivates a malevolent hacker: What is their prime mover? What is it that they are most after? Ultimately, the answer is money or notoriety I am sure, but I think it would be good to understand the nuanced motivators that lead to those ends: credit card numbers, damning information, corporate espionage, shutting down a highly visible site, etc. As an extension of question #1--but more specific--what are the things most likely to be sought out by a hacker in almost any application? Passwords? Financial info? Profile data that will gain them access to other applications a user has joined? Let me be clear here. This is not judgement for or against the aforementioned motivations because that is not the goal of this post. I simply want to know what motivates a hacker regardless of our individual judgement. What are some heuristics followed to accomplish hacker goals? Ultimately specific processes would be great to know; however, in order to think like a hacker, I would really value your comments on the broader heuristics followed.
    For example: "A hacker always looks first for the low-hanging fruit such as http spoofing" or "In the absence of a CAPTCHA or other deterrent, a hacker will likely run a cracking script against a login prompt and then go from there." Possibly, "A hacker will try and attack a site via Foo (browser) first as it is known for Bar vulnerability." What are the most common hacks employed when following the common heuristics? Specifics here. Http spoofing, password cracking, SQL injection, etc. Disclaimer I am not a hacker, nor am I judging hackers (Heck--I even respect their ingenuity). I simply want to learn how I might think like a hacker so that I may begin to anticipate vulnerabilities before .NET or Java hands me a way to defend against them after the fact.

  • Password-free logins using your email address only?

    - by Mario
    The state of logins is horrendous. With each site having its own rules for passwords, it can be very hard to remember what variation you used on any given site. Logins are pure pain. One thing I love about Craigslist is that it did away with logins altogether. I know this design may not suit every site, but there's something to their design that beckons to be repeated. OpenID is great on sites that have adopted it, but it's still not standard. Would it be feasible/wise to use an email address as a login and provide no password? The site would send a short-term key directly to your email address. You click on the link and you're in. When you're done, you "logout" and your key is terminated. I've toyed with this idea before. What concerns (i.e. spammers, bots, etc.) would make this impractical or unsafe and could they be overcome?

  • What is the best policy for allowing clients to change email?

    - by Steve Konves
    We are developing a web application with a fairly standard registration process which requires a client/user to verify their email address before they are allowed to use the site. The site also allows users to change their email address after verification (with a re-type email field, as well). What are the pros and cons of having the user re-verify their email? Is this even needed?

    EDIT: Summary of answers and comments below:

        - Over-verification annoys people, so don't use it unless critical
        - Use a "re-type email" field to prevent typos
        - Beware of overwriting known good data with potentially good data
        - Send email to old for notification; to new for verification
        - Don't assume that the user still has access to the old email
        - Identify impact of incorrect email if account is compromised

  • Is browser fingerprinting a viable technique for identifying anonymous users?

    - by SMrF
    Is browser fingerprinting a sufficient method for uniquely identifying anonymous users? What if you incorporate biometric data like mouse gestures or typing patterns? The other day I ran into the Panopticlick experiment EFF is running on browser fingerprints. Of course I immediately thought of the privacy repercussions and how it could be used for evil. But on the other hand, this could be used for great good and, at the very least, it's a tempting problem to work on. While researching the topic I found a few companies using browser fingerprinting to attack fraud. And after sending out a few emails I can confirm at least one major dating site is using browser fingerprinting as but one mechanism to detect fake accounts. (Note: They have found it's not unique enough to act as an identity when scaling up to millions of users. But, my programmer brain doesn't want to believe them). Here is one company using browser fingerprints for fraud detection and prevention: http://www.bluecava.com/ Here is a pretty comprehensive list of stuff you can use as unique identifiers in a browser: http://browserspy.dk/

  • Cannot access system after deleting passwd file

    - by joao rodrigo leao
    I was trying to change my user name and also my /home/username and my system started to crash. I deleted the passwd file but I had a backup named passwd_bkp. I tried to rename this passwd_bkp as passwd and it did not work. No commands were being executed... I was in a terminal window. I re-started my system and now I cannot login. The GRub loads two options: Linux and recovery mode. I tried to open a sessions as root but it says the file system is corrupted. I cannot access my files. Did I lose all my files?

  • Samba issue with sharing directories on NTFS/FAT32

    - by Microkernel
    I have some strange problems with the Samba server. I am using Samba version 3.5.4 on Ubuntu 10.10. I have two Windows XP machines, one on VirtualBox on Ubuntu and another office laptop. The Windows machine on VirtualBox has no issues in accessing the shared folders, but the laptop is not able to access all the shared content. The issue faced on the laptop is the following. Shared folders on ext3 drives have no issues in accessing, but the contents shared on NTFS and FAT32 drives (mounted ones) are not accessible. When I try to open the shared folder, it asks for a user name and password, but doesn't accept them when I provide them (even if I provide admin login details). I changed the workgroup value to the domain_name on the office laptop, but still the problem persists. Here is the smb.conf I am using:

        [global]
        workgroup = XXX.XXX.ORG
        server string = %h server (Samba, Ubuntu)
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        guest ok = Yes

        [homes]
        comment = Home Directories

        [printers]
        comment = All Printers
        path = /var/spool/samba
        read only = No
        create mask = 0700
        printable = Yes
        browseable = No

        [print$]
        comment = Samba server's CD-ROM
        path = /cdrom
        force user = nobody
        force group = nobody
        locking = No

    Workgroup was defined as "HOMENET" before; I changed it to the domain name on the office laptop thinking it was the problem, but to no avail.

  • How to make browser offer "remember password"

    - by Alois Mahdal
    What properties does a login form need to have to trigger "remember password" for all (or most) browsers? Background: For years I have been using Opera, and the rule has been that almost anything that looks like a login form triggers this feature. Now I'm exploring other browsers, and surprisingly find that one of the login forms I visit most often, the Roundcube login page, does not trigger this feature in either Chromium or Firefox (tried various versions and page setups of RC). Since it's on my VPS, I could patch it up and eventually even send that to the RC development team, but I have the unnerving feeling that this must have been solved over and over, and it's just me being blind or something. So again: is there any consensus among browser developers as to when this feature should be triggered? Is there a best practice for webmasters to tell the browser "this is the login page"? Or are all browsers doing their own heuristics?

  • How do you prevent someone from getting a "new free trial period" by just creating a new login?

    - by Clay Nichols
    I am considering several options for the Trial version of our web app. The one I favor the most is the classic trial period. Of course, it's a LOT easier for someone to hack this system. They can defeat the various methods of fingerprinting the user, thusly: Browser cookie: Clear their cookies completely (or just for our site) or use a different device. Although Evercookie may help with the former. Email address: Create a new login (with a new email address) I'm going to monitor things for a while and just see how it goes. If it's a problem I'll consider requiring a credit card number matched to a name and billing zip code. Each such "ID constellation" would be considered one user. Someone could still have multiple credit card numbers but we could flag the same name+zipcode coming up again. Are there any better ways to do this?

  • Sign In With Facebook - Business Issues

    - by Joshiatto
    I've got an issue where this company wants to provide all sorts of whiz bang features to their users that require an insane number of facebook permissions for their FB app. Being that my name is going to be attached to this, I would rather give them a solution which allows for easy sign in and asks for the minimum permissions up front. This would give them a huge boost in registrations and activity publishing across the site with the potential to "go viral". If we ask for a ton of permissions up front I know for a fact we will not go viral and will probably incur much wrath from the blogosphere. What would you do?

  • Retrieve Windows 8 Product Key from mainboard

    - by Brewer Gorge
    My new laptop came preinstalled with Windows 8. Naively, as I am, I just formatted the hard drive and installed fine old Ubuntu. Now I want to install Windows 8 for dual boot again, but I have no DVD, and to download the ISO one needs a product key. That key is not on the back of the laptop anymore but somewhere on the mainboard. Is there any way to recover the product key from the mainboard using Ubuntu?
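
On machines that ship with Windows 8 preinstalled, the OEM product key lives in the firmware's ACPI MSDM table, which Linux exposes read-only as /sys/firmware/acpi/tables/MSDM (root is needed to read it). The Python below is an added example, not code from the question: it parses that table (a 36-byte standard ACPI header, then five 32-bit fields: version, reserved, data type, data reserved, data length, followed by the key as ASCII), checks the signature, declared length and ACPI checksum before trusting the data length, and embeds a constructed table so it runs without the hardware. read_oem_key() pointed at the real path is what you would run on the laptop.

```python
import struct

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# MSDM body that follows the header: version, reserved, data type,
# data reserved, data length; the key bytes come right after.
MSDM_BODY = struct.Struct("<IIIII")
MSDM_PATH = "/sys/firmware/acpi/tables/MSDM"


def acpi_checksum_ok(table: bytes) -> bool:
    """All bytes of an ACPI table, checksum byte included, sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_msdm(table: bytes) -> str:
    """Extract the OEM product key from a raw MSDM table; raise ValueError if it is not one."""
    if len(table) < ACPI_HEADER.size + MSDM_BODY.size:
        raise ValueError("table too short for an MSDM")
    signature, length = ACPI_HEADER.unpack_from(table, 0)[:2]
    if signature != b"MSDM":
        raise ValueError("not an MSDM table: signature %r" % signature)
    if length != len(table):
        raise ValueError("length field %d does not match %d bytes read" % (length, len(table)))
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch (truncated or corrupt dump)")
    _version, _, _data_type, _, data_len = MSDM_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + MSDM_BODY.size
    key = table[start:start + data_len]
    if len(key) != data_len:
        raise ValueError("data length %d runs past end of table" % data_len)
    return key.decode("ascii").rstrip("\x00")


def read_oem_key(path: str = MSDM_PATH) -> str:
    """Read the firmware table (needs root; absent on machines without an OEM key)."""
    with open(path, "rb") as fh:
        return parse_msdm(fh.read())


def build_sample_msdm(key: str) -> bytes:
    """Constructed table for offline testing; not a dump from real firmware."""
    body = MSDM_BODY.pack(1, 0, 1, 0, len(key)) + key.encode("ascii")
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"MSDM", length, 3, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    table = header + body
    checksum = (-sum(table)) % 256          # make the whole table sum to zero
    return table[:9] + bytes([checksum]) + table[10:]


if __name__ == "__main__":
    try:
        print(read_oem_key())
    except OSError as exc:
        print("no MSDM table readable here (%s); parsing the constructed sample instead:" % exc)
        print(parse_msdm(build_sample_msdm("AAAAA-BBBBB-CCCCC-DDDDD-EEEEE")))
```

The key in the sample is a placeholder pattern, not a real product key. If the sysfs file is missing the machine has no OEM key in firmware and nothing here will find one.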

  • Use Outlook password for website verification

    - by Jack Lockyer
    I am currently building an internal employee dashboard for our global company (it is hosted on an external website for logistical reasons). I'd like (need) to password protect the page as we will be displaying sensitive information. My question is: is it possible to integrate with Outlook passwords? We have over 350 staff, all of whom use Outlook on a daily basis. I'd love for the website to check whether the visitor is logged into Outlook and, if they're not, prompt them to log in. Is it possible?? If it is, I'll get it developed straight away.

  • Identity verification

    - by acjohnson55
    On a site that I'm working on, I'm trying to find ways of enforcing a one-person, one-account rule. In general, we'd like to do this by providing options to authenticate users with third-party services that provide this assurance. For example, it's possible to authenticate with Facebook and check whether the user is considered "verified" by Facebook (which means they must have provided either a phone number or credit card). This is roughly the level of identity verification we require--we're not doing banking or anything like that. But we want to give the user options. My question is, who else, besides Facebook, provides this? (uncertain of the proper SE forum, please comment if there's a better SE site to ask this)

  • Authorization pop-up requested by http://localhost:51675 every time I run Firefox

    - by user10711
    Using Ubuntu 10.04. Whenever I run Firefox I get a pop up requesting authorisation. It says 'a user name and password are being requested by http://localhost:51675. The site says "server" I have tried all passwords I know and nothing is accepted. If I click 'cancel' it disappears but re-appears after about 5 minutes. This whole 'experience' is accompanied by a great deal of hard disc activity. Can anyone help with this?

  • nginx returning authentication in IE

    - by James MacLeod
    I am having a few issues with an nginx server. I have a site set up that keeps requesting authentication when accessed from IE, but in Firefox and Safari the site is fine, with no request for authentication. Reading around the web I can see that it could be the gzip that may be causing errors, but the other sites are working without issue. Here is the config:

        user sysadmin sysadmin;
        worker_processes 8;
        error_log logs/error.log debug;

        events {
            worker_connections 1024;
        }

        http {
            passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-2.2.9;
            passenger_ruby /usr/bin/ruby1.8;
            include mime.types;
            default_type application/octet-stream;
            client_header_timeout 3m;
            client_body_timeout 3m;
            client_max_body_size 5m;
            send_timeout 3m;
            client_header_buffer_size 1k;
            large_client_header_buffers 4 4k;
            gzip on;
            gzip_min_length 1100;
            gzip_buffers 4 8k;
            gzip_types text/plain;
            output_buffers 1 32k;
            postpone_output 1460;
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 75 20;

            server {
                listen 80;
                server_name .reg-power.com .reg-power.co.uk .reg-power.eu .reg-power.eu.com .reg-power.net .reg-power.org .reg-power.org.uk .reg-power.uk.com .regegen.eu .regpower.co.uk .regpower.eu .regpower.eu.com .regpower.net .regpower.org .regpower.org.uk .regpower.uk.com .renegen.com .renegen.eu .renewableenergygeneration.co.uk .renewableenergygeneration.com reg.rails1.flowhost.co.uk;
                root /home/sysadmin/reg/current/public;
                passenger_enabled on;
                rails_env production;
                index index.html;
            }

            server {
                listen 80;
                server_name media.reg-power.com;
                root /home/sysadmin/admin/current/public;
                index index.html;
            }

            server {
                listen 80;
                server_name admin.reg-power.com admin.rails1.flowhost.co.uk;
                root /home/sysadmin/admin/current/public;
                passenger_enabled on;
                rails_env production;
                index index.html;
            }

            server {
                listen 80;
                server_name .livingfuels.co.uk livingfuels.rails1.flowhost.co.uk;
                root /home/sysadmin/livingfuels/current/public;
                passenger_enabled on;
                rails_env production;
                index index.html;
            }

            server {
                listen 80;
                server_name .regbiopower.com .regbiopower.co.uk regbiopower.rails1.flowhost.co.uk;
                root /home/sysadmin/regbiopower/current/public;
                passenger_enabled on;
                rails_env production;
                index index.html;
            }

            server {
                listen 80;
                server_name .clpwindprojects.co.uk clp.rails1.flowhost.co.uk;
                access_log /home/sysadmin/clp/logs/access.log;

                location / {
                    root /home/sysadmin/clp;
                    index index.php;
                    if (-f $request_filename) {
                        expires 30d;
                        break;
                    }
                    if (!-e $request_filename) {
                        rewrite ^(.+)$ /index.php?q=$1 last;
                    }
                }

                location ~ .php$ {
                    fastcgi_pass 127.0.0.1:49232; # this must point to the socket spawn_fcgi is running on.
                    fastcgi_index index.php;
                    fastcgi_param SCRIPT_FILENAME /home/sysadmin/clp$fastcgi_script_name; # same path as above
                    fastcgi_param QUERY_STRING $query_string;
                    fastcgi_param REQUEST_METHOD $request_method;
                    fastcgi_param CONTENT_TYPE $content_type;
                    fastcgi_param CONTENT_LENGTH $content_length;
                    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
                    fastcgi_param REQUEST_URI $request_uri;
                    fastcgi_param DOCUMENT_URI $document_uri;
                    fastcgi_param DOCUMENT_ROOT /home/sysadmin/clp;
                    fastcgi_param SERVER_PROTOCOL $server_protocol;
                    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
                    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
                    fastcgi_param REMOTE_ADDR $remote_addr;
                    fastcgi_param REMOTE_PORT $remote_port;
                    fastcgi_param SERVER_ADDR $server_addr;
                    fastcgi_param SERVER_PORT $server_port;
                    fastcgi_param SERVER_NAME $server_name;
                }
            }
        }

    As you can see there is no reference to HTTP authentication.

  • What .NET objects should I use to create a cookie based session in MVC?

    - by makerofthings7
    I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions. Namely I need to invoke a workflow and collect information from the end user (backup phone number, email address) after the user logs in using a custom form. The only way I know to create a cookie-based session (without too much "innovation" on my part) is to use WIF. What other standard objects can I use with ASP.NET MVC to create an authenticated session that works with non-windows user stores? Ideally I can store "role" or claim information in the session object such as "admin", "departmentXadmin", "normalUser", or "restrictedUser" The workflow would look like this: User logs in with username and password If the username and pw are correct a (stateless) cookie based session is created The user gets redirected to a HTML form that allows them to enter their backup phone number (for SMS dual factor), or validate it if already set. The user can then change their password using the form provided The "forgot password" would look like this User requests OTP code to be sent to the phone User logs in using username and OTP If the OTP is valid and not expired then create a cookie based session and redirect to a form that allows password reset Show password reset form, and process results.
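
The "(stateless) cookie based session" in step 2 of the workflow above can be built from nothing more than an HMAC. The Python below is an added illustration of that pattern, not ASP.NET MVC, WIF or anything from the question: the cookie value carries the user id, the role claims ("admin", "departmentXadmin", "normalUser", "restrictedUser" style strings) and an expiry as canonical JSON, followed by an HMAC-SHA256 over those bytes under a server-side key. No session table is needed, and any change to the claims fails the MAC check, which runs before the JSON is parsed. The OTP step is not modelled. The signing key here is constructed for the demo; a deployment derives it from os.urandom(32) and keeps it out of source control.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Server-side signing key. Constructed for the demo only: derive a real one
# from os.urandom(32) and rotate it if it ever leaks.
SESSION_KEY = hashlib.sha256(b"constructed demo session key").digest()


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so the MAC input is deterministic."""
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_session(user_id, roles, ttl_seconds=15 * 60, key=SESSION_KEY, now=None):
    """Cookie value = base64url(claims JSON) '.' base64url(HMAC-SHA256(key, claims JSON))."""
    issued = time.time() if now is None else now
    claims = {"sub": user_id, "roles": sorted(roles), "exp": int(issued + ttl_seconds)}
    body = encode_claims(claims)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def read_session(cookie, key=SESSION_KEY, now=None):
    """Return the claims if the cookie is authentic and unexpired, otherwise None.
    The MAC is verified before the body is parsed, so untrusted JSON is never decoded."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):    # constant-time comparison
        return None
    claims = json.loads(body)
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


def has_role(cookie, role, **kwargs):
    """The check a controller makes before, say, showing the department admin page."""
    claims = read_session(cookie, **kwargs)
    return claims is not None and role in claims["roles"]
```

Stateless cuts both ways: there is no server-side record to revoke, so a stolen cookie is good until "exp". Keep the lifetime short, mark the cookie Secure and HttpOnly, and re-issue it rather than extending it.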

  • Using only password to authenticate user (no "username" field)

    - by Guy
    I am creating a client access system to allow them to manage invoices, make payments, and access information about their products and similar information/functionality. Supposedly there are fewer than 1000 clients. Would there be any security threat in using only a password (UUID v4 strings) to authenticate users? My thoughts:

        - There is virtually no probability of collision or success with a brute-force attack. http://en.wikipedia.org/wiki/UUID#Random%5FUUID%5Fprobability%5Fof%5Fduplicates
        - User friendly (one click go)
        - It is not intended to be remembered
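
Mario's e-mailed short-term key (the "Password-free logins using your email address only?" question earlier on this page) and Guy's UUID-as-the-only-credential design above are the same primitive: an opaque, high-entropy bearer secret that the server must store in a form which does not help whoever reads the database. The Python below is an added example that belongs to neither question. It issues tokens with the secrets module (or accepts a UUIDv4 for Guy's variant), stores only a SHA-256 hash together with an expiry and a single-use flag, looks tokens up by hash, and reports the entropy of a version-4 UUID (122 random bits). Guessing is not the realistic threat at that size; leakage of the token itself (URLs in logs and browser history, Referer headers, a forwarded e-mail) and replay are, which is why the link variant is short-lived and one-shot. TokenStore is an in-memory dict standing in for the database; the clock is injectable so expiry can be tested.

```python
import hashlib
import secrets
import time
import uuid

TOKEN_BYTES = 32                       # 256 random bits per generated token


def uuid4_entropy_bits():
    """A version-4 UUID has 128 bits, 6 of them fixed (version and variant)."""
    return 128 - 6


def is_uuid4(text):
    try:
        return uuid.UUID(text).version == 4
    except ValueError:
        return False


def hash_token(token):
    """Tokens are unguessable, so a plain hash suffices: a DB dump then yields nothing usable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Stand-in for the credentials table: token hash -> record. Plaintext is never kept."""

    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock            # injectable so expiry can be tested offline

    def issue(self, user_id, ttl_seconds=None, single_use=False, token=None):
        """Return the plaintext token to hand to the user exactly once; store only its hash.
        token=None generates one; pass str(uuid.uuid4()) for the UUID-as-password variant."""
        if token is None:
            token = secrets.token_urlsafe(TOKEN_BYTES)
        expires = None if ttl_seconds is None else self._clock() + ttl_seconds
        self._rows[hash_token(token)] = {
            "user": user_id, "expires": expires, "single_use": single_use, "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user id for a valid token, else None. Burns single-use tokens."""
        # The lookup key is the hash of an unpredictable value, so dict timing
        # reveals nothing useful; no constant-time comparison is needed here.
        row = self._rows.get(hash_token(token))
        if row is None or row["used"]:
            return None
        if row["expires"] is not None and self._clock() > row["expires"]:
            return None
        if row["single_use"]:
            row["used"] = True
        return row["user"]

    def revoke(self, token):
        """The 'logout' in the e-mail-link design: the key is terminated server-side."""
        return self._rows.pop(hash_token(token), None) is not None


def magic_link_flow(store, user_id, base_url):
    """Issue a 15-minute, one-shot login link of the kind the e-mail-only design needs."""
    token = store.issue(user_id, ttl_seconds=15 * 60, single_use=True)
    return base_url.rstrip("/") + "/login?token=" + token


def uuid_credential_flow(store, user_id):
    """The UUID-only variant: a long-lived random UUID is the whole credential."""
    return store.issue(user_id, token=str(uuid.uuid4()))
```

For the link variant, have the landing page complete the login with a POST rather than on the GET itself, since mail scanners and link previewers fetch URLs and would otherwise burn the single-use token before the user clicks. For the UUID variant, the string is a password in every respect: it goes over TLS only, never into a URL, and the user has to be told it is the thing to keep secret.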

  • methods DSA_do_verify and SHA1 (OpenSSL library for Windows)

    - by Rei
    I am working on a program to authenticate an ENC signature file using OpenSSL for Windows, specifically the DSA_do_verify(...) and SHA1(...) methods, but am having problems as the result from DSA_do_verify is always 0 (invalid). I am using the signature file of test set 4B from the IHO S-63 Data Protection Scheme, and also the SA public key (downloadable from IHO) for verification. Below is my program; can anyone help to see where I have gone wrong, as I have tried many ways but failed to get the verification to be valid? Thanks.

    The signature file from test set 4B:

        // Signature part R: 3F14 52CD AEC5 05B6 241A 02C7 614A D149 E7D6 C408.
        // Signature part S: 44BB A3DB 8C46 8D11 B6DB 23BE 1A79 55E6 B083 7429.
        // Signature part R: 93F5 EF86 1FF6 BA6F 1C2B B9BB 7F36 0C80 2F9B 2414.
        // Signature part S: 4877 8130 12B4 50D8 3688 B52C 7A84 8E26 D442 8B6E.
        // BIG p C16C BAD3 4D47 5EC5 3966 95D6 94BC 8BC4 7E59 8E23 B5A9 D7C5 CEC8 2D65 B682 7D44 E953 7848 4730 C0BF F1F4 CB56 F47C 6E51 054B E892 00F3 0D43 DC4F EF96 24D4 665B.
        // BIG q B7B8 10B5 8C09 34F6 4287 8F36 0B96 D7CC 26B5 3E4D.
        // BIG g 4C53 C726 BDBF BBA6 549D 7E73 1939 C6C9 3A86 9A27 C5DB 17BA 3CAC 589D 7B3E 003F A735 F290 CFD0 7A3E F10F 3515 5F1A 2EF7 0335 AF7B 6A52 11A1 1035 18FB A44E 9718.
        // BIG y 15F8 A502 11C2 34BB DF19 B3CD 25D1 4413 F03D CF38 6FFC 7357 BCEE 59E4 EBFD B641 6726 5E5F 0682 47D4 B50B 3B86 7A85 FB4D 6E01 8329 A993 C36C FD9A BFB6 ED6D 29E0.

    dataServer_pkeyfile.txt (extracted from above):

        // BIG p C16C BAD3 4D47 5EC5 3966 95D6 94BC 8BC4 7E59 8E23 B5A9 D7C5 CEC8 2D65 B682 7D44 E953 7848 4730 C0BF F1F4 CB56 F47C 6E51 054B E892 00F3 0D43 DC4F EF96 24D4 665B.
        // BIG q B7B8 10B5 8C09 34F6 4287 8F36 0B96 D7CC 26B5 3E4D.
        // BIG g 4C53 C726 BDBF BBA6 549D 7E73 1939 C6C9 3A86 9A27 C5DB 17BA 3CAC 589D 7B3E 003F A735 F290 CFD0 7A3E F10F 3515 5F1A 2EF7 0335 AF7B 6A52 11A1 1035 18FB A44E 9718.
        // BIG y 15F8 A502 11C2 34BB DF19 B3CD 25D1 4413 F03D CF38 6FFC 7357 BCEE 59E4 EBFD B641 6726 5E5F 0682 47D4 B50B 3B86 7A85 FB4D 6E01 8329 A993 C36C FD9A BFB6 ED6D 29E0.

    Program abstract:

        #include <QByteArray>
        #include <QFile>
        #include <openssl/bn.h>
        #include <openssl/dsa.h>
        #include <openssl/sha.h>

        QByteArray pk_data;
        QFile pk_file("./dataServer_pkeyfile.txt");
        if (pk_file.open(QIODevice::Text | QIODevice::ReadOnly)) {
            pk_data.append(pk_file.readAll());
        }
        pk_file.close();

        unsigned char ptr_sha_hashed[20];
        unsigned char *ptr_pk_data = (unsigned char *)pk_data.data();
        // openssl SHA1 hashing algorithm
        SHA1(ptr_pk_data, pk_data.length(), ptr_sha_hashed);

        DSA_SIG *dsasig = DSA_SIG_new();
        char ptr_r[] = "93F5EF861FF6BA6F1C2BB9BB7F360C802F9B2414"; // from test set 4B
        char ptr_s[] = "4877813012B450D83688B52C7A848E26D4428B6E"; // from test set 4B
        if (BN_hex2bn(&dsasig->r, ptr_r) == 0) return 0;
        if (BN_hex2bn(&dsasig->s, ptr_s) == 0) return 0;

        DSA *dsakeys = DSA_new();
        // the following values are from the SA public key
        char ptr_p[] = "FCA682CE8E12CABA26EFCCF7110E526DB078B05EDECBCD1EB4A208F3AE1617AE01F35B91A47E6DF63413C5E12ED0899BCD132ACD50D99151BDC43EE737592E17";
        char ptr_q[] = "962EDDCC369CBA8EBB260EE6B6A126D9346E38C5";
        char ptr_g[] = "678471B27A9CF44EE91A49C5147DB1A9AAF244F05A434D6486931D2D14271B9E35030B71FD73DA179069B32E2935630E1C2062354D0DA20A6C416E50BE794CA4";
        char ptr_y[] = "963F14E32BA5372928F24F15B0730C49D31B28E5C7641002564DB95995B15CF8800ED54E354867B82BB9597B158269E079F0C4F4926B17761CC89EB77C9B7EF8";
        if (BN_hex2bn(&dsakeys->p, ptr_p) == 0) return 0;
        if (BN_hex2bn(&dsakeys->q, ptr_q) == 0) return 0;
        if (BN_hex2bn(&dsakeys->g, ptr_g) == 0) return 0;
        if (BN_hex2bn(&dsakeys->pub_key, ptr_y) == 0) return 0;

        int result; // valid = 1, invalid = 0, error = -1
        result = DSA_do_verify(ptr_sha_hashed, 20, dsasig, dsakeys); // result is 0 (invalid)
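
A verification that returns 0 rather than -1 means the arithmetic ran and simply did not match: the (hash, r, s, y) tuple is inconsistent, and by far the most common reason is that the bytes being hashed are not exactly the bytes the signer hashed (a trailing newline, CRLF versus LF, or a label line that should or should not be included is enough). The Python below is an added example, not the questioner's program and not OpenSSL: it writes the DSA verification equation out in plain arithmetic using the p, q and g the question passes to DSA_new() (a 512-bit group, far too small for real use, kept only so the numbers match the question), and adds a parser for the "// BIG p ..." and "// Signature part R: ..." lines exactly as printed above. Its verify() is the same check DSA_do_verify performs, so if it accepts a (hash, r, s, y) that OpenSSL rejects, the problem is in how the C side builds the DSA or the BIGNUMs, and if both reject, the input bytes are the suspect. Which bytes S-63 actually signs is something this code cannot decide; that has to come from the S-63 specification.

```python
import hashlib
import secrets

# DSA domain parameters copied from the ptr_p / ptr_q / ptr_g strings in the
# question.  p is only 512 bits, far too small for real use; it is kept so the
# arithmetic here matches what the question feeds to DSA_do_verify.
P = int("FCA682CE8E12CABA26EFCCF7110E526DB078B05EDECBCD1EB4A208F3AE1617AE"
        "01F35B91A47E6DF63413C5E12ED0899BCD132ACD50D99151BDC43EE737592E17", 16)
Q = int("962EDDCC369CBA8EBB260EE6B6A126D9346E38C5", 16)
G = int("678471B27A9CF44EE91A49C5147DB1A9AAF244F05A434D6486931D2D14271B9E"
        "35030B71FD73DA179069B32E2935630E1C2062354D0DA20A6C416E50BE794CA4", 16)


def parse_s63_hex(line):
    """Turn one '// BIG p C16C BAD3 ...' or '// Signature part R: 3F14 ...'
    line, as printed in the question, into an integer."""
    body = line.strip().lstrip("/").strip().rstrip(".")
    if ":" in body:                        # "Signature part R: ..."
        body = body.split(":", 1)[1]
    elif body.startswith("BIG"):           # "BIG p ..."
        body = body.split(None, 2)[2]
    return int("".join(body.split()), 16)


def params_ok():
    """q must divide p-1 and g must generate the order-q subgroup."""
    return (P - 1) % Q == 0 and 1 < G < P and pow(G, Q, P) == 1


def public_key_ok(y):
    """A public key outside the order-q subgroup makes verification meaningless."""
    return 1 < y < P and pow(y, Q, P) == 1


def sha1_int(data):
    """SHA1(data) as the integer DSA signs; OpenSSL's SHA1() yields the same 20 bytes."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1       # private key in [1, q-1]
    return x, pow(G, x, P)


def sign(x, data):
    h = sha1_int(data)
    while True:
        k = secrets.randbelow(Q - 1) + 1   # fresh nonce per signature; reusing k leaks x
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s != 0:
            return r, s


def verify(y, data, r, s):
    """Same check as DSA_do_verify(SHA1(data), 20, sig, key) == 1; True means valid."""
    if not (0 < r < Q and 0 < s < Q):      # out-of-range r or s is rejected outright
        return False
    w = pow(s, -1, Q)
    u1 = (sha1_int(data) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def roundtrip():
    """Sign a constructed message and check that only the exact bytes verify."""
    x, y = keygen()
    msg = b"constructed stand-in for the exact bytes the signer hashed"
    r, s = sign(x, msg)
    # One extra newline is enough to turn a valid signature into 'invalid'.
    return verify(y, msg, r, s) and not verify(y, msg + b"\n", r, s)
```

To compare against the C program: feed parse_s63_hex() the R, S and y lines, hash the candidate file bytes with sha1_int(), and call verify(); also run public_key_ok() on the y you loaded, since a mis-copied or wrong-group key fails silently in both implementations.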

  • Authenticating users for a website

    - by MCB
    I'm working on a website and I want to validate that an individual is an employee at one of a large number of companies (probably using their company's email address, which I don't know before hand). The idea being some users are the general public and others are from these companies. And I need some way to authenticate that the users claiming to be employees are being honest while still having a friendly enough UI. I did an informal survey of people I know and the domains and emails will match in a majority of cases but they might not always match exactly so you might have a company with a website foo.com and an email [email protected] (although foobar.com did redirect back to foo.com). And while I can easily check that I'm not sure what other variations might be out there (maybe fooLA.com and email [email protected], etc.)
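
For the website-versus-e-mail comparison in the question above, the meaningful check is on the registrable domain (foo.com for both www.foo.com and mail.foo.com, but never foobar.com), not on substring containment. The Python below is an added example, not from the question: it extracts the domain from a claimed address, reduces both sides to their registrable domain using a suffix list, and compares. The suffix list here is a constructed stub of a few entries standing in for the real Public Suffix List, which a deployment should load instead. Cases like fooLA.com versus foo.com are different registrable domains and cannot be inferred; they have to be whitelisted per company, which the extra_domains parameter is for. Ownership of the mailbox is still established only by sending a verification message to it.

```python
import re

# Constructed stub; load the real Public Suffix List in production.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "org.uk"}

# Deliberately strict: one local part, one host with a dotted TLD, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def email_domain(address):
    """Host part of a syntactically plausible address, lower-cased, or None."""
    match = EMAIL_RE.match(address.strip())
    return match.group(1).lower().rstrip(".") if match else None


def registrable_domain(host):
    """'mail.foo.co.uk' -> 'foo.co.uk', 'www.foo.com' -> 'foo.com', bare suffix -> None."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i >= 1 else None
    return None


def email_matches_company(address, company_host, extra_domains=()):
    """True when the address's registrable domain is the company site's or an explicitly allowed one."""
    domain = email_domain(address)
    if domain is None:
        return False
    allowed = {registrable_domain(company_host)}
    allowed.update(registrable_domain(extra) for extra in extra_domains)
    allowed.discard(None)
    return registrable_domain(domain) in allowed
```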

  • How to configure ubuntu ldap client to get password policies from server?

    - by Rafaeldv
    I have an LDAP server on CentOS, 389-ds. I configured the client, Ubuntu 12.04, to authenticate on that base and it works very well. But it doesn't get the password policies from the server. For example, if I set the policy to force the user to change the password on first login, Ubuntu ignores it and logs him in, always. How can I set up the client to get the policies? Here are the client files:

    /etc/nsswitch.conf

        passwd:         files ldap
        group:          files ldap
        shadow:         files ldap
        hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
        networks:       files
        protocols:      db files
        services:       db files
        ethers:         db files
        rpc:            db files
        netgroup:       nis
        sudoers:        ldap files

    common-auth

        auth    [success=2 default=ignore]  pam_unix.so nullok_secure
        auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
        auth    requisite                   pam_deny.so
        auth    required                    pam_permit.so
        auth    optional                    pam_cap.so

    common-account

        account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
        account [success=1 default=ignore]  pam_ldap.so
        account requisite                   pam_deny.so
        account required                    pam_permit.so

    common-password

        password requisite                  pam_cracklib.so retry=3 minlen=8 difok=3
        password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
        password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
        password requisite                  pam_deny.so
        password required                   pam_permit.so
        password optional                   pam_gnome_keyring.so

    common-session

        session [default=1]                 pam_permit.so
        session requisite                   pam_deny.so
        session required                    pam_permit.so
        session optional                    pam_umask.so
        session required                    pam_unix.so
        session optional                    pam_ldap.so
        session optional                    pam_ck_connector.so nox11
        session optional                    pam_mkhomedir.so skel=/etc/skel umask=0022

    /etc/ldap.conf

        base dc=a,dc=b,dc=c
        uri ldaps://a.b.c/
        ldap_version 3
        rootbinddn cn=directory manager
        pam_password md5
        sudoers_base ou=SUDOers,dc=a,dc=b,dc=c
        pam_lookup_policy yes
        pam_check_host_attr yes
        nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

    /etc/ldap/ldap.conf

        BASE dc=a,dc=b,dc=c
        URI ldaps://a.b.c/
        ssl on
        use_sasl no
        tls_checkpeer no
        sudoers_base ou=SUDOers,dc=a,dc=b,dc=c
        sudoers_debug 2
        pam_lookup_policy yes
        pam_check_host_attr yes
        pam_lookup_policy yes
        pam_check_host_attr yes
        TLS_CACERT /etc/ssl/certs/ca-certificates.crt
        TLS_REQCERT never
