Is it possible to store the SHA value of ansible_become_pass in the vault, instead of the plain text version?
My main use-case is that I already have the SHA value needed to setup the sudo user, I want to use the same SHA value to set the ansible_become_pass. So far ansible_become_pass seems to only accept plain text passwords.
This would avoid the slight kludge of specifying the same password in two different ways in the vault.
Is it possible to store the SHA value of ansible_become_pass in the vault, instead of the plain text version?
No! Of course you cannot.
ansible_become_pass is a password which Ansible provides to the target operation system to authenticate for actions to be performed with sudo on behalf of another user.
You cannot login to any system by providing a password hash instead of using the password.
The whole point of using a hash (one way function) is that it cannot be used for authentication (password retrieval) even if it was compromised.
[ ] avoid the slight kludge of specifying the same password in two different ways in the vault.
You can use the password_hash filter to get a hash of a password, you don't need to store the hashed value alongside a plain-text password.
---
- hosts: localhost
gather_facts: no
connection: local
vars:
plain_text_password: secret
tasks:
- debug:
msg: "{{ plain_text_password | password_hash }}"
- debug:
msg: "{{ plain_text_password | password_hash('sha256') }}"
Related
I have a Docker container which used for a Flask application and I have defined the password in the environment variable like the following
ENV DATABASE_PASSWORD=mypassword
Now in this scenario, I need to put the password in the file and this file is part of the version control. I need to hide the password in such a way that the other people including the DevOps will not be able to get the password. I can do encryption and decryption, but then also, the code is visible and other developers can print the password. I am using psycopg2 to connect to the database and has the following code:
conn = psycopg2.connect(
host=os.environ['DATABASE_HOST'],
database=os.environ['DATABASE_NAME'],
user=os.environ['DATABASE_USER'],
password=os.environ['DATABASE_PASSWORD']
)
I am looking for a way that I can hide the password from the outside. I am not sure this is even possible. Or is there any other way that I can store the passwords and use them in the code? Any service I can use for this purpose? Please suggest.
I freshly installed Grafana and I cannot login at http://localhost:3000/login
All documentation shows that the default user/password should be admin/admin but I'm locked out.
If I go to check into the file C:\Program Files\GrafanaLabs\grafana\defaults.ini the values are set to:
[security]
# disable creation of admin user on first start of grafana
disable_initial_admin_creation = false
# default admin user, created on startup
admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = admin
# used for signing
secret_key = SW2YcwTIb9zpOOhoPsMm
# current key provider used for envelope encryption, default to static value specified by secret_key
encryption_provider = secretKey
If I try to retrieve the password through the e-mail I receive no e-mail.
What am I doing wrong?
The problem come from the grafana.db file. This is where your password is stored.
In your local machine, install the sqlite3 package
sudo apt-get install sqlite3
Login into your sql database
sudo sqlite3 /var/lib/grafana/grafana.db
Reset the admin password using SQL update (the new password will be admin)
sqlite> update user set password = '59acf18b94d7eb0694c61e60ce44c110c7a683ac6a8f09580d626f90f4a242000746579358d77dd9e570e83fa24faa88a8a6', salt = 'F3FAxVm33R' where login = 'admin';
sqlite> .exit
Now, you could log in your Grafana web interface using username: admin and password: admin
Why is the login with admin:admin despite the configuration not working?
One possibility here is that you had Grafana installed previously (and when using it with the admin account already had to change the default password set in the config). In that case, you did not freshly install Grafana but instead upgraded it. That preserves the database including users and passwords, therefore you will have to use the password you set for that account.
Why are you not getting a reset password email?
I can think of two possibilities here: One is that Email is not configured in the Grafana config file and therefore no emails can be sent. The second one is that you did not set the email address for the account in question (afaik defaults to "admin#localhost") and therefore you don't get any emails. Of course it is possible that both is the case.
How can you solve this?
By either resetting the admin password (that will allow you to keep your existing data) or by removing Grafana and all files completely and making a fresh install.
I am trying to contact from a customized helm chart to a fully managed Postgres service on azure, and then I have to put the url connection string according to the app I want to deploy.
I want to ask which value should be the DATABASE_URL at the helm chart deployment?
My situation is the following:
I want to use an external Azure managed PostgreSQL and no the PostgreSQL container that comes with the helm chart.
So in consequence, I modified the DATABASE_URL value, given here to connect to the container inside K8s, I've modified in this way:
name: DATABASE_URL
# value: "postgres://{{ .Values.postgresql.postgresqlUsername }}:$(POSTGRESQL_PASSWORD)#{{ .Release.Name }}-postgresql"
value: "postgres://nmbrs#postgresql-nmb-psfc-stag:$(POSTGRESQL_PASSWORD)#postgresql-nmb-psfc-stag.postgres.database.azure.com/postfacto-staging-db"
but I am getting this error
/usr/local/lib/ruby/2.7.0/uri/generic.rb:208:in `initialize': the scheme postgres does not accept registry part: nmbrs#postgresql-nmb-psfc-stag:mypassword*#postgresql-nmb-psfc-stag.postgres.database.azure.com (or bad hostname?) (URI::InvalidURIError)
Which should be the real DATABASE_URL value if I want to contact to a fully Postgres managed service?
Which is the equivalent value to this?:
value: "postgres://{{ .Values.postgresql.postgresqlUsername }}:$(POSTGRESQL_PASSWORD)#{{ .Release.Name }}-postgresql"
I mean is
postgres//<username>:<my-pg-password>#<WHICH VALUE SHOULD BE HERE?>
What is the value of {{ .Release.Name }}-postgresql" ?
Just for the record, my customize postfacto/deployment/helm/templates/deployment.yaml is this
UPDATE
I changed the value for this
- name: DATABASE_URL
# value: "postgres://{{ .Values.postgresql.postgresqlUsername }}:$(POSTGRESQL_PASSWORD)#{{ .Release.Name }}-postgresql"
# value: "postgres://nmbrs#postgresql-nmb-psfc-stag:$(POSTGRESQL_PASSWORD)#postgresql-nmb-psfc-stag.postgres.database.azure.com:5432/postfacto-staging-db"
value: "postgres://postgresql-nmb-psfc-stag.postgres.database.azure.com/postfacto-staging-db"
And I got a different error:
Caused by:
PG::ConnectionBad: FATAL: Invalid Username specified. Please check the Username and retry connection. The Username should be in <username#hostname> format.
FATAL: Invalid Username specified. Please check the Username and retry connection. The Username should be in <username#hostname> format.
But is not clear how should be the syntax format since this article says:
Next, encode the database credentials. Use the format DB_ADAPTER://USER:PASSWORD#HOSTNAME/DB_NAME. If you are using mysql with a user ‘deploy’ and a password ‘secret’ on 127.0.0.1 and have a database railsapp, run
The format DB_ADAPTER://USER:PASSWORD#HOSTNAME/DB_NAME, it is the same I was using at the beginning
I think the problem with your connection string is, its username has a special character #, which might be breaking the connection string format and causing the validation error.
Your value
- name: DATABASE_URL
value: "postgres://nmbrs#postgresql-nmb-psfc-stag:$(POSTGRESQL_PASSWORD)#postgresql-nmb-psfc-stag.postgres.database.azure.com/postfacto-staging-db"
You can try to do an URL encoding for the username part like
- name: DATABASE_URL
value: "postgres://nmbrs%40postgresql-nmb-psfc-stag:$(POSTGRESQL_PASSWORD)#postgresql-nmb-psfc-stag.postgres.database.azure.com/postfacto-staging-db"
From what I see this helm chart is poorly written, and badly assumes things i.e. the DATABASE_URL has is build to only properly format a kubernetes posgress helm release and nothing else.
What I would suggest:
Instead of installing this chart on k8s by helm, use helm template functionality to locally render the template.
Edit the exported plain manifest, to match your needs
Go to your Azure DB, and get it ConnectionString, depending on how you mange your secrets in k8s, pass it to the DATABASE_URL environment
Manually apply the manifests
I have an old website that I created a folder that's protected with htpasswd. However, it's over a decade old, and I have since forgotten the password. I wish to access the contents of the folder. I'm able to view the directory contents via the control panel, but I'm unable to access the individual protected files.
I have access to the htpasswd file, and it has lines of user:password, where the password seems to be hashed (13 characters, uppercase/lowercase/digits). I tried loading it into John and it detects it as CRYPT, but was unable to crack it even after a few hours. Are there better ways of accessing the files? Given server access, can I reset/remove the password protection? Or, failing that, are there better/faster ways of brute forcing the password hash?
So you have SSH access to the server, but don't remember the values used to generate the passwords stored in the htpasswd file so you can't access them via control panel?
You could just login and rename (disable) the .htaccess file:
$ mv protected_dir/.htaccess protected_dir/.old.htaccess
If you want to crack the old password first read this: https://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils to understand the password format.
Then basically you can use John, but you have to take the password file and append the salt to each password.
$ john --wordlist=passwd_salted.txt passwords_to_crack.txt
Good luck!
I'm running Ubuntu 16.04.2 LTS. When I set up postgres on this box, I thought I entered my username / password in either .bashrc or .profile. I've checked both though and see nothing related to postgres. I also looked at pg_hba.conf but nothing in the way of password / username either. I have no problem accessing pgsql or creating databases and have the username and password.
However, I've been hard coding in the username / password into the development apps. I want to stop that now, so while I have a yaml file with
development:
adapter: postgresql
database: development
username: <%= ENV['PG_USER'] %>
passowrd: <%= ENV['PG_PASS'] %>
host: localhost
I'm not sure how to write the variables and where to store them. I did some searching on this before asking, and some of the info was a bit confusing and more importantly, varied.
Side note - I know database.yaml may not be the best or only option, for now it's the one I'm staying with though.
Storing usernames and passwords into environment variables is unsafe since environment is meant to be accessible and is shared between running programs. Simply store the username and password into yaml file. You can crypt the values if there is a change of non-admin persons to see them.