How to programmatically (Python) authenticate username/password using OS users - python

I'm writing a Python program which allows users to log in to it. I don't want to implement my own authentication but would rather take advantage of the OS (Linux) mechanism. That is, when the user is trying to sign in to my app by inputting a username/password pair (which should be a valid OS user), I need to authenticate the pair by the OS. How to do that? It may need the subprocess module, yet I've tried with no luck.

Try using PAM via Python PAM or similar

That should be possible by having your script read the /etc/passwd and /etc/shadow files, which contain details about usernames and passwords on a Linux system. Do note that the script will have to have read access to the files, which depending on the situation may or may not be possible.
Here are two good articles explaining the format of those files, which should tell you everything you need to know in order to have your script read and understand them:
Understanding /etc/passwd File Format
Understanding /etc/shadow File Format
By the way, when it talks about encrypted password, it means that it has been encrypted using the DES algorithm. You'll probably need to use pyDes or another python implementation of the DES algorithm in order for your script to create an encrypted password that it can compare to the one in /etc/shadow.
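An added example, not part of the original answers: a parser for the /etc/shadow line layout referred to above that reports which crypt(3) scheme each entry uses (identified by its `$id$` prefix, or by the 13-character form of traditional DES crypt) and lists entries with a weak, missing or unrecognised hash. The sample lines and all names are constructed for illustration.

```python
# Added example: classify /etc/shadow entries by password-hash scheme.
# shadow(5): nine colon-separated fields; the second is a crypt(3) string
# ("$id$...$hash"), a lock marker ("!" or "*"), or empty.
from collections import namedtuple

# crypt(5) "$id$" prefixes mapped to scheme names.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
NEEDS_REVIEW = {"descrypt", "md5crypt", "empty", "unknown"}

# password_login is False when the field is a lock marker.
ShadowEntry = namedtuple("ShadowEntry", "user scheme password_login")

def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, "empty", True)     # no password required
    if pw[0] in "!*":
        return ShadowEntry(user, "locked", False)   # cannot match any password
    if pw.startswith("$"):
        parts = pw.split("$")                       # ['', id, ..., hash]
        known = len(parts) >= 4 and parts[1] in SCHEMES
        return ShadowEntry(user, SCHEMES[parts[1]] if known else "unknown", True)
    if len(pw) == 13 and set(pw) <= DES_CHARS:
        return ShadowEntry(user, "descrypt", True)  # traditional DES-based crypt
    return ShadowEntry(user, "unknown", True)       # flag for manual review

def audit(text):
    """Entries that allow password login with a weak, missing or unknown hash."""
    entries = [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in entries if e.password_login and e.scheme in NEEDS_REVIEW]

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$6$c0nstructed$PlaceholderHash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$c0nstructed$PlaceholderHash:19700:0:99999:7:::
legacy:ab0123456789A:15000:0:99999:7:::
bob:$1$c0nstruc$PlaceholderHash:16000:0:99999:7:::
svc:!$6$c0nstructed$PlaceholderHash:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(f"{entry.user}: {entry.scheme}")
```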

Related

How to avoid plain text passwords in a python script?

I am going to start a new Python project with web scraping, data analysis, etc. This implies making some logins in emails and data websites. I would like to know how I can avoid putting plain-text passwords in my Python scripts, because I understand it is not very secure to have your password readable somewhere.
I have found a method using the cryptography library that encrypts your password and generates a secret key that can decrypt it, but I think it is not a good idea because as soon as I put the secret key in the script, someone can decrypt my password.
https://www.linkedin.com/pulse/encrypt-passwords-python-scripts-lee-rock/
Also, some people say to create a file named secret.py and store all the passwords I need there. When I have to use it, I can import this file and get the password. Consequently, this is not good either because there is a file full of readable passwords.
None of these results were satisfying.
In my case, I would like to share my code without leaking my passwords.

Storing and using encryption key without user input in python

I am writing a script that is going to be run as a scheduled task every morning. The program pulls encrypted usernames and passwords from a SQL database and will need to decrypt them. My question is, is there any way for me to store the encryption/decryption key for the script to use without expecting a user input such as a password? Ideally the script should run completely autonomously.
The most flexible idea, as stated by #EugeneProut, would be to use an env variable. I would like to add that it also provides the best security. Then you can simply access the variable by using the code below:
import os
print(os.environ['ENCRYPTION_KEY'])
This solution is the most production-like, since it gives the best possibility to provide the key securely, for example as a secret.

Python hashed password to use in different script?

OK, I was unable to find this same question anywhere, so I apologize in advance if this has been asked before.
My need is to have a script ssh into other devices at different times, to do this I need to store a password. I don't want to use plain text or base64, but I would be OK with hashing the password and I have no issue doing that. The issue is I don't know how to get the hash to be sent to the devices as a password. It just sends the hash and the login gets denied.
This is the hash script that writes to a file:
import getpass, hashlib, os
pwf = open('hashes.txt', 'w')
password = getpass.getpass()
# sha256() needs bytes, so encode the typed password first
hashpass = hashlib.sha256(password.encode()).hexdigest()
pwf.write(hashpass)
pwf.close()
This is the 2nd script, where I can pull the hash out of the file, but it's still a hash.
hashes = open('hashes.txt', 'r')
for pw in hashes:
    # each line is the stored SHA-256 hex digest
    passwrd = pw.strip()
    password = passwrd
That's all fine and dandy, but then I can't log in with the hash. I'm sure I'm doing something fundamentally wrong here. Please let me know.
Also, I left out the other ssh code as I didn't think it was relevant.
The entire point of a cryptographic hash is that it isn't feasible to reverse it into the original password. If you need to send the actual password, a hash will not work for you; you'd need to use an actual encryption algorithm - but then you run into a similar problem of how you store the encryption key you're using to store the password.
Either way you need a way of securely storing data on your local system that other unauthorized users can't access. Typically this is done by using key-based ssh authentication and storing the key with permissions that make it inaccessible to other users. This essentially skips the unnecessary step of encrypting/decrypting a password and instead just uses the encryption key as the authentication mechanism for ssh.
Note that there exist Python libraries that are designed for the kind of task you're doing (sshing to remote systems and running commands automatically) - fabric is one of them.
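The key-based approach described above, as an added example that is not part of the original answer: it refuses to use a private key file that other users can access and then builds a non-interactive ssh command that authenticates with that key only. The function names, host and key path are hypothetical.

```python
# Added example: check that an SSH private key is private before using it,
# then build an ssh command line that relies on the key instead of a password.
import os
import stat


def check_private_key(path):
    """Raise PermissionError unless `path` is a regular file owned by the
    current user with no group/other permission bits set."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed at `path`
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path}: mode {mode:04o} is readable by others")


def build_ssh_command(host, key_path, remote_cmd):
    """Return an argv list for subprocess.run(); no shell is involved."""
    if host.startswith("-"):
        raise ValueError("host must not look like an option")
    check_private_key(key_path)
    return ["ssh",
            "-i", key_path,
            "-o", "IdentitiesOnly=yes",         # offer only this key
            "-o", "BatchMode=yes",              # never prompt; fail instead
            "-o", "PasswordAuthentication=no",  # do not fall back to passwords
            host, remote_cmd]


if __name__ == "__main__":
    # Hypothetical host and key path, shown for illustration only.
    key = os.path.expanduser("~/.ssh/automation_ed25519")
    try:
        print(build_ssh_command("deploy@host.example", key, "uptime"))
    except (OSError, ValueError) as exc:
        print(f"refusing to connect: {exc}")
```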

howto get PAM authentication working with Apache and mod_authnz_external?

I've been trying for 2 days now to write a custom PAM script which authenticates under Linux with sys user and pass.
I made examples in C, Python and Perl but I have the same problem with all of them.
When I test the script in my shell everything works well.
I test them with
# ./script;echo $?
And get 0 or 1 back.
But as soon as I try to use it with mod_authnz_external and Apache it stops working.
Even with a valid user I get a 1 back and am not able to log in.
It seems that there is a problem with PAM and maybe the Apache environment.
I read somewhere that I have to set the environment variables to use PAM but I have no clue how.
Here are examples in C, Perl and Python:
C: http://pastebin.com/v9Yn9xvK
Perl: http://pastebin.com/cqzqztYg
Python: http://pastebin.com/32cvvCjS
Choose whatever you like, they all work the same... returning the exit code 0 or 1.
Any help or hint would be appreciated.
Thanks!
If you're authenticating a system user with PAM, then it's going to go through libpam_unix.so. From the manpage of pam_unix:
A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it.
So if you want to authenticate users from a webserver, you're most likely running as user 'apache' or something like that. All pam_unix can do for you is authenticate user 'apache', which is most likely not what you want. pwauth must somehow bypass this restriction.

Password storage (for a set of scripts)

I have a system (actually it is a set of shell scripts) which has a lot of instances on different servers in different test stages (dev, uat, prd). The scripts need to use some passwords for authorization in, for example, a database (btw each environment has its own passwords).
I have a deployment system, therefore I'm able to hold passwords in the repository so as not to update them manually each time.
But it's completely unacceptable from a security point of view to store them as plain text.
I could develop a solution myself using gpg (to hold each password in a gpg-encrypted file with the pub certificate of the target environment), but I'm not sure it's the best way.
Are there any existing open-source solutions for password storage which are better than my own solution with gpg?
It seems you are looking for Password store. You can have a look into vault 0.2
PyCrypto.Blowfish should be very nice for that purpose:
https://www.dlitz.net/software/pycrypto/api/current/Crypto.Cipher.Blowfish.BlowfishCipher-class.html
Although you'd have to specify the key manually on each startup of your "password server", obviously.
PyCrypto is a well known and mature library for this kind of thing, and should do what you are looking for.
