There is a network where users are using PPPoE to establish connections to the Access servers. We have lost the billing system and users' DB. The only condition that we know is that 'Valid credential should be credential where username and password are the same value. (i.e. username: johnsmith, password: johnsmith)'.
We'd like to recover access to the Internet asap.
Setup that we have now: Ubuntu 2004, accel-ppp, freeradius3. Everything works fine but we have to add a record for each user to raddb/mods-config/files/authorize file.
user1 Cleartext-Password := "user1"
user2 Cleartext-Password := "user2"
userN Cleartext-Password := "userN"
Updated: Is that possible to avoid manually adding users? The script should verify credential assuming that username and valid password are the same value.
This is trivial to do in unlang, FreeRADIUS's configuration language.
The "known" clear password to be matched in FreeRADIUS must be made available in the Cleartext-Password attribute. This is where it will generally be placed after a successful database lookup.
As you know the User-Name, you can update the password to match it. In sites-enabled/default you can add:
update control {
&Cleartext-Password = &request:User-Name
}
Adding this right at the bottom of the authorize{} section, and using = above (rather than :=) means that the Cleartext-Password attribute will only be changed if it hasn't previously been set by some other method, ensuring that as you add entries back into a database they will take precedence.
Authentication will then compare User-Name to Cleartext-Password; they will of course match so access will be permitted.
At my company we're designing a new flow for our user to register. User and Company are very closely tied to each other. Due to several reasons we can't create the user and the company one after the other but we need to create them at the same time.
However as our form is on several steps, we collect all the user input in a separate Registration model in a jsonb attribute and then create the user and company at the end of the process from this intermediate model.
One of the problem is that we collect the user password. However as we're storing the registration in our database, the password is exposed.
How would you try to protect this?
EDIT: We're using Bcrypt to encrypt password
I have not tried this but I guess this will work. You can use the following code to encrypt the password before storing it as intermediate json.
my_password = BCrypt::Password.create("my password")
If you have designed the User model properly, there will be a password_digest field in your table. So while saving encrypted password, use:
#user.password_digest = my_password
instead of
#user.password = my_password
where you expect encryption to take place in the background.
This question already has answers here:
How do you prevent duplicate user properties in Firebase?
(2 answers)
Closed 6 years ago.
I am a newbie to Firebase so any hint will be appreciated. Right now I am using Firebase Login & Auth to handle all the authentication for me. But I want to store some user data, like username DOB, created_at... I have created a users node, and I am appending children nodes to users using the unique id I get on sign up or login. However I want to ensure that there are no duplicate usernames in the system. How can I check if a username already exists before writing to the server?
I'm currently investigating the same thing. My issue is that I also want persistence enabled, so I need to be aware of what can be accessed offline. If you're using persistence, I would also recommend disallowing particular operations such as checking username existence if your client is offline, which you can do by listening to ".info/connected" as further detailed here:
https://firebase.google.com/docs/database/ios/offline-capabilities#section-connection-state
My personal workflow for this is as follows:
Login to user's account
Check if the user already has a username
Check the firebase database to see if their user details includes a username:
DB/users/*userUID*/username != nil
If they don't have a username, then prompt them to set a username.
When they set their username, check if the username exists in:
DB/usernames/*username*/ != nil
If it doesn't exist, then write the username and userId in the two database locations checked above.
eg.
user.uid = wewe32323
username = scuba_steve
DB/usernames/scuba_steve = wewe32323
DB/users/wewe32323/username = scuba_steve
So now you have the DB/usernames reference that you can check quickly to see if anyone has a username already, and you also have DB/users/ where you can quickly find a username for a given user.
I won't say this is fool-proof, as I still a few concerns around concurrent requests. My current issue I'm investigating is that lets say you delete the username association to a particular user, the user can depend on their local copy of the database to incorrectly assert that they are still assigned to that username.
You could look into the database write rules to disallow anyone to modify existing data (enforcing that you can only write to the DB/usernames directory if there is no existing data. This would prevent overriding of whoever sets the username first, which I think is an important step.
It may also be worth investigating Transactions:
https://firebase.google.com/docs/database/ios/save-data#save_data_as_transactions
But I believe correct write rules as mentioned in the paragraph above should allow dependable writing.
You can check if the username is stored like this:
let username = "fred"
self.ref.child("users/\(username)").observeSingleEventOfType(.Value, withBlock: { snapshot in
if snapshot.exists() {
If the snapshot returned in the closure exists, then the username "fred" exists.
I have a current system that creates database users in my MSSQL database. These users can connect to the database with other clients we've written. I need to challenge the user to enter the username and password that is already defined in the SQL Server Security/Logins of the database.
I'm able to connect to the database and create tables with rails, I just can't find any information on how to authenticate against the database I'm connecting to.
We have a table in our schema already that has the user information such as usr_name, usr_desc, usr_email, etc.
Assuming you do no hashing and you user model is set up correctly in rails you can use
#assuming your table/model is called user your user name field is called user_name and your password field is called password
user = User.find_by_user_name_and_password
if user
#do authenticated stuff
else
#don't do authenticated stuff
end
Check out http://guides.rubyonrails.org/active_record_querying.html
Down toward the bottom it talks about dynamic finders. These are created for each field in the rails models. That's what makes sql querying in rails a cinch.
I am looking to implement a Forgot Password feature on my website. I like the option where an email containing a temporary one-time use URL that expires after some time is sent to the user.
I have looked at the following pages to get these ideas but I am not sure how to implement this using ASP.NET and C#. As one of the users indicated, if I can implement this without storing this information inside the database, that will be ideal. Please advise.
Password reset by emailing temporary passwords
Thanks.
Probably the easiest way is going to be to modify your users table to add 2 extra columns, OR if you don't want to modify the existing table you could add a new dependent table called "UserPasswordReset" or something like that. The columns are like this:
PasswordResetToken UNIQUEIDENTIFIER,
PasswordResetExpiration DATETIME
If you go with the additional table route, you could do also add the UserID column, make it a primary key and a foriegn key reference back to your users table. A UNIQUE constraint would also be recommended. Then you simply use a Guid in your asp.net application as the token.
The flow could be something like this:
User requests password reset for their account
You insert a new record in the table (or update their user record) by setting the PasswordResetExpiration to a date in the future (DateTime.Now.AddDays(1)), and set the token to Guid.NewGuid()
Email the user a link to your ResetPassword.aspx page with the guid in the query string (http://www.yoursite.com/ResetPassword.aspx?token=Guid-here)
Use the ResetPassword.aspx page to validate the token and expiration fields. (I.E. Make sure DateTime.Now < PasswordResetExpiration)
Provide a simple form that allows the user to reset this password.
I know you wanted to avoid modifying the database, but it really is probably the simplest method.
#Alex
You can also use System.Security.Cryptography classes in .NET for the hash algorithms. For example:
using System.Security.Cryptography;
...
var hash = SHA256CryptoServiceProvider.Create().ComputeHash(myTokenToHash);
...
Here, the System.Guid class in your friend, as it will generate a unique (well, unique enough) 128-bit number:
Generate a new Guid ( System.Guid.NewGuid() )
Store that Guid somewhere (Application object maybe?)
Send a custom URL in an email with that Guid
When the user hits the site, make them enter the password you sent in the email
If the passwords match, go ahead and force them to enter a new password
I used a Hashing Class to create unique automatic logins made up of the current date/time and the users email address:
string strNow = DateTime.Now.ToString();
string strHash = strNow + strEmail;
strHash = Hash.GetHash(strHash, Hash.HashType.SHA1);
get the Hash Class from: http://www.developerfusion.com/code/4601/create-hashes-md5-sha1-sha256-sha384-sha512/
Then just take it from the URL using:
if (Request.QueryString["hash"] != null)
{
//extract Hash from the URL
string strHash = Request.QueryString["hash"];
}
I would definitely include the database in this process. Once a reset is requested, it's a good idea to indicate that the account is locked out.
For example, if you are changing your pw because you think your account may have been compromised, you definitely don't want it to remain accessible while you go about the change process.
Also, inclusion of "real" information in the reset token could be decoded if someone really wants it and has the horsepower. It would be safer to generate a random string, save it in the db in the row for that user, and then key back to it when the link is clicked.
This gives you two things:
1) There's nothing to decrypt, and therefore nothing of value can be gained from it.
2) The presence of the token in the user record indicates that reset is in progress and the account should be treated as locked out.
The goal of sending some data|string to user email is validation of account owner. Please care about some points:
Avoid sending important information in reset or activate link.
It's best way to store unique string data conjunction with user
account and send it as that link. but be aware if you send just one
section as link to user email and just check it in page, your
application may be in dangerous by brute-force or dictionary
attacker. It's enough to check a list of string to find some links
and change password. I know that has a little chance, but not zero.
Result:
I think it's better if you
combine user email with string link then encrypt them
(not hash because hashed value can't be reverse) and send to user
email.
User click and your page get the encrypted value.
decrypt value.
extract user email.
find email in database.
compare string from received link with other one attached to user
email in database.
Good luck.
I'd use a hash code to validate details in the password reset url. This can all be done without writing anything to the DB or sending any privileged info to an attaker.
To briefly explain normal password salt and hashing; say the salt is 1111 and the pasword is password, you'd concatenate the two and hash the string 1111password, say this gives you a hash of 9999, you'd then store the original salt 1111 and hash 9999 in your user record.
When you are validating a password you use the stored salt, concatenate the password attempt, hash it and compare with the stored hash. For example asecret becomes 1111asecret but hashes to 8888. This doesn't match the original hash so the password match fails.
Of course the salt and hash would normally be properly generated and calculated with established crypto libraries (don't invent your own!).
For the password reset URL I'd put in the unique identifier for the user, i.e. email address, the date the request is made, and a new hash. This hash would be generated from those details concatenated together plus the salt and hash already stored for the user.
For example:
Email: user#example.com
Request Date: 2014-07-17
Salt: 1111
Hash: 9999
Generate a new hash of those concatenated, i.e. 'user#example.com2014-07-1711119999', say this gives a hash of 7777.
The URL I then generate would then have the email, request date and the new hash:
https:\\www.example.com\ResetPassword?email=user#example.com&requestdate=2014-07-17&hash=7777
The server will combine the email and supplied date with it's salt and hash and confirm the hash it generated is the same as the supplied one. If this is Ok then it will show the reset form with the same three parameters hidden behind it, otherwise an error. These get resubmitted and rechecked when the new password is entered to prevent that form being spoofed.
The email address needs to be supplied to make the request and it is only sent out in an email to the same address. the date is hardly priveleged info and the hash is not reversible so gives nothing anyway. Nothing has been written to the database and any tampering with the parameters causes the hash to fail and the URL to report an error.
There is an issues with this approach. A safe hash makes the token really long. Either you integrate the salt into the hash itself (makes it about 20 charactes longer), or you store this unique salt in the database. If you store the salt in the database, you could as well store a random token which is not derrived from any existing
Depending on your needs, you could encrypt information, in a format similar to the following format
(UserId)-(ExpireDate)
Encrypt the data, make that the link, then decrypt the data and take action from there...
Crude, but most likely usable, and not requiring DB usage