I'm trying to debug my spring-security-kerberos web app that runs on tomcat6 on Centos5.5
and have a service principal in a keytab that i generated on a windows 2008 AD. I would like to test the keys outside of tomcat to help isolate the problem (Spring does not fine the keys)
i can list the keys with the ktutil program and see the principal in in the table but cant verify that it actually works.
I was flipping through old questions and stumbled across this one. So you've already listed the keys with kutil. To verify that the principal inside the Kerberos key table file actually works, you can run this command: kinit -k -t <key table file name> <SPN>.
For instance, if you have an SPN of HTTP/somehost.mydomain.com and a key table file name of myfilename.keytab, your command will be:
kinit -k -t myfilename.keytab HTTP/somehost.mydomain.com
This is a simple Kerberos test fully outside of Tomcat (which meets your requirement), and verifies that your DNS, AD, krb5.conf, and keytab (including principle inside) are all set up correctly.
Related
I created a Weblogic generic container for version 12.1.3 based on the official Docker images from Oracle at https://github.com/oracle/docker-images/tree/master/OracleWebLogic/dockerfiles
Command: buildDockerImage.sh -g -s -v 12.1.3
This creates the image oracle/weblogic:12.1.3-generic
Using a modified version of sample dockerfile for 1213-domain, I built the Weblogic container.
Note: changed the base image to be generic, instead of developer
docker build -t 1213-domain --build-arg ADMIN_PASSWORD="admin123" -f myDockerfile .
Pushed the built image to Amazon ECR and ran the container using the AWS ECS. Configured the port mappings as 0:7001, set memory soft limit as 1024, nothing else changed in default ECS settings. I have an application load balancer in the front, which receives traffic at 443 port and forwards to the containers. In the browser I get a login page for Weblogic, when I enter username as weblogic and password as admin123, I get the error:
Authentication Denied
Interestingly when I go to the container and connect to the weblogic using WLST, it works fine.
[ec2-user#ip-10-99-103-141 ~]$ docker exec -it 458 bash
[oracle#4580238db23f mydomain]$ /u01/oracle/oracle_common/common/bin/wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Jython scans all the jar files it can find at first startup. Depending on the system, this process may take a few minutes to complete, and WLST may not return a prompt right away.
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect("weblogic","admin123","t3://localhost:7001")
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "mydomain".
Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
wls:/mydomain/serverConfig>
Any hints on what can be going wrong?
Very interesting indeed. :) .. You are sure there is no special characters or so when you entering the username and password. Try typing the same if you are coping.
Also as backup, since you are able to login to WLST you can try two option.
Resetting the current password of weblogic or try adding new username and password.
below link will help
http://middlewarebuzz.blogspot.com/2013/06/weblogic-password-reset.html
or
http://middlewaremagic.com/weblogic/?p=4962
I have seen similar questions, but nothing helped.
Like here:
SSH login with no authentication
SSH session without ANY authentication
My problem is as the question states. I want to setup ssh to work without any password prompt or any keys. Means, doing
ssh computer#IP_address
should give me access to the remote machine.
Question ends here^^^^^^^^^^^. Details of what I'm trying to achieve:
I have a docker image of Ubuntu in which I'm trying to install ssh. This has 2 reasons: easy file transfer using scp and the other is, that I sometimes, by mistake I close docker without committing and end up losing all my progress/data. So I want to make it such that I run the docker container in the background and only access it using ssh. Also, I am working in a team and I'll need to some other outside people(who download my docker image) to be able to work with it easily as well, which is why I want it to be ssh-accessible without a login.
You should look at setting PermitEmptyPasswords to yes in your sshd_config file and restard sshd service.
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ''no''.
I'm using the Trans Union New Access system to run credit reports. I'm doing this on my Windows 7 64 bit development machine.
I have a Web Application (web forms) project that uses the system. In one button, I have the following code:
CreditReportRequestXML requestXMLSupplier = new CreditReportRequestXML();
requestXMLSupplier.RunPendingRequests();
This code calls a method in another project that I coded myself. The code constructs XML that is posted to Transunion. I get perfectly good responses.
I have another project that's a Windows service project. The relevant code in this project is:
CreditReportRequestXML requestXMLSupplier = new CreditReportRequestXML();
requestXMLSupplier.RunPendingRequests();
When the account that the service runs under is my account, this works just fine. The service is installed as a service and can be started and stopped with the Services console.
So far, so good.
Here's the bad. When I configure the service to run under the Network Service account, I get the following error:
Could not create SSL/TLS secure channel.
I've been trying to use winhttpcertcfg to fix the problem. I've tried -
winhttpcertcfg -g -c LOCAL_MACHINE\My -s ******** -a "Network Service"
(where ******** is the subject name of the certificate. I can see this name when I debug my service using ?clientCertificate.SubjectName.Name)
I've also tried
winhttpcertcfg -i certfile.p12 -c LOCAL_MACHINE\My -a "Network Service" -p pwforcert
(where certfile is the file name - note that the file I have is a p12 file, not a PFX file; pwforcert is the password I used to create the system client on the Trans Union site.)
The service fails with the message above after trying both commands. When I list accounts that should have access to the private key using
winhttpcertcfg -l -c LOCAL_MACHINE\My -s MyCertificate
the output shows the correct matching certificate, and says 'Additional accounts and groups with access to the private key include:', and lists NT AUTHORITY\NETWORK SERVICE as one of the accounts.
The reason I want to use Network Service to run the service is that my boss wants me to do this. I talked with our network guys today, and they don't have an account on our servers that has administrative privileges.
What am I missing? Or, is there some other way around this problem?
I wound up exporting one of the certificates to a PFX file, including the Private Key and all related certificates. This could only be done from one or two of the certificates on my machine. I then deleted all TU certificates. The winhttpcertcfg -i filename.pfx -c LOCAL_MACHINE\My -a "NETWORK SERVICE" -p **** was used. That worked.
What i am trying seems quite simple, but i cant really get my head wrapped around what i need to do:
Inside a job, i have a build-step that executes shell-commands. This shell command tries using the Jenkins CLI.
So basically it says "java -jar theCliFile -s jenkinsURL / command
So inside of a job, i am trying to make a SSH connection to the jenkins-server itself.
This fails, console output says that "[WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
You must authenticate to access this Jenkins.".
I could provide a username and password as clear text inside of the shell, but i would like to avoid that.
What do i need to setup in order to allow an automatic authentication? I don't understand who needs what kind of keys.
The Jenkins CLI Wiki says to configured a /me/configure user. I just don't see how this makes sense. I guess this was meant to be for use cases where someone tries to build a SSH connection from a remote machine, not from the Jenkins itself, as in my case.
Actually, i solved it myself:
I had both a private and public key on the Jenkins-Server (incase you don't have those, just generate them on the server machine that the Jenkins runs on (there are tons of tutorials on how to do so out there)).
To allow what i was trying in my question, i had to take the public key and enter it in some user existing for the jenkins-application.
As far as i understand, entering the Jenkins Servers public key in any user will make the SSH request authenticate as this user and thus the shell will have the rights of said user.
I have one windows service which will use plink.exe for SSH connection and I found that Plink cannot find the running Pageant.
Here is the steps I have done so far.
Install Windows service to run as particular user
Before starting Windows service, I log in as that user and start Pageant with PuTTY generated key.
Then I start the Windows service (but I can't manage to make it work since Plink cannot find Pageant and server reply as No supported authentication methods available.)
Note: If I run Windows service as console application with that user, everything is working fine.
PLink will be run in Service session (Session\0) while pageant runs in user session (Session\1). Plink uses some interprocess communication which, as it looks from your problem, doesn't work across sessions. Most likely there's MMF communication inside and objects are created without prefix, i.e. they become session-only (not global). You would need to build custom version of plink to solve the problem.
Pageant explicitly allows feeding keys to an application (PuTTY, PSFTP, PSCP, WinSCP, FileZilla) running in the same Windows session only. This is obviously for security reasons, not to allow a different user on the same machine hijack private keys loaded by another users. And even for convenience (ironically), so that you do not inadvertently use keys of a different user (leading possibly to having your account locked due to invalid login attempts).
Also note that the Pageant is not intended for an automation anyway. For the automation, use the private key explicitly, using the -i command-line parameter.
See https://the.earth.li/~sgtatham/putty/latest/htmldoc/Chapter3.html#using-cmdline-identity
Such private key have to be unencrypted. Note that this imposes security risk, if someone gains access to the key. You should consider restricting an access to the unprotected private key file to the local account that runs the script only (using Windows file system permissions).
As #Eugene point out, it is Session 0 Isolation.
I managed to solve the issue by not using agent but directly passed the private key and password to plink.exe. By doing that, I'm able to run without using pageant.
To start plink.exe without agent;
plink.exe -noagent -i private_key.ppk -pw mypassword -P 1234 user#host.com