I have MySQL proxy running and I have a LUA with a function for read_auth() however the passwords that are passed during authentication are hashed (as expected).
I require them in a format which I can work with and post onwards, so cleartext. Enabling the cleartext plugin on the MySQL client has no effect, I suspect that MySQL proxy is not demanding the client sends it in cleartext so defaults to hashing.
So basically: do you have any ideas on how I would be able to get the clear text authentication details within the read_auth() function of MySQL proxy?
Note: my end goal is to auth with LDAP, however the only way I can get a password (hashed or not) is by actually binding to LDAP, it can not be obtained by searching.
The MySQL network protocol does not allow passwords to be sent in clear-text, all you could capture is the encrypted version.
However, if you are trying to send (from the client to the server) cleartext, the client side clear text plugin should work...
As of MySQL 5.5.27, to make inadvertent use of this plugin less likely, it is required that clients explicitly enable it. This can be done several ways:
Set the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to a value that begins with 1, Y, or y. This enables the plugin for all client connections.
The mysql, mysqladmin, and mysqlslap client programs support an --enable-cleartext-plugin option that enables the plugin on a per-invocation basis.
The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis. Also, any program that uses libmysqlclient and reads option files can enable the plugin by including an enable-cleartext-plugin option in an option group read by the client library.
Alternatively, there are a few other options to authenticate with LDAP. For example, you could use the PAM Authentication Plugin that will let you use any available PAM module to provide authentication services, and there is a pam_ldap module that is easy to configure.
You could also look into using roles and mapping the usernames to roles, so you would have a few roles with permissions and many usernames mapped to those roles. You can find further information on that here.
Further Resources:
Cleartext Authentication Plugin
PAM Authentication Plugin
MYSQL Password Hasing
MySQL Proxy Role Based Authentication
Related
I am trying to configure a user defined parameter on a Windows host. All my hosts are configured with PSK encryption and Zabbix server is able to get data without any issues.
However I cannot figure out how to use the zabbix_get manually with PSK encryption enabled.
zabbix_get -s x.x.x.x -p 10050 -k "internet.connection.check" --tls-connect=psk --tls-psk-identity="name" --tls-psk-file=cannot find any psk file on zabbix server
The problem is I cannot locate any PSK file on the zabbix server. Can I pass the PSK somehow?
The serverside PSK is configured in the GUI and stored in the database.
The Zabbix agent stores the PSK in a file.
I see 3 options:
Manually create a psk-file.
Remember that a change of the key must be done in the GUI, at the agent and in your special file.
Make a script that reads the key from the database.
Remember that direct access to the database of an application is most times forbidden and can cause compatibility issues after updating the application. Read-only access should be possible.
Use the same keys for all your agents;
When you install a Zabbix Agent on the Zabbix Server (allowing you to monitor the server), you do have a file on a normal place.
I wouldn't try to use an API or some smart script during Discovery, this will make the solution hard to maintain. I withdraw my last remark, when you have thousands of servers to monitor and a team working with Zabbix.
I want ejabberd (ejabberd 14.12) to use Dovecot's table 'users' for authentication (which is done already) but keep all ejabberd's data in different mysql database.
Is there anything, like autocreation option? For example, if user was successfully authenticated via external script, create that user in ejabberd's database? Or I have to make this up by my own? Im new in ejabberd
For authentication, I have this in ejabberd.yml
auth_method: external
extauth_program: "/opt/ejabberd/bin/auth_mysql_dovecot.php"
Will this allow me to use odbc as back-end?
I went the simple way.. What I needed is a local replacement for gmail+google chat for corporate users:
Dovecot with mysql authentication
Roundcube with plugin converse.js
Ejabberd with external auth:
auth_method: external
extauth_program: "/opt/ejabberd/bin/auth_mysql_dovecot.php"
Here is my auth_mysql_dovecot.php script. It doesn't use SASL to connect to dovecot. Its just simply connecting to dovecot mysql database. Important: Dovecot password encryption MUST BE 'CRAM-MD5'. Sorry, its the third version of the script. I didn't put the notes, where did I steal the code
No any registration needed. Once users login to their roundcube, they automatically will be logged into to ejabberd. Similar to google chat. If they change their passwords for Dovecot/Roundcube, the password will be changed for ejabberd as well.
I just let ejabberd to use its own native database
I'm working on an application in VB.NET that has to connect to a MySQL database and FTP. How secure is it if I used it in an application that I gave to other people. E.g. if I was to let other people use this application would they be able to find out the MySQL and FTP connection details through intercepting packets or something like that?
If that's the case how can I work round this? Also, part of my application is an uploader for users to upload files, is FTP secure for that or are there better alternatives ways in doing that? My server is a Windows Server 08 if that makes any difference.
Thanks in advance.
FTP is plaintext. It is very easy to get user names and passwords just by packet sniffing. If the ftp is supposed to be secure rather look ay sftp or ftps solutions. These use SSL type encryption on the network layer. Never ever use a ftp server for sensitive information.
MySQL traffic can also be sniffed though it is considerably harder to reverse engineer the protocol. If data has to flow between client and mysql in a secured fashion you can configure mysql to use SSL certificates to encrypt the information. This will ensure security is of highest standards.
It depends, but as per Accessing SQL Server with Explicit Credentials article and it is applicable to MySql as well:
The recommended method is to store the predetermined user name and
password on the server, and then read it and add it to the connection
string at run time. An advantage of this technique is that your
application can access the database using different credentials under
different circumstances, depending on what it needs to do in the
database.
Security Note Never hard-code credentials as strings into programs in your application. Anyone who can get access to the code
file, even the compiled code, will be able to get at the credentials.
Security Note Always give a predetermined user name the minimal access privileges to a resource. Never use "sa" or any other
administrative-level user name. Always use passwords
I am working on a site that will be using HTML5 sockets to communicate with other server. At that time our users will be logged in , I can't code on other server . I am using PHP at server side. I don't know whether other server has even PHP or not. Client says PKI is a solution. So if user login on our server then I start their communication with HTML5 sockets towards other server to send and receive data. So how can other server authenticate them? I also think that I can have a userkey (like 32hash format) that is sent with HTML5 socket while communication that other server validate and then start working with that user. So client says that hacker can see data over network so I think SSL can work for it. What you guys suggest in such scenario? Please advise
More details:
There will be connection made between our users and another server using apache thrift(will be using TCP), and scenario is that user will login to our site, then we will connect them via HTML5socket to apache thrift on different domain, so in HTML5socket communication we will be forwarding userid to tell thrift server that which user is this, so it is fine. But there are two problems,
As HTML5sockets are at client side then a hacker can create his/her own socket and connect to that server in same way and use some one's id as these are just simple integers.
If we will append some thing in data then a hacker sitting on the network can get it like some hackers do this for session hijacking.
So that's why I am not sure that whether using a sort of SSL or TLS will solve the problem or some PKI or some other digital certificate. So that's why I am asking that here.
thanks
SSL cannot solve this problem. SSL is about creating a secure link between the client and server, it does absolutely nothing to protect the server from a malicious client. SSL cannot solve the problem of SQL Injection or in your case Insecure Direct Object Reference relating to the user id. Judging by this SSL suggestion you probably have never heard of TamperData, which allows you to read/intercept and modify all HTTPS traffic generated by your browser (Including components like flash and JavaScript), BURP is more advanced but does the same thing.
The right way to do this is to have a shared session store that your collection of servers can access. The client is issued a very large random number or cryptographic nonce that it uses as a verification token, which is kind of like a session id. This verification token is used to look up session state in the data store. The communal session store could be as simple as a PHP page that accepts the verification token as a parameter and tells you if its linked to a valid session.
Having 3rd parties issue a callback to verify the session is really the "right way" to do this. It is possible to do this with cryptography, although it is a misuse of cryptography because it introduces the possibility of an attack, where as a callback is absolute. The PHP server can issue the JavaScript client an HMAC token consisting of the user id, a timestamp and the message authentication code. The tricky part is that both the PHP server and any 3rd party will have to share a secret in order to verify the message authentication code. If done properly you can transmit the client can transmit the token, and 3rd parties can verify that the session hasn't expired based on the timestamp and that your servers issued the token (instead of a hacker's forgery) based on the message authentication code.
G'Day,
Is anyone able to provide some pointers on how I can notify my Delphi application that a particular record in my MySQL database has changed? Something along the lines of the event system from Interbase?
Ideas I have looked at:
.: Q4M :. (http://q4m.31tools.com/)
Pros: Native MySQL solution requiring no external daemons
Cons: No Win32 build exists due to it using Posix calls specific to Linux
.: MySQL Message API :. (http://messagequeue.lenoxway.net/)
Pros: Robust (using spread.org)
Cons: No Win32 binary. Additional configuration and daemon(s) of spread.org required
.: Custom User Defined Function :.
I am attempting to write a UDF that can use the Win32 API PostMessage() so send a windows message to a simple socket server.
Pros: Integrated (albeit with external DLL dependency) with MySQL. Can be customised to my needs
Cons: I cannot get it to work (See post MySQL User Defined Function to send a windows message). This may be because MySQL is running as a service
Any pointers, ideas etc. greatly appreciated.
--D
As an option you may consider to use a middle-tier solution like a RemObject DataAbstract or kbmMW. AFAIK, they allow to track the changes on the middle layer and provide mechanisms to notify clients about that.
I ended up implementing this as follows:
Created Windows app that listened on a TCP port as well as a Windows Pipe
Created a mySQL User Defined Function (UDF) that would connect to the above Windows Pipe and send some information
Added triggers to the tables in the database to invoke the UDF with information about which table, what operation (insert, deleted, update), primary key values
TCP clients can now connect to the Windows app to receive the information passed on from the UDF
The TCP clients can then refresh as needed using the information retrieved
Works well and is light weight bandwidth wise (as clients only refresh what they need). Also keeping the TCP Server on the same machine as the database and using a Windows Pipe means the pipe can be kept open, and by writing to the pipe there is no TCP stack overhead. Means the load on mySQL and the time taken to execute the UDF is very minor.