All Activity

  1. Today
  2. In one type of system yes, and that's how we'll set up that sub-set, although they have another problem entirely which will need more scripting to solve :( Other types of devices have both root and "normal" users, with root not being able to login. Of course we could forego changing the root password, but that would leave the console open. So in those cases we'll need that script I described (or we open root up for SSH, but naahhh).
  3. Hi Buckit. Not exactly sure of your environment, but is it possible these accounts can reset themselves without a Priv Account? As long as they have the required permissions, then this is possible in Passwordstate. Regards Click Studios
  4. I appreciate it. It's of course well and good for me to say "it should be as simple as ...", but that's a stupid remark of course. I have no way of knowing your code. The end-result may be simple (an added HTML tag), but there's no telling how the page gets generated. Something-something-assumptions.
  5. Thank you very much @support, for your patience with me. I honestly think we don't pay you guys enough to deal with the amount of shite I send your way. You are of course utterly correct. Thank you for snapping me out of my stuck-thinking: I was in some recursive loop, not properly thinking about how to tackle my current problem, also because I was avoiding something specific. As you say, the only right solution here would be to make use of the API by building a script to tackle the situation. New IoT device? Run the script which: defines the host, defines the privileged password object, defines the privileged account, and defines the other password object(s) and ties them to the privileged account. The downside to this is that you'll get a wild-growth of priv. accounts. The reason I kept avoiding this solution is because it means I have to write a lot of Powershell code. Why? Because I'm stubborn. I don't want to make a one-off script that works for one specific solution, with hardcoded script IDs and other hardcoded settings. No, Mr Smug here wants to make everything a lookup through the API. There's a Powershell module out there already, but it uses API keys instead of kerbauth, which we prefer right now. But yeah. You're right. I'll get over myself and start tackling this problem the right way. That module needed to be written anyway and I'm postponing the inevitable. It ain't gonna write itself.
  6. Hey Buckit, We'll take a look and see if this will be a simple change. If it is we'll include it in a future build. Regards, Support
  7. Yesterday
  8. support

    Password Extension: Fill on click instead of auto fill

    Thanks for the vote Greg. We'll consider this request when we next work on feature development for our extensions. Regards Click Studios
  9. Hi Buckit, Thanks for your request. At this stage we're not sure this is something we would like to implement, as it goes against best practice for using unique passwords across your hosts. It would also require a complete redesign of our Password Reset Engine, Account Heartbeats, Remote Site Locations, Reporting, API, etc, etc. Regards Click Studios
  10. GregSmid

    Password Extension: Fill on click instead of auto fill

    Hey all, I happened across a good example of an undesired auto-fill today. This is the settings page for our Barracuda email device, which has fields to set the address of the outbound SMTP host and username/password fields for the Barracuda to authenticate with that SMTP host. The PasswordState plugin sees those username and password fields, and fills them in with the credentials I have saved to log into the Barracuda web GUI... which of course is not what should be in those boxes. Having an option to only fill a page after clicking the PS plugin icon would solve this situation.
  11. Hey guys, Just a tiny suggestion: would it be possible for you to update the PasswordState Change Log webpage to include anchor tags in each update's header? For example, if I'd like to specifically link to build 8180, it'd be great to have something like https://www.clickstudios.com.au/passwordstate-changelog.aspx#8180. The changelog has grown to considerable size, so it'd help my colleagues if they didn't have to <ctr><f> for a buildnum. It could be as simple as changing this: <h3> Passwordstate 8.1 - Build 8180 (21st November 2017)&nbsp; <img src="/images/dbschemaupdates.png" alt="Database Schema Updates in this Build" style="padding-bottom: 3px;"> </h3> ...to this: <h3> <a name="8180">Passwordstate 8.1 - Build 8180 (21st November 2017)</a>&nbsp; <img src="/images/dbschemaupdates.png" alt="Database Schema Updates in this Build" style="padding-bottom: 3px;"> </h3> Take care! :)
  12. Buckit

    SSH key rotation

    Glad to hear that it's been of some help! I have a setup where an AD-account is used as privileged Linux user for the password changes by PasswordState, it uses the SSH keys you can store in PState and does it exactly in the way I've explained: pubkey in AD. What's more, we even pull our SUDO commands for the account in question from AD, as explained on my blog. I'll have to look into automating the key rotation you've asked about, as that will up the security a bit more :)
  13. 1527460Kevin

    SSH key rotation

    Hello Buckit Thank you for your answer! The solution looks pretty good, I might just go for that!
  14. Good morning everyone :) The past two weeks we've discussed this a bit, so I thought I'd make it a real feature suggestion. I would very much like the possibility to define one-to-many relationships for accounts to hosts (1:N). The biggest use case I can think of for this, is Linux privileged user accounts in Linux/Unix environments where a centralized IAM-platform is not available. For example, a network with many IoT devices which allow SSH for management functions, but which cannot integrate with AD or LDAP. In such a case it would be a great hassle to define privileged accounts on a 1:1 basis. If I would be able to define one Linux account, with a strong SSH keypair (or a frequently rotating strong password), that is to be used on the relevant systems as the designated privileged user, that would be ever-so-helpful. #RunOnSentence.
  15. Buckit

    SSH key rotation

    Aye, it should be possible to achieve, but it'll need some work on multiple ends of things. The biggest problem is the distribution of the private key. @1527460Kevin suggests generating them on the Linux box and then pushing them out to PasswordState. Personally, that's not something I'd recommend, because now you're transporting the literal key to your system, which either is not password protected, or you're transporting it along with its password. That could/would not be a problem, except that you're wanting to do it unattended. I mean, if you're doing it personally, you can immediately tell if something's gone wrong. The prettiest solution I can think of is to: Generate the new keypair on the PasswordState box using puttygen. Import the private key into the appropriate account object in PasswordState using the API and remove the original file from the file system. Have the Linux/Unix hosts use AD for their authentication backend (through SSSD). Push the public key into the relevant user's altSecurityIdentities field in AD. All this should be doable with Powershell, combined with API calls to PasswordState. It also takes care of the public key distribution, saving you the effort of sending the pubkey to X amount of servers. Alternatively you could of course push the pubkey to each of the X servers that the account exists on, using pscp (the Putty CLI SCP client). However, that brings me back to an issue I was having earlier last week: PasswordState does not have a way of linking one account to X amount of hosts. Unless it's an AD account, you'll find 1:1 account:host relationships. That's not always ideal.
  16. Last week
  17. support

    SSH key rotation

    Hi Kevin, We believe the only way this would be possible would be via our API, but unfortunately we've never tackled something like this. Hopefully someone in the community has strong linux scripting skills, to point you in the right direction. Regards Click Studios
  18. So that's good news twice! For me because I now know that I am not doing it wrong, for you because you can now fix a bug. I will have to do double work now, because I need to write a procedure to do the update process from dev/test, via acc, to prod. Which now means I have to describe both the manual and the "regular" internet-disconnected upgrade method. But at least I now know what to do. Thank you for all the effort!
  19. 1527460Kevin

    SSH key rotation

    Hello, Has anyone added some sort of SSH key management with Passwordstate, maybe with the use of APIs? I've read in the user manual that it is possible to start a remote session via an SSH key in a password list; is it however also possible to do some sort of SSH key rotation, maybe via the use of a script that generates new keys on the hosts and pushes them to Passwordstate or something like it? I'm curious whether someone here has done it or has thought about it. Thanks for all the help so far, I'm loving both Passwordstate and the community!
  20. Hi Jimmy, Thanks for your patience with this, and we do need to apologize - this is an issue with our code, checking that xml file as you mentioned. I'm not sure why I didn't see this in testing - possibly it was cached somewhere. We've fixed this for the next release, which means you will obviously need to perform a manual upgrade when this new release is available. We're not sure when the next release is yet, but it could be 2 to 4 weeks again. Again, thanks for your patience, and sorry again. Regards Click Studios
  21. In the meantime I've been testing the other way around: unplug the NIC. Now the button keeps saying "testing download..." forever (or at least for 30 minutes until I terminated it). So there seems to be some difference, but still not like it works at your side. When the NIC is disconnected I see Windows Events "An error has occurred executing the call 'SecurityGroupExists'. The server is not operational." Perhaps this is because the ADDS is then also unreachable. With the NIC connected I see nothing in the eventlog. To make sure it really attempts to access the internet, I added www.clickstudios.com.au to the hosts file, pointing to 127.0.0.1. This causes the upgrade now to fail even faster. That proves that it does do a call to www.clickstudios.com.au at a point where it should not. (I double checked the permissions on the zip-file, and also extracted it once to verify that it's not corrupted.) I have created a quick-and-dirty webserver replacement of http and https for www.clickstudios.com.au to have a bit of logging, and I see that it requests /NewBuildInfo.xml (plain over port 80?). Perhaps then you know what is going on? (It's not the upgrade zipfile but an xml.) Tomorrow I won't be able to change or test anything, but please feel free to keep me informed (I am able to reach this site).
  22. Hi Jimmy, We'll schedule an Internet outage at the office tomorrow, and see if we can replicate your issue again - it's currently 7pm in Australia. We'll let you know what we find. Regards Click Studios
  23. Let's not give up please; as I suggested before, this is probably not a security issue, but there must be a simple reason why it tries to download a file that is already there? Can we continue on that? Why does it want to access the internet while we follow the procedure for upgrading without internet? From a Windows and permissions perspective there is nothing special about this machine, it's just that we cannot just change the current SQL account, especially because you now say that we do not need that if we do not need the backup.
  24. Hi Jimmy, I pointed you to the correct part of the Security Administrator's manual - I certainly didn't expect you to read all 180 pages. For SQL Server, if you want Passwordstate to backup the database, then yes this is required - either for scheduled backups, or backups just prior to upgrades. Or you can check the option to say you don't want to backup the database, and you can manage this separately yourself. We try and give customers options for these sort of things, and let them decide what's best for their environment. Possibly because this is a "secure" environment, the manual method I outlined might be the best option for you. Regards Click Studios
  25. Can we go back one step. The symptom is that the program wants to go to the internet instead of using the locally placed file. And now we are discussing backups, accounts, permissions and stuff. Isn't there a totally different reason why it tries to download a file that is already there?? And just to make sure, we're not talking about the backup account but the (same) account needed for the upgrade. I just tested the backup to show that there are probably related issues. We don't actually need the backup, I'm just going through all that because you explained that the account settings are also needed for the upgrade... So if we can skip the backup issues (unless they help solving the upgrade issue), I'm fine with that. But.. Do you really want me to go through a 180pg document just to solve an issue with a 1/2pg upgrade description? I did check what you mentioned before, the NETWORK SERVICE has (F) on the passwordstate folder and subfolders and so does it on the backup folder. The account that I use for the upgrade is the domain admin, which I guess should just be enough? From that manual, I found at least:

    · The path to where you would like to store the backups - please use UNC naming conventions here, not a literal path such as c:\backups
    · Username and Password required for the backup (below in this document is an explanation of the permissions required)

    So I am now using \\computername\sharename which are accessible. Then it says: To allow backups to work through the Passwordstate web interface, you will need to specify an account (domain or Windows account), which has the following permissions:

    · Permissions to write to the Backup path you've specified
    · Permissions to stop and start the Passwordstate Windows Service on the web server
    · Permissions to write to the Passwordstate folder on your web server

    Which are all correct. Now we come to this: In addition to this, you must configure the SQL Server service to use a domain or Windows account which has permissions to also write to the Backup Path. We did a normal install and that installed the MSSQL Express instance. That has installed it with the (default?) NTService\MSSQL$SQLEXPRESS account. Since this is going to run in a very secure environment (that's why we cannot update from the internet), are you positive that we need a Domain account there? Is there a way to skip this, just because this is only for the backup part and not for the upgrade?? I also went through the Automatic Backup Troubleshooting part, where I also do not see any reason for an issue.
  26. Sorry Jimmy - we'll need to correct that reference of the message at the top of the screen, as it is outdated - we didn't realise it was still in there. If you are wanting to configure this backup account, we have what's fully required in the Security Administrators manual. You can find this under the Help Menu, and then look in the Backups and Upgrades section. Did you want to do the manual upgrade for now, and then you can explore the backup account permissions required after? Regards Click Studios
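The public-key distribution step Buckit describes in the SSH key rotation thread above (Linux hosts authenticating against AD through SSSD, with the privileged account's public key stored in its altSecurityIdentities attribute) needs matching configuration on the Linux side so that sshd actually consults the directory. The fragments below are an added illustration and are not configuration from the thread, from Passwordstate or from Click Studios; the domain example.com, the account name svc-pwstate and the key value are placeholders.

```ini
# --- /etc/sssd/sssd.conf (added example; example.com and svc-pwstate are placeholders) ---
[sssd]
domains = example.com
# the "ssh" responder is what sss_ssh_authorizedkeys talks to
services = nss, pam, ssh

[domain/example.com]
id_provider = ad
access_provider = ad
# read the OpenSSH public key line from altSecurityIdentities instead of the
# default sshPublicKey attribute (AD has no sshPublicKey schema by default)
ldap_user_ssh_public_key = altSecurityIdentities

# --- /etc/ssh/sshd_config (added example) ---
# ask SSSD for the user's keys; no authorized_keys file has to be pushed to each host
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
# the privileged account should only ever log in with its key
Match User svc-pwstate
    PasswordAuthentication no

# --- LDIF for the rotation step (added example; the key value is a placeholder) ---
# Rotation works in two writes: add the new key so both are accepted, then
# delete the old one once a login with the new key has been verified.
# dn: CN=svc-pwstate,OU=ServiceAccounts,DC=example,DC=com
# changetype: modify
# add: altSecurityIdentities
# altSecurityIdentities: ssh-ed25519 AAAA<NEW-KEY-PLACEHOLDER> svc-pwstate@passwordstate
# -
# (after verification)
# delete: altSecurityIdentities
# altSecurityIdentities: ssh-ed25519 AAAA<OLD-KEY-PLACEHOLDER> svc-pwstate@passwordstate
```

altSecurityIdentities is multi-valued, which is what makes the add-then-delete rotation safe: the Passwordstate heartbeat and reset jobs keep working with the old key until the new one has been confirmed. On a host, `sss_ssh_authorizedkeys svc-pwstate` shows exactly what sshd will accept; if a freshly added key does not appear, `sss_cache -u svc-pwstate` flushes SSSD's cached copy of the user.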