Mordecai

Reputation Activity

  1. Like
    Mordecai got a reaction from Ben Claussen in User-based API Keys   
    +1
  2. Like
    Mordecai reacted to support in PowerShell Scripts and Secure HTTPS WinRM Listeners   
    Hi Guys,
     
    We plan on working on this for version 10, which we're currently working on.

    Regards
    Click Studios
  3. Like
    Mordecai reacted to support in Authentication option: Azure AD (Oauth)   
    Hi Guys,
     
    We are working on synchronizing Azure AD user accounts and security groups in version 10, which we believe will somewhat help with this feature request.

    With SAML authentication, you can also use Azure MFA for this already as well.

    Regards
    Click Studios 
  4. Like
    Mordecai reacted to support in Dark mode in UI   
    We are trying to work on this for version 10 guys.
     
    It's an enormous amount of work, with over 400 pages to update and test, tweaking of all the Telerik controls, as well as a series of new icons.
     
    We are going to need to also limit some UI customizations in V10 for this new theme, so it does not alter the aesthetic of it. 

    Regards
    Click Studios
  5. Like
    Mordecai reacted to emgusten in Splunk Add-on for Passwordstate Log Parsing   
    I request a Passwordstate add-on for Splunk.
    The add-on should aid organisations in parsing the syslog ingested from Passwordstate, in line with Splunk Common Information Model (CIM).
  6. Like
    Mordecai reacted to miketheautomater in API key for adding Folders and Password Lists and no Password access   
    Folders can only be created via the system wide API key, same goes for adding Password Lists from a Template to the folder.
     
    We need a way via API to add folders, add password lists from template, add/modify/remove password list permissions and have the API user NOT be able to read/change any passwords in existing password lists.
     
    We tried the Windows Integrated Auth API, unfortunately to be able to see if the folder already had a password list required us to give that API user View permissions on the Password List Template or Password List which also allows them to view any password records in that list.  As a large organization, we try our best to follow the least privilege model including API users.
  7. Like
    Mordecai reacted to Fabian Näf in REST Methods for Modify (and Delete) on Folders/Passwordlists   
    Hi Folke
     
    My final solution (workaround) in this case was to update the guide directly in the database, below some snippets from my Powershell script.
    I have to say, that this is very dangerous and can lead to a corrupt database if you're doing something wrong! So be very careful with this!!
     
    $global:PasswordstateSystemWideAPIKey = '';

    Import-Module SQLPS -DisableNameChecking
    Push-Location
    cd SQLSERVER:\SQL\localhost\DEFAULT\Databases\passwordstate

    Function UpdateGuideOfPasswordstatePasswordlistOrFolder()
    {
        Param
        (
            [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)]
            [String]$Id,
            [Parameter(Mandatory=$False,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)]
            [String]$Guide
        )
        Begin
        {
            $Guide = ConvertTextToHtml -text $Guide
        }
        Process
        {
            $Header = @{ APIKey = $global:PasswordstateSystemWideAPIKey }
            try
            {
                # Double any single quotes and force the ID to an integer so the
                # concatenated values cannot break out of the UPDATE statement
                $safeGuide = $Guide -replace "'", "''"
                $query = $("UPDATE PasswordLists SET Guide = '" + $safeGuide + "' WHERE PasswordListID = " + [int]$Id)
                Invoke-Sqlcmd -Query $query
            }
            catch
            {
                Write-Host $_ -ForegroundColor Red
                Write-Host $_.GetType() -ForegroundColor Red
                Write-Host $_.Exception -ForegroundColor Red
                throw $_.Exception
            }
        }
        End
        {
            # $result and $Tree are not defined in this snippet
            Write-Output ($result | Where-Object { $_.TreePath -eq $Tree }).PasswordListID
        }
    }

    Function ConvertTextToHtml()
    {
        Param
        (
            [Parameter(Mandatory=$True,ValueFromPipeline=$False,ValueFromPipelinebyPropertyName=$False)]
            [String]$text
        )
        Begin
        {
        }
        Process
        {
            # Turn line breaks into HTML line breaks
            $html = $($text -replace "\n", "<br>")
        }
        End
        {
            Write-Output $html
        }
    }

    $dummyGuide = @"
    This Is A Test Guide
    Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum.
    "@

    UpdateGuideOfPasswordstatePasswordlistOrFolder -Id 123456789 -Guide $dummyGuide
    Pop-Location

    Best regards,
     
    Fabian
  8. Like
    Mordecai reacted to fecton.ernst.meinhart in Native Authentication options in browser extension   
    We would like to see native authentication options within the browser extension as on Passwordstate Web Portal.
    To be more specific, the browser extension should perform the exact same authentication flow as when trying to login to the web portal.
     
    Users within an organization should generally not handle any kind of "Master Passwords" with some very rare exceptions. Instead most (and probably all larger companies) try to create a unified authentication experience with some IDPs like AzureAD.
    In our case we integrate using SAML2 with AzureAD, where authentication, SSO, MFA, device compliance check and so on is performed. We do this for all internal applications in our organization and it's the most suitable and manageable way with a great user acceptance.
     
    Handling master passwords would be a security concern because users could simply store those passwords in a text file on the desktop, for example, which is practically impossible to control / audit. As we are humans, something like this will happen.
    It is also a security concern as this eliminates the MFA / device compliance process in our case.
    Also this is not a comfortable way and user acceptance of the browser extension is very limited. In our organization users prefer to login to Passwordstate web portal and copy the credentials they instead of managing a master password.
     
    I understand that changing this behaviour is a lot of work because of existing API architecture and so on, but at least in my opinion this is the most needed feature from all.
  9. Like
    Mordecai reacted to support in Use browser Developer Tools to capture network traffic for Browser Extension   
    Issue:
    You are trying to configure the Passwordstate browser extension but are getting a Connection error, server not available error message, or Error, connection timed out and the browser extension icon stays Red in colour
     
    Troubleshooting Steps:
    Please follow this process below to capture the network traffic when this issue occurs, and forward that onto Click Studios support for analysis.
     
    Step 1:
    Click on the Manage Extensions button

     
     
    Step 2:
    Enable the Developer Mode option, and then click Background.html link, and this will open a separate browser window with the developer tools

     
     
    Step 3:
    Log into Passwordstate, then try Logging into the extension

     
     
    Step 4:
    This will generate some traffic under the Network tab in the Developer tools window.  Save the output to a .har file and forward that onto Click Studios support to look at.

     
     
    Regards,
    Support
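
A .har capture of this login flow records request and response headers, cookies and bodies, so it can be scrubbed before it is forwarded. The following is an added example, not part of the original post and not Click Studios code; the parameter names, the sample host and path, and all sample values are assumptions constructed for illustration.

```python
import copy

# Names treated as secret. "apikey" is the header the page's API script sends;
# the parameter names are assumptions, extend them for your deployment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "apikey"}
SENSITIVE_PARAMS = {"password", "masterpassword", "apikey", "token"}
REDACTED = "REDACTED"

def _scrub_pairs(pairs, names):
    """Redact the value of each {"name", "value"} pair whose name is in names."""
    hits = 0
    for pair in pairs or []:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED
            hits += 1
    return hits

def redact_har(har):
    """Return (sanitised deep copy of a HAR 1.2 dict, number of values redacted)."""
    har = copy.deepcopy(har)
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for msg in (request, response):
            count += _scrub_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            # HAR also stores cookies as a parsed list; redact every value.
            for cookie in msg.get("cookies") or []:
                cookie["value"] = REDACTED
                count += 1
        hits = _scrub_pairs(request.get("queryString"), SENSITIVE_PARAMS)
        count += hits
        if hits:
            # The same secret is repeated inside the URL, so drop its query part.
            request["url"] = request.get("url", "").split("?", 1)[0] + "?" + REDACTED
        post = request.get("postData") or {}
        count += _scrub_pairs(post.get("params"), SENSITIVE_PARAMS)
        # Bodies are redacted whole: they can carry credentials in any encoding.
        for body in (post, response.get("content") or {}):
            if body.get("text"):
                body["text"] = REDACTED
                count += 1
    return har, count

# Constructed sample capture (not real traffic; host, path and values are made up).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://passwordstate.example/api/login?token=abc123",
        "headers": [{"name": "APIKey", "value": "0000-constructed"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "s3cr3t"}],
        "queryString": [{"name": "token", "value": "abc123"}],
        "postData": {"mimeType": "application/json", "text": "{\"password\": \"hunter2\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=s3cr3t"}],
        "content": {"mimeType": "application/json", "text": "{\"ok\": true}"},
    },
}]}}

if __name__ == "__main__":
    print(redact_har(SAMPLE_HAR)[1], "values redacted")
```

URLs, methods, status codes, timings and non-sensitive headers are left intact, which is what a connection-error diagnosis relies on.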
     
     
  10. Like
    Mordecai reacted to HeizungAuf5 in Passwordstate roadmap   
    Hi there!
     
    Is there any roadmap for upcoming Passwordstate releases/features for 2024?
     
    I've read a few times that a Passwordstate V10 Major Version is upcoming. Are there any plans for that?
     
    Greetings!
  11. Like
    Mordecai reacted to support in Host Folders via API   
    Hi Mordecai,
     
    The only other API functionality we think we'll be adding at this stage is related to documentation, specifically searching for documents.  No changes will be made to existing API code so your existing scripts won't be affected, and we'll be releasing the first build of Passwordstate 10 as a beta to all users.  Normally we'll run the beta for about 2 months and fix any issues that were reported before the first stable version is released.
     
     
    Regards,
    Click Studios.
     
     
     
  12. Like
    Mordecai reacted to Sarge in Native support for resetting KRBTGT   
    There is a STIG requirement to reset KRBTGT password every 180 days: The password for the krbtgt account on a domain must be reset at least every 180 days. (stigviewer.com)
    It would be nice to be able to have Passwordstate handle this in the recommended manner; which is to reset the password twice with at least a 10 hour pause between each reset.
    AD Forest Recovery - Resetting the krbtgt password | Microsoft Learn
     
    We're currently doing this through a custom script and the API; but native support would be appreciated.
  13. Like
    Mordecai reacted to Jack M in Develop Yubikey ONLY auth for browser plugin (FIDO 2) to replace Master Password   
    We would like the ability to use our Yubikey (FIDO 2) to authenticate with the browser add-on instead of a Master Password set in Passwordstate. Our users get confused having their domain credentials for logging into Passwordstate portal then separate master password for the browser addon. Would like to replace master password with yubikey auth.
  14. Like
    Mordecai reacted to support in Passkeys   
    Hi Everyone, 
     
    Build 9849 of Passwordstate has been released, along with a new version of our Browser extensions for Chrome, Edge and Firefox that now supports Passkeys.  The browser extension versions are also 9849 and should have automatically updated in your browser.  Currently this is a beta build of the Passkeys functionality, and we'd appreciate if you notice any bug to please log a support call with Click Studios via this page: https://www.clickstudios.com.au/support.aspx
     
    You'll need to upgrade your core Passwordstate application to the latest build by following this guide: https://www.clickstudios.com.au/downloads/version9/Upgrade_Instructions.pdf
     
    Once upgraded, you'll find a new section in the Help -> Browser Extensions Manual called "Web Authentication Passkeys" that will help understand how to use this new feature.
     
    Supported websites can be found at this link:  https://passkeys.directory/
     
    Thanks to all for your feature request, and if you run into any issues with it, or have any questions, please let us know!
     
    Regards,
    Support
  15. Like
    Mordecai reacted to support in Host Folders via API   
    Hello,
     
    This functionality will be coming in version 10, which we are currently working on. Specifically, the following - at this stage we do not have a release date for V10 though.
     
    Hosts
    1. Adding a Host record
    2. Deleting a Host record
    3. Searching for Host records
     
    Host Folders
    1. Add Host Folder
    2. Delete Host Folder
    3. Search Host Folder
    4. Add Host Folder Permissions
    5. Delete Host Folder Permissions
    6. Add Host Records into Folder
    7. Remove Host Records from Folder
     
    Remote Session Credentials
    1. Add Remote Session Credential
    2. Update Remote Session Credential
    3. Delete Remote Session Credential
    4. Search Remote Session Credentials
    5. Add Remote Session Credential Permission
    6. Delete Remote Session Credential Permission
    7. Search Remote Session Credential Permissions
     
    Regards
    Click Studios
  16. Like
    Mordecai reacted to Sarge in Custom Reporting   
    It would be fantastic to be able to customise what fields are included in the reports that can be scheduled. For example a Password List used to store SSL certificates with a number of custom fields; currently the report only shows the title and expiry date as we don't use any of the other default fields - we'd love to be able to select which fields to show on the report (exclude empty fields and include custom fields). If they could be scheduled from the administration area as well rather than in a specific users context that would be great as well so all administrators can see/modify the reports easily. If the wording of the report email could be customised in the same manner other email templates are.  Ability to allow users to run reports without giving them the reporting security administrator role. (We have separate accounts for security administrator roles).
  17. Like
    Mordecai reacted to harrisonolivia in Custom Reporting   
    It would really be great!
  18. Like
    Mordecai reacted to Phaust in Passwordstate API to allow setting API key for a Password List   
    For an automation process we have, we would need to create a large number of password lists in one Passwordstate folder for an 'admin' account.
    Those password lists will be shared with exactly 1 person, and contain a password to a service. We would like those people to be able to access Passwordstate API to retrieve said passwords.
    The users can't use WinAPI, as the machine they will be accessing Passwordstate API from, doesn't have an AD account for them.
    Hence,  the users are limited to using the default API. To connect to it, they need to have an API key. However, we can't generate nor set an API key for them programmatically.
    We can't generate API keys manually, as it's too much manual work on our end. We can't let users generate their API key themselves, because for that they have to have at least M or A privileges, and we would like to have them limited to V. 
    Hence, we would like to have a WinAPI endpoint to generate \ set an API key for a given password list.
    Do you think it sounds reasonable? 
  19. Like
    Mordecai reacted to Phaust in Passwordstate API to allow setting API key for a Password List   
    Hey!
     
    For the use case I have in mind, it's a Linux machine with no AD account on it. I am aware of the possibility of running WinAPI on Linux, but that won't work as the users can't use DefaultCredentials (bcz of lack of AD account on the machine), and if they were to provide their AD password directly to WinAPI with plaintext credentials - it will completely defeat the purpose of using Passwordstate. We aim to use it to avoid passing AD password in plain text to perform SSO, but rather retrieve a password from Passwordstate programmatically, where we can limit the potential disaster effect of revealing the auth method to Passwordstate. If an API key leaks - we have 1 password compromised (as there's only 1 password in that password list), but if an AD password leaks - we have the whole Passwordstate database for the taking. Thus, generating plain API keys using WinAPI would help us tremendously.
    Hope that makes sense.
  20. Like
    Mordecai reacted to support in Password Reset Dependency - Update multiple records with the same password   
    Topic:
    In this forum post we'll describe how you can update multiple records with the same password, by using a Password Reset Dependency and a Powershell API script.  Passwordstate has the ability to copy and link password records between two Password Lists, but this means everything with these two records is identical, including the username.
     
    If you have some requirement to have the same password to log into two different systems, but with different usernames, this forum post will guide you how to do this.
     
    First, let's take a look at these two Password Records.  Our goal here is to trigger a reset on "Passwordstate Service Account" record, and then have our API script automatically update the "Passwordstate Sharepoint Account" password to be the same value.  Take note of the PasswordID for this second record:

     
    Now, let's browse to the Powershell Password Resets page:

     
    Add a new Blank Script:

     
    And then click on this new script to open the editor.  Paste in the code of your choice.  The code in this screenshot below will be copied in at the end of this post for your reference. In the screenshot below, you can see you have a number of Variables you can insert into your script.  These values are pulled directly from the master Password Record, and in this example, I'll be using the [NewPassword] variable.  This just means, when the password for the master record is reset through the User Interface, then that new password it is reset to will be passed to your script:

     
    We'll now add in a new Password Reset Dependency on the master record:

     
    Click the Add Dependency button:

     
    And select the Custom Script you wrote.  Also, ignore the Windows Account Dependency type, and Save this config:

     
    The Master Password now has "1" dependency, and triggering a Password Reset on this master record will proceed as per normal and queue up the reset.  In this example, it's also going to reset the password for the account in Active Directory:
     

     
    Once the master password has successfully reset, it will trigger your Powershell API Script, which  in turn triggers a new password reset on the Sharepoint account:
     

     
    And the end result of the two successful Password Resets, means these two separate accounts, will have the same password:

     
     
    Powershell Code to Update an Existing Password, using the Standard API (Requires API Key)
     
    $PasswordstateUrl = "https://passwordstate.clickdemo.com"

    # Define the values for the password record to update in the hashtable below.
    # [NewPassword] is the script variable described above; it is quoted so the
    # value inserted in its place is treated as a string.
    $Body = @{
        PasswordID = "1045"
        Password   = '[NewPassword]'
    }
    # Convert the hashtable to JSON
    $jsonData = $Body | ConvertTo-Json
    # Execute the command
    $FullUrl = "$PasswordstateUrl/api/passwords"
    Invoke-RestMethod -Method Put -Uri $FullUrl -ContentType "application/json" -Body $jsonData -Headers @{ "APIKey" = "8c5423d3e9a7bf6ad6cf8e457392b3d6" }
     
     
    Regards,
    Support


  21. Like
    Mordecai got a reaction from Goossens in [WinAPI/API] Get Permissions of folder   
    Hi,
     
    Short Version: For automating permissions of folders I need the ability to view the currently configured permissions for a folder; this is an essential feature. Can you please create a report or an API method for getting folder permissions? Thanks.
     
    Long Version:
    In another post you said, that we should use the predefined reports to get permissions of folders/passwords/passwordlists via the API.
    But I cannot find a report where I can view the permissions of a folder. Only for Passwords and Password Lists.
     
    Password Permissions: Report 43: https://passwordstate/winapi/reporting/43?SiteID=0
    PasswordList Permissions: Report 23: https://passwordlist/winapi/reporting/23?SiteID=0
     
    It seems to me that Report 23 is only for Password Lists, Report 43 is only for Passwords. Report 24 & 25 are for users and groups (reverse).
    Report 38 is for folders, but the result is only a count on the administrators of the folder.
     

     
    I had tested all permission reports, they work and I can use them for many purposes (thanks for this). But unfortunately, as I said, I'm missing a report about folder permissions.
    Which report should I use? Or can't you introduce a new property in the API for this?

    Thanks,
    René
  22. Like
    Mordecai reacted to Red in Password Reset Script for Fortigates with VDOMs enabled   
    Hi,
     
    The default script "Reset Fortigate Password" to reset passwords on Fortigate firewalls will fail when virtual domains (VDOMs) are enabled on the device. This is due to the wrong starting environment when connected to the firewall. In this case, one can copy the existing powershell script and replace the lines
     
    if ($PrivilegedAccountUserName -ne '')
    {
        $ResetCommands = "config system admin`redit $UserName`rset password $NewPassword`rend`rexit`r"
    }
    else
    {
        $ResetCommands = "config system admin`redit $UserName`rset password $NewPassword $OldPassword`rend`rexit`r"
    }

    with

    if ($PrivilegedAccountUserName -ne '')
    {
        $ResetCommands = "config global`rconfig system admin`redit $UserName`rset password $NewPassword`rend`rexit`r"
    }
    else
    {
        $ResetCommands = "config global`rconfig system admin`redit $UserName`rset password $NewPassword $OldPassword`rend`rexit`r"
    }

    The new commands start with "config global" to change into the global context of the Fortigate. From that point onward, the commands are the same.
     
    Regards,
    Red
  23. Like
    Mordecai reacted to Josh-Hemphill in Dark Theme / Mode   
    Inevitably someone had to bring this one up. 
    In the current interface, the tab bar with the "Passwords", "Hosts", "Administration", doesn't play nice with the most pervasive Dark Reader extension, so just making that play nice would make it look okay for Dark Reader users.
    But a native dark theme would be wonderful.
  24. Like
    Mordecai reacted to Smartyparts in Allow API to enable "Require Check Out' and "force change on check in" when creating new Records.   
    We'd like to be able to enable the "Password requires check out" and "change password on check in" when creating a new record through the API.
     
     
  25. Like
    Mordecai reacted to BigDaddyJ in Folder level API access   
    Please add the ability to allow the folder level API key permissions to be propagated to the lower level folders, lists, and passwords.  We would like to give some of our teams API access to all the items under their team folder without using the system wide API key or the Windows access API.