can I have some ideas on security in JMeter please?
in order to use JMeter behind a corporate proxy the following format can be used to launch from the command line:
jmeter -H localhost -P 8888 -u username -a password -N localhost
Once JMeter is opened (and usual https certificate process followed) I use JMeter recorder to access a corporate application and complete usual business processes (including entering login details).
There are at least two issues with this approach:
a) network scans record any java application being run, with credentials in plain text
b) the JMX file produced has credentials saved in plain text, from when user logs into any secure application.
For the first issue, is it possible to change the http.proxyPass and http.proxyUser values? If so, how best to secure them to prevent anyone monitoring the network from seeing them?
For second issue, how best to hide this information? Parameterize the relevant http requests after manually checking the entire project? The most secure way would be to avoid using the recorder but this would be impractical.
Thanks, D
Any data will be stored in the .jmx test script as plain text.
If you don't want it to appear there you can:
Add User Defined Variables and define the JMeter Variables reference names with their respective values which you want to substitute there
During recording HTTP(S) Test Script Recorder will automatically substitute the values with the JMeter Variables
Replace hard-coded sensitive values with __P() functions
When you will be executing JMeter test you will be able to provide values in the runtime via -J command-line arguments as:
jmeter -Jusername=secret-username -Jpassword=secret-password etc.
Related
I am maintaining an application in our company (written in C#), which runs on a jumphost and provides the functionality to search across different servers and initiate a PuTTY connection to that server. For this the application currently starts the PuTTY process and passes arguments, like the hostname, username and password. The password for each server is retrieved from a password manager service. The arguments are passed to PuTTY through the command line interface. So the purpose of the application is to automate password retrieval and login to different servers.
The problem with the current approach is, that in the Windows Task Manager its possible for an administrator to see all started PuTTY instances and the corresponding credentials as command line arguments.
So far I haven't found any practical solution to circumvent this. These are the things I researched so far:
Instead of passing password argument, using SendKeys to type password into the promt: Unreliable, as there is no way to read the PuTTY output and know when the application is ready for the input to be typed in.
Using Plink instead of PuTTY and passing arguments through stdin: Plink supports stdin / stdout communication, however the terminal functionality is very limited and not usable in practice after the login was successful.
Modifying PuTTY to mask password: I have seen some suggestions, to modify the PuTTY source code, to overwrite the password in the main args, once the application started. However, this solution seems to only work on Linux, not Windows.
Using SSH.NET library to provide my own SSH terminal implementation: The SSH.NET library seems to be similarly to Plink more suitable for issuing commands programmatically, but not for opening a terminal for the user. I guess it would require a lot of work to implement a full terminal.
Some ideas, that might work:
Modify the PuTTY code, so that arguments can be passed through stdin: Could work, but I don't know how easy that would be, as I don't have very good C knowledge.
Use an alternate client, that supports stdin output. The Java library JSch looks quite powerful and seems to already include a terminal. Would it be possible to create a standalone application, that can a receive stdin and use that to open a terminal and auto login?
Any further suggestions would be greatly appreciated. Are you aware of any other Windows alternative to PuTTY, which supports passing credentials in a more secure way?
Following the suggestion of Martin Prikryl I was able to create a minimal example, which creates a NamedPipe in C# and passes it as a pwfile argument to PuTTY:
public void CreatePipe()
{
var server = new NamedPipeServerStream("SecretPipe");
server.WaitForConnection();
StreamWriter writer = new StreamWriter(server);
writer.Write("top!!secret");
writer.Flush();
server.Dispose();
}
Then PuTTY can be started as follows with the pipe as pwfile argument:
putty.exe -l testuser -pwfile "\\.\PIPE\SecretPipe" hostname
Since 0.77, PuTTY can read the password from a file using -pwfile switch.
Colleagues, i used Jasypt in my spring-boot project (standalone jar running on Windows).
I need to pass master password via command line to run jar .
It looks like:
java -jar -Djasypt.encryptor.password=masterpass app-1.0.0-RELEASE.jar
So anybody can see masterpass via Windows Task Manager:
How to secure this masterpass?
I have found an example where master password is stored in Windows Environment variable, but, it seems, no good idea.
It is generally very difficult to hide anything when running on the client's workstation. At the end - when passwords/keys are encrypted, you need to store the password or private key somewhere anyway :/
You can encode/encrypt data to make it more difficult, but once the binaries and configuration reside at the client side, you won't stop a dedicated adversary easily.
If you at least don't want to show the password outside (in the environment or command line) - how about reading the master password from a file and setting a system property in the main before running anything else?
(please let me know if it worked)
At least you should not provide the master-password via commandline option as if other users have access to the machine they can retrieve it from the process list.
Instead provide it via a separate configuration file. So in case you are using spring-boot and have your regular env properties in config/application.properties then simply add a config/application.yml file with just the master-password and keep that only on the machine with only user permissions (chmod go -rxw). See e.g. here:
https://github.com/oasp/oasp4j/wiki/guide-configuration#password-encryption
Everything else from the installation may come from your git repo where people with access only see encrypted passwords but can not decrypt unless they have the master-password what they do not have if they have no physical access to the productive machine. Operators may provide the passwords only encrypted to the dev team so they never know the actual passwords. DevOps gurus might not like this but keeping the passwords secret to a minimum number of admins is generally good for security.
when I run kinit ganesh#abc.com it asks for the password when I run through the terminal. I am trying to build same as web application using java
Acceptance criteria:-
password should pass through UI and we should able connect to the server. i.e password which we pass through UI should assign asa password.
I would recommend you to use Jsch, you can find this library here
http://www.jcraft.com/jsch
And an example or ssh connection here
http://www.jcraft.com/jsch/examples/Shell.java.html
If you're using OpenSSH ssh client, you can try implementing passing password via a companion program, specified via SSH_ASKPASS variable. Basically, you need SSH_ASKPASS to point to a binary ssh would run, and that binary must output the password on stdout.
Check this answer: How to make ssh receive the password from stdin for more details and a concrete example.
The downside is, you need an external binary - and you need to think about its security. For example, if the binary is a dynamically-generated shell script in /tmp - you need strict filesystem permissions so no one but your ssh child process can read or execute it. And if the binary itself is static and takes password from, for example, an environment variable, you must make sure that SSH won't accidentally pass this variable to remote host (e.g. via accidentally specified SendEnv).
You can use some Java SSH library (like suggested Jsch - there is a list here: SSH library for Java), if that fits your requirements. It should be the most flexible option - in terms of control you have over SSH client behavior, unless you want something Jsch doesn't support.
Also, I'd strongly suggest to consider not using passwords, but your server having a private key, and servers you connect to appending its public key to ~/.ssh/authorized_keys (unless you need password-based logins for exactly this purpose, of course). If that's a feasible scenario, you can avoid sharing any sensitive information entirely, significantly improving the security.
I am working on some machine learning for chemical modelling in python. I need to run a java app (from command line through python subprocess.call) and a python webserver. Is this possible on AWS EC2?
I currently have this setup running on my mac but I am curious on how to set it up on aws.
Thanks in advance!
Since you're just making a command line call to the Java app, the path of least resistance would just be to make that call from another server using ssh. You can easily adapt the command you've been using with subprocess.call to use ssh -- more or less, subprocess.call(['ssh', '{user}#{server}', command]) (although have fun figuring out the quotation marks). As an aside on those lines, I usually find using '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' stabilizes scripted SSH calls in my environment.
The more involved thing will be setting up the environments to properly run the components you need. You'll need to set up ssh configs so that your django app can ssh over and set up -- probably with private key verification. Then, you'll need to make sure that your EC2 security groups are set up to allow the ssh access to your java server on port 22, where sshd listens by default.
None of this is that hairy, but all the same, it might be stabler to just wrap your Java service in a HTTP server that your Django app can hit. Anyway, hope this is helpful.
I am writing a Java program that can programmatically SSH into any remote machine and execute commands. I am re-using an existing Java library to do so: https://github.com/shikhar/sshj
The issue I am running into is figuring out how to sudo switch user as such:
"sudo su - [username here]".
If you run this manually in the terminal, you will be prompted with a password. As I understand it, if you are under the sudoers file, and you type your password correctly, you will be able to run the command to switch the user as such. I don't want to have the user to have to type in their password. Ideally, the program shouldn't require any human intervention at all in order to run.
What I would like to achieve is: Programmatically send the password over the socket so the user wouldn't have to type it into standard in. If the user can login to the remote machine using his credentials, the program should be able to pick up on these same credentials and pass it in when sudo asks for a password from the user.
After Googling for a while, I can't figure out how to achieve this with this library. Bare in mind I am not really an expert at the lower-level details of SSH. Anyone have an idea on this one?
Thanks guys.
We've written the Overthere library on top of SSH/J, which supports logging in with sudo with or without a password prompt. Have a look at that to see whether it suits your needs.
That shouldn't be a problem. You can configure sudo to don't require a password for certain users. Have a look at sudo's documentation and sudoers man page.