[SOLVED] Encrypting your Wapt passwords

louisinger
Messages: 27
Registration: June 26, 2018 - 09:40

July 18, 2018 - 3:49 PM

Hello,

In one of my scripts, I upload a package to the server. This function requires two passwords (admin password and private key password). Are we required to hardcode the password in the code, given that it's included in the packages?
Last edited by louisinger on Jul 20, 2018 - 08:47, edited 1 time.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 18, 2018 - 11:01 PM

louisinger wrote: July 18, 2018 - 3:49 PM Are we required to hardcode the password in the code knowing that it is present in the packages?
I don't understand, did you put your wapt server password and your private key password in a wapt package?
louisinger
Messages: 27
Registration: June 26, 2018 - 09:40

July 19, 2018 - 08:22

In a package named `dispatch` that allows the automatic installation of GROUP packages,
I perform a build-upload in the script after editing my host package. That's why my password ended up in a package.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 19, 2018 - 2:10 PM

louisinger wrote: Jul 19, 2018 - 8:22 AM In a package named dispatch that allows the automatic installation of GROUP packages.
So I do a build-upload in the script after editing my host package. That's why my password ended up in a package.
You absolutely must not do that. Wapt packages are accessible to anyone for reading.
No sensitive information should be placed in a package unless it is encrypted.

Example package: https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt

If you want to create wapt packages using a script (a crontab) on a machine:
viewtopic.php?f=9&t=1341

Otherwise, if I understand correctly what you want to do, I advise you to read this:

https://www.wapt.fr/fr/doc/CreationPaqu ... quets-wapt

This does not create a machine package but it works very well.

Another possibility:
https://blog.lesfourmisduweb.org/gestio ... e-package/


In short, explain to us what you want to do and we will give you a solution.
But clearly, do not store your wapt password in a package!
louisinger
Messages: 27
Registration: June 26, 2018 - 09:40

July 19, 2018 - 3:51 PM

I agree that storing the password in a script within a package is counterproductive. Let me explain:
I wanted to create my user groups based on their hostname. So I created my group packages and coded my script. Depending on the client's hostname, the `mnt-dispatch` package installs the corresponding group package. Initially, I used `Wapt.install(group_name)`, but this caused a problem: the package was installed on the machine but didn't become a dependency! That's why I wanted to replace `Wapt.install()` with `Wapt.edit_host()` and `Wapt.build_upload()` because `edit_host()`, unlike `install()`, allows me to add a dependency to the host package.

Here is the code for the setup.py file of the mnt-dispatch package:

Code:

# setup.py of the mnt-dispatch package, as posted.  The values shown as *** are
# masked in the post; they are hardcoded here, which is what the replies warn against.
import os
from setuphelpers import *
from common import Wapt

# alias_groupe and switcher: lookup tables mapping a four-character site prefix
# to a group package name; defined elsewhere in the package (not shown in the post)

def install():
    print('Start dispatching')
    # programfiles32 is already an absolute path, so no drive prefix is needed
    myWapt = Wapt(config_filename = makepath(programfiles32, 'wapt', 'wapt-get.ini'))
    print("write into ini file")
    # raw string: the UNC path contains backslashes that are not escape sequences
    inifile_writestring(myWapt.config_filename, 'global', 'personal_certificate_path', r'\\**************\c$\private\********.crt')
    print("get hostname and computername")
    computer_name = os.environ['COMPUTERNAME']
    print('computer name = %s'%computer_name)
    host_name = myWapt.host_packagename()
    print('host name = %s'%host_name)
    pathToTempDirectory = r'C:\Temp\%s'%computer_name
    if isdir(pathToTempDirectory):
        print('remove temp tree : ' + pathToTempDirectory)
        remove_tree(pathToTempDirectory)
    print('site name :')
    site_name = computer_name[0:4]
    print("site name is : %s" %site_name)
    group_name = alias_groupe.get(switcher.get(site_name, 0), 'hors-lot')
    print("group name is : %s"%group_name)
    # edit_host writes the host package into pathToTempDirectory; build_upload signs and uploads it from there
    myWapt.edit_host(host_name, target_directory = pathToTempDirectory, append_depends = group_name)
    myWapt.build_upload(pathToTempDirectory, private_key_passwd = '***', wapt_server_user = 'admin', wapt_server_passwd = '***')
    return 0
Do you understand my problem a little better now? Sorry if it's not clear.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 19, 2018 - 4:34 PM

In this case, you need to create a separate Python script that runs as a scheduled task.

Do not put it in a package. Otherwise, we are forced to put the passwords in the package.

Script algorithm:

- Database scan
- For each item, analyze the inventory to determine what needs to be added as a dependency.

Code:

import json
from setuphelpers import wgets

# Basic-auth credentials are passed in the URL here, as posted; the loop body is a placeholder
data = json.loads(wgets('https://%s:%s@%s/api/v1/hosts?columns=host_certificate&limit=10000' % (user,password,urlserver)))
for value in data['result']:
    pass  # inspect value and decide which group to add as a dependency
- Edit the machine package.
- Add dependencies
- Upload the machine package.

Code:

# Runs on the console machine (Python 2 in WAPT 1.x, hence the ur'' literals) and
# uses the console's waptconsole.ini rather than the agent's wapt-get.ini
from setuphelpers import makepath
from common import Wapt

myWapt = Wapt(config_filename=makepath(r'C:\Users\Administrateur\AppData\Local\waptconsole\waptconsole.ini'))
tmpdir = 'c:/dummy'
# edit_host writes the host package into tmpdir; build_upload must sign and upload from the same directory
myWapt.edit_host(machine,target_directory=tmpdir,append_depends='tis-firefox')
myWapt.build_upload(tmpdir,private_key_passwd=ur'passwordkey',wapt_server_user='admin',wapt_server_passwd=ur'passwordserver')
vcardon
WAPT Expert
Messages: 278
Registration: Oct 06, 2017 - 10:55 p.m.
Location: Nantes, France

July 19, 2018 - 9:26 PM

louisinger wrote: Jul 19, 2018 - 8:22 AM In a package named dispatch that allows the automatic installation of GROUP packages.
So I do a build-upload in the script after editing my host package. That's why my password ended up in a package.
Simon, you answered perfectly.

I'm adding another layer to ensure that those who use WAPT NEVER put their passwords in a package, neither in Community nor in Enterprise.

Indeed, in WAPT's security model, packages are not a sensitive asset in the cybersecurity sense.

If you put your key password and your server password in your package and your package is retrieved by an unauthorized and malicious entity, then it will control your network.

A post-mortem audit by a security auditor will prove beyond a doubt that your signature was used to deploy the malware, and you will have a very difficult time proving that you did not intentionally cause the damage. Indeed, the WAPT documentation is clear, explicit, and unambiguous on this point.

In the best-case scenario, you will only have to find a new job burdened by your new reputation; otherwise, you will have to find a good lawyer if your mistake has caused an accident with irreparable material, financial, or human consequences.

So, a word to the wise.

Vincent
Vincent CARDON
Tranquil IT
louisinger
Messages: 27
Registration: June 26, 2018 - 09:40

July 20, 2018 - 08:16

sfonteneau wrote: July 19, 2018 - 4:34 PM In this case, you need to create a separate Python script that runs as a scheduled task. [...]
So it will be a script! However, the same problem remains: my password is hardcoded. I think at the beginning of the script I'll ask the user for both passwords.

@vcardon I understand the risk of hardcoding a password in a package. That's why I came to ask for an alternative, but thank you for your warning.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

July 20, 2018 - 09:31

FYI

Code:

# Runs on the console machine: waptguihelper ships with the WAPT console (Windows)
# and opens the same password dialogs the console uses, so nothing is stored in the script
from setuphelpers import *
import waptguihelper

urlserver = inifile_readstring(makepath(install_location('WAPT_is1'),'wapt-get.ini'),'global','wapt_server')
mycrt = inifile_readstring(makepath(user_local_appdata(),'waptconsole','waptconsole.ini'),'global','personal_certificate_path')

passwordkey = waptguihelper.key_password_dialog('Password for private key',mycrt, '')
credentials_url = waptguihelper.login_password_dialog('Credentials for wapt server',urlserver,'admin','')

# printed here only to show the returned structures; do not log these in a real script
print(passwordkey['keypassword'])
print(credentials_url['user'])
print(credentials_url['password'])
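
As an added example (not code from this thread nor from Tranquil IT), here is a Python 3 sketch of the scheduled-task script sfonteneau outlines above (scan the hosts list, work out the group per host, edit the host package, upload it), written so that the passwords louisinger worries about are never in the file: they come from the environment of whatever launches the task, or from an interactive prompt, and the server password goes in an Authorization header rather than in the URL. Everything else is an assumption made for the example: the environment variable names, the JSON shape and column names of /api/v1/hosts, that host packages are named after the host uuid, and the site table that stands in for the thread's alias_groupe/switcher. The host list is a constructed sample embedded inline so the logic runs offline, and RecordingClient is a dry-run stand-in for common.Wapt with the same edit_host/build_upload call shape as in the posts above.

```python
import base64
import getpass
import json
import os
import urllib.request

# Constructed sample of the JSON the server's /api/v1/hosts endpoint returns (shape assumed:
# only 'result', 'uuid', 'computer_fqdn' and 'depends' are relied on).
SAMPLE_HOSTS_JSON = json.dumps({
    "success": True,
    "result": [
        {"uuid": "a1", "computer_fqdn": "PARI-PC042.example.lan", "depends": "site-paris"},
        {"uuid": "b2", "computer_fqdn": "LYON-LAP007.example.lan", "depends": ""},
        {"uuid": "c3", "computer_fqdn": "XXXX-PC001.example.lan", "depends": None},
    ],
})

# Site prefix (first four characters of the computer name) -> group package.  Stands in
# for the alias_groupe/switcher tables of the thread; 'hors-lot' is the thread's fallback.
SITE_GROUPS = {"PARI": "site-paris", "LYON": "site-lyon"}
DEFAULT_GROUP = "hors-lot"


def group_for(computer_name):
    return SITE_GROUPS.get(computer_name[:4].upper(), DEFAULT_GROUP)


def load_credentials(env=os.environ, prompt=getpass.getpass):
    """Key and server passwords come from the process environment (set by whatever runs
    the task) or from an interactive prompt; they never appear in the source file."""
    key_pw = env.get("WAPT_KEY_PASSWORD") or prompt("Private key password: ")
    srv_pw = env.get("WAPT_SERVER_PASSWORD") or prompt("WAPT server password: ")
    return key_pw, srv_pw


def fetch_hosts_json(server_url, user, password):
    """GET the host list with HTTP Basic auth in a header rather than in the URL, so the
    password does not land in proxy logs or shell history.  Column names are assumed."""
    url = server_url.rstrip("/") + "/api/v1/hosts?columns=uuid,computer_fqdn,depends&limit=10000"
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:  # default TLS certificate verification stays on
        return resp.read().decode("utf-8")


def plan_dispatch(hosts_json):
    """Return (host_package, group) for every host whose host package does not yet depend
    on its site group, so a re-run changes nothing.  Assumed: host packages are named after
    the host uuid and 'depends' is the host package's comma-separated dependency list."""
    plan = []
    for h in json.loads(hosts_json)["result"]:
        computer_name = h["computer_fqdn"].split(".")[0]
        group = group_for(computer_name)
        current = {d.strip() for d in (h.get("depends") or "").split(",") if d.strip()}
        if group not in current:
            plan.append((h["uuid"], group))
    return plan


class RecordingClient:
    """Dry-run stand-in for common.Wapt: records edit_host/build_upload calls instead of
    touching the server, so the plan can be reviewed before it is applied for real."""
    def __init__(self):
        self.calls = []

    def edit_host(self, host_package, target_directory, append_depends):
        self.calls.append(("edit_host", host_package, target_directory, append_depends))

    def build_upload(self, sources_directory, private_key_passwd, wapt_server_user, wapt_server_passwd):
        # the passwords are deliberately not recorded
        self.calls.append(("build_upload", sources_directory, wapt_server_user))


def apply_plan(client, plan, key_pw, srv_pw, workdir):
    """Edit, sign and upload one host package per planned entry; returns the count."""
    for host_package, group in plan:
        target = os.path.join(workdir, host_package)
        client.edit_host(host_package, target_directory=target, append_depends=group)
        client.build_upload(target, private_key_passwd=key_pw,
                            wapt_server_user="admin", wapt_server_passwd=srv_pw)
    return len(plan)


if __name__ == "__main__":
    # For a real run on the console machine, replace the two lines below with
    #   from common import Wapt; client = Wapt(config_filename=<path to waptconsole.ini>)
    #   hosts_json = fetch_hosts_json("https://<wapt server>", "admin", srv_pw)
    key_pw, srv_pw = load_credentials()
    client = RecordingClient()
    n = apply_plan(client, plan_dispatch(SAMPLE_HOSTS_JSON), key_pw, srv_pw, r"C:\Temp\dispatch")
    print("planned %d host package update(s)" % n)
```

Run it once with RecordingClient and inspect client.calls before swapping in the real Wapt object; the environment variables are read by the task's own process, so they are never written into a package or into the script itself.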

louisinger
Messages: 27
Registration: June 26, 2018 - 09:40

July 20, 2018 - 10:02

sfonteneau wrote: FYI [...]

Unable to find the waptguihelper module :/