
[SOLVED] Encrypting your Wapt passwords

Published: July 18, 2018 - 3:49 PM
by louisinger
Hello,

In one of my scripts, I upload a package to the server. This function requires two passwords (admin password and private key password). Are we required to hardcode the password in the code, given that it's included in the packages?

Re: Encrypting your Wapt passwords

Published: July 18, 2018 - 11:01 PM
by sfonteneau
louisinger wrote: July 18, 2018 - 3:49 PM Are we required to hardcode the password in the code knowing that it is present in the packages?
I don't understand. Did you put your wapt server password and your private key password in a wapt package?

Re: Encrypting your Wapt passwords

Published: July 19, 2018 - 08:22
by louisinger
In a package named `dispatch` that allows the automatic installation of GROUP packages,
I perform a build-upload in the script after editing my host package. That's why my password ended up in a package.

Re: Encrypting your Wapt passwords

Published: July 19, 2018 - 2:10 PM
by sfonteneau
louisinger wrote: Jul 19, 2018 - 8:22 AM In a package named dispatch that allows the automatic installation of GROUP packages.
So I do a build-upload in the script after editing my host package. That's why my password ended up in a package.
You absolutely must not do that. Wapt packages are accessible to anyone for reading.
No sensitive information should be placed in a package unless it is encrypted.

Example package: https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt

If you want to create wapt packages using a script (a crontab) on a machine:
viewtopic.php?f=9&t=1341

Otherwise, if I understand correctly what you want to do, I advise you to read this:

https://www.wapt.fr/fr/doc/CreationPaqu ... quets-wapt

This does not create a machine package but it works very well.

Another possibility:
https://blog.lesfourmisduweb.org/gestio ... e-package/


In short, explain to us what you want to do and we will give you a solution.
But clearly, do not store your wapt password in a package!

Re: Encrypting your Wapt passwords

Published: July 19, 2018 - 3:51 PM
by louisinger
I agree that storing the password in a script within a package is counterproductive. Let me explain:
I wanted to create my user groups based on their hostname. So I created my group packages and coded my script. Depending on the client's hostname, the `mnt-dispatch` package installs the corresponding group package. Initially, I used `Wapt.install(group_name)`, but this caused a problem: the package was installed on the machine but didn't become a dependency! That's why I wanted to replace `Wapt.install()` with `Wapt.edit_host()` and `Wapt.build_upload()` because `edit_host()`, unlike `install()`, allows me to add a dependency to the host package.

Here is the code for the setup.py file of the mnt-dispatch package:

```python
# -*- coding: utf-8 -*-
from os import environ

from setuphelpers import *
from common import Wapt

# alias_groupe and switcher are lookup dicts defined elsewhere in the script (not shown here)


def install():
    print('Start dispatching')
    myWapt = Wapt(config_filename=makepath('c:', programfiles32, 'wapt', 'wapt-get.ini'))
    print("write into ini file")
    inifile_writestring(WAPT.config_filename, 'global', 'personal_certificate_path', '\\\\**************\c$\private\********.crt')
    print("get hostname and computername")
    computer_name = environ['COMPUTERNAME']
    print('computer name = %s' % computer_name)
    host_name = myWapt.host_packagename()
    print('host name = %s' % host_name)
    pathToTempDirectory = r'C:\Temp\%s' % computer_name
    if isdir(pathToTempDirectory):
        print('remove temp tree : ' + pathToTempDirectory)
        remove_tree(pathToTempDirectory)
    # the first four characters of the computer name identify the site
    site_name = computer_name[0:4]
    print("site name is : %s" % site_name)
    group_name = alias_groupe.get(switcher.get(site_name, 0), 'hors-lot')
    print("group name is : %s" % group_name)
    # add the group package as a dependency of the host package, then rebuild and upload it
    myWapt.edit_host(host_name, target_directory=pathToTempDirectory, append_depends=group_name)
    # both passwords are hardcoded here (masked in the post): this is what the thread is about
    myWapt.build_upload(pathToTempDirectory, private_key_passwd='***', wapt_server_user='admin', wapt_server_passwd='***')
    return 0
```

Do you understand my problem a little better now? Sorry if it's not clear.

Re: Encrypting your Wapt passwords

Published: July 19, 2018 - 4:34 PM
by sfonteneau
In this case, you need to create a separate Python script that runs as a scheduled task.

Do not put it in a package. Otherwise, we are forced to put the passwords in the package.

Script algorithm:

- Database scan
- For each item, analyze the inventory to determine what needs to be added as a dependency.

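```python
import json
# user, password and urlserver must be set beforehand; wgets comes from the WAPT helper modules
data = json.loads(wgets('https://%s:%s@%s/api/v1/hosts?columns=host_certificate&limit=10000' % (user, password, urlserver)))
for value in data['result']:
    pass  # placeholder ("blabalba" in the post): analyze this host's inventory here
```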
- Edit the machine package.
- Add dependencies
- Upload the machine package.

```python
# machine: name of the host package being edited
myWapt = Wapt(config_filename=makepath(r'C:\Users\Administrateur\AppData\Local\waptconsole\waptconsole.ini'))
tmpdir = 'c:/dummy'
myWapt.edit_host(machine, target_directory=tmpdir, append_depends='tis-firefox')
# build and upload the directory that edit_host just wrote (the post passed r'c:\waptdev\test' here)
myWapt.build_upload(tmpdir, private_key_passwd=ur'passwordkey', wapt_server_user='admin', wapt_server_passwd=ur'passwordserver')
```

Re: Encrypting your Wapt passwords

Published: July 19, 2018 - 9:26 PM
by vcardon
louisinger wrote: Jul 19, 2018 - 8:22 AM In a package named dispatch that allows the automatic installation of GROUP packages.
So I do a build-upload in the script after editing my host package. That's why my password ended up in a package.
Simon, you answered perfectly.

I'm adding another layer to ensure that those who use WAPT NEVER put their passwords in a package, neither in Community nor in Enterprise.

Indeed, in WAPT's security model, packages are not a sensitive asset in the cybersecurity sense.

If you put your key password and your server password in your package and your package is retrieved by an unauthorized and malicious entity, then it will control your network.

A post-mortem audit by a security auditor will prove beyond a doubt that your signature was used to deploy the malware, and you will have a very difficult time proving that you did not intentionally cause the damage. Indeed, the WAPT documentation is clear, explicit, and unambiguous on this point.

In the best-case scenario, you will only have to find a new job burdened by your new reputation; otherwise, you will have to find a good lawyer if your mistake has caused an accident with irreparable material, financial, or human consequences.

So, a word to the wise.

Vincent
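
A pre-upload check for the mistake discussed in this thread, as an added example that is not part of any post and is not WAPT code. It assumes Python 3 and that a package can be opened as a zip archive; the function names and the sample inputs are constructed for illustration, and only the two keyword names come from the code posted above.

```python
import ast
import io
import zipfile
# Keyword arguments from this thread that carry secrets.
SECRET_KWARGS = {"private_key_passwd", "wapt_server_passwd"}

def find_hardcoded_secrets(source, filename="setup.py"):
    """Return (file, line, kwarg) for each secret kwarg set to a string literal."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        # Python 2-only syntax (ur'...') fails to parse: report it for manual review.
        return [(filename, exc.lineno or 0, "unparseable")]
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            value = kw.value
            if (kw.arg in SECRET_KWARGS and isinstance(value, ast.Constant)
                    and isinstance(value.value, str) and value.value):
                findings.append((filename, value.lineno, kw.arg))
    return sorted(findings)

def scan_package(package_bytes):
    """Scan every .py member of a package, treated here as a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".py"):
                text = pkg.read(name).decode("utf-8", errors="replace")
                findings += find_hardcoded_secrets(text, name)
    return findings

def build_sample(setup_source):
    """Build an in-memory sample package holding one constructed setup.py."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("setup.py", setup_source)
    return buf.getvalue()

# Constructed inputs: literal passwords, passwords from variables, Python 2 syntax.
BAD = 'w.build_upload(d, private_key_passwd="pw1", wapt_server_passwd="pw2")\n'
GOOD = 'w.build_upload(d, private_key_passwd=key_pw, wapt_server_passwd=srv_pw)\n'
PY2 = "w.build_upload(d, private_key_passwd=ur'pw1')\n"
if __name__ == "__main__":
    for sample in (BAD, GOOD, PY2):
        print(scan_package(build_sample(sample)))
```

A file that cannot be parsed is reported rather than skipped, so a Python 2 `setup.py` still gets a human look before upload.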

Re: Encrypting your Wapt passwords

Published: July 20, 2018 - 08:16
by louisinger
sfonteneau wrote: July 19, 2018 - 4:34 PM In this case, you need to create a separate Python script that runs as a scheduled task.

Do not put it in a package. Otherwise, we are forced to put the passwords in the package.

Script algorithm:

- Database scan
- For each item, analyze the inventory to determine what needs to be added as a dependency.

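```python
import json
# user, password and urlserver must be set beforehand; wgets comes from the WAPT helper modules
data = json.loads(wgets('https://%s:%s@%s/api/v1/hosts?columns=host_certificate&limit=10000' % (user, password, urlserver)))
for value in data['result']:
    pass  # placeholder ("blabalba" in the post): analyze this host's inventory here
```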
- Edit the machine package.
- Add dependencies
- Upload the machine package.

```python
# machine: name of the host package being edited
myWapt = Wapt(config_filename=makepath(r'C:\Users\Administrateur\AppData\Local\waptconsole\waptconsole.ini'))
tmpdir = 'c:/dummy'
myWapt.edit_host(machine, target_directory=tmpdir, append_depends='tis-firefox')
# build and upload the directory that edit_host just wrote (the post passed r'c:\waptdev\test' here)
myWapt.build_upload(tmpdir, private_key_passwd=ur'passwordkey', wapt_server_user='admin', wapt_server_passwd=ur'passwordserver')
```

So it will be a script! However, the same problem remains: my password is hardcoded. I think at the beginning of the script I'll ask the user for both passwords.

@vcardon I understand the risk of hardcoding a password in a package. That's why I came to ask for an alternative, but thank you for your warning.

Re: [SOLVED] Encrypting your Wapt passwords

Published: July 20, 2018 - 09:31
by sfonteneau
FYI

```python
import waptguihelper
from setuphelpers import *

# read the server URL and the personal certificate path from the local WAPT configuration
urlserver = inifile_readstring(makepath(install_location('WAPT_is1'), 'wapt-get.ini'), 'global', 'wapt_server')
mycrt = inifile_readstring(makepath(user_local_appdata(), 'waptconsole', 'waptconsole.ini'), 'global', 'personal_certificate_path')

# prompt for the secrets at run time instead of storing them in the script
passwordkey = waptguihelper.key_password_dialog('Password for private key', mycrt, '')
credentials_url = waptguihelper.login_password_dialog('Credentials for wapt server', urlserver, 'admin', '')

# printed only to show which keys the dialogs return
print(passwordkey['keypassword'])
print(credentials_url['user'])
print(credentials_url['password'])
```


Re: [SOLVED] Encrypting your Wapt passwords

Published: July 20, 2018 - 10:02 AM
by louisinger
sfonteneau wrote: FYI

```python
import waptguihelper
from setuphelpers import *

# read the server URL and the personal certificate path from the local WAPT configuration
urlserver = inifile_readstring(makepath(install_location('WAPT_is1'), 'wapt-get.ini'), 'global', 'wapt_server')
mycrt = inifile_readstring(makepath(user_local_appdata(), 'waptconsole', 'waptconsole.ini'), 'global', 'personal_certificate_path')

# prompt for the secrets at run time instead of storing them in the script
passwordkey = waptguihelper.key_password_dialog('Password for private key', mycrt, '')
credentials_url = waptguihelper.login_password_dialog('Credentials for wapt server', urlserver, 'admin', '')

# printed only to show which keys the dialogs return
print(passwordkey['keypassword'])
print(credentials_url['user'])
print(credentials_url['password'])
```

Unable to find the waptguihelper module :/