
How to allow for execution of specific commands without revealing the Config user password

Novell Cool Solutions: Tip
By Oscar Forero


Posted: 9 Dec 2005
 

Problem:

iChain supports only two users that can access the configuration console: "config", which can do everything, and a second user that is only allowed to view parameters. The problem arises when somebody needs more granularity to administer iChain, for example when you want to allow your HTML developers to purge the cache but nothing else.

iChain does allow you to execute a command by uploading a file over FTP, but again only the config user is allowed to write there.

Here is a small Java program that lets you give someone the ability to execute a given command without revealing the config user's password.

Solution:

First, write a Java class to encrypt the config password (see the Cypher class in the example below).

I recommend using Eclipse and the Fat-jar plug-in to build a jar file that you can use with the following syntax:

java -jar Cypher.jar <password> <file>

The next step is to create a Java application that reads the password file and connects to an iChain server to execute the needed command, in our case purging the cache.

The first step is to get an FTP library for Java. I think an easy one to use is edtFTPj; please take a look at: http://www.enterprisedt.com/products/edtftpj/overview.html

Next, create a project with the following class as its main class (see the PurgeCache class in the example below):

Again, use Eclipse and the Fat-jar plug-in to create a single jar file that you can run like this:

java -jar PurgeCache.jar <iChain-ip> config <pwd-file>

Please do not forget to change the "MyEncriptionKey" string to something more complicated. This way you can allow somebody to execute some iChain administration tasks without giving away the clear-text password for the config user.

EXAMPLE:

package com.novell.support.iChain;

import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Encrypts the config password given on the command line with Blowfish and
 * writes the raw ciphertext to a file that PurgeCache reads later.
 *
 * Usage: java -jar Cypher.jar <password> <file>
 */
public class Cypher {

	public static void main(String[] args) {
		if (args.length != 2) {
			System.err.println("usage: java -jar Cypher.jar <password> <file>");
			System.exit(1);
		}
		try {
			// Change "MyEncriptionKey" to your own key; PurgeCache must use the same one.
			Cipher c = Cipher.getInstance("Blowfish");
			Key key = new SecretKeySpec("MyEncriptionKey".getBytes("UTF-8"), "Blowfish");
			c.init(Cipher.ENCRYPT_MODE, key);

			// Encode with a fixed charset so PurgeCache decodes exactly the bytes
			// that were encrypted, independent of the platform default.
			byte[] cipherText = c.doFinal(args[0].getBytes("UTF-8"));

			FileOutputStream pwdFile = new FileOutputStream(args[1]);
			try {
				pwdFile.write(cipherText);
				pwdFile.flush();
			} finally {
				pwdFile.close();
			}
		} catch (GeneralSecurityException e) {
			// Covers the InvalidKey, NoSuchAlgorithm, NoSuchPadding,
			// IllegalBlockSize and BadPadding exceptions thrown by the JCE calls.
			e.printStackTrace();
		} catch (IOException e) {
			e.printStackTrace();
		}
	}

}

////////////////////
package com.novell.support.iChain;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

import com.enterprisedt.net.ftp.FTPClient;
import com.enterprisedt.net.ftp.FTPException;

/**
 * Reads the encrypted password file written by Cypher, decrypts it and logs
 * in to the iChain FTP server to upload the command file that purges the cache.
 *
 * Usage: java -jar PurgeCache.jar <iChain-ip> config <pwd-file>
 */
public class PurgeCache {

	public static void main(String[] args) {
		if (args.length != 3) {
			System.err.println("usage: java -jar PurgeCache.jar <iChain-ip> config <pwd-file>");
			System.exit(1);
		}
		FTPClient f = new FTPClient();
		try {
			// Read the whole password file into memory.
			FileInputStream pwdFileIn = new FileInputStream(args[2]);
			ByteArrayOutputStream pwd = new ByteArrayOutputStream();
			try {
				int i = pwdFileIn.read();
				while (i != -1) {
					pwd.write(i);
					i = pwdFileIn.read();
				}
			} finally {
				pwdFileIn.close();
			}

			// Decrypt with the same key and charset Cypher used. The result is
			// not printed: the whole point of this tool is that the config
			// password stays hidden from the person running it.
			Cipher c2 = Cipher.getInstance("Blowfish");
			Key key2 = new SecretKeySpec("MyEncriptionKey".getBytes("UTF-8"), "Blowfish");
			c2.init(Cipher.DECRYPT_MODE, key2);
			byte[] decipherText = c2.doFinal(pwd.toByteArray());
			String password = new String(decipherText, "UTF-8");

			// Log in as the config user and upload the command file that iChain executes.
			f.setRemoteHost(args[0]);
			f.connect();
			f.login(args[1], password);
			f.put("purgecache".getBytes(), "purge.nas,execute");
			f.quit();
		} catch (FTPException e) {
			e.printStackTrace();
		} catch (IOException e) {
			e.printStackTrace();
		} catch (GeneralSecurityException e) {
			// Covers the JCE exceptions from Cipher.getInstance, init and doFinal.
			e.printStackTrace();
		}
	}

}
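Added example (editor's code, not part of the original tip or of iChain): the same Blowfish password file, reworked so that the key is read from a separate file instead of being compiled into the jar, using CBC mode with a fresh random IV stored in front of the ciphertext, and never echoing the recovered password. The class name PwdFile, the key-file layout (16 to 56 raw bytes) and the IV-prefixed file format are assumptions of this example; it only helps if the person running the jar cannot read the key file, because with a key compiled into the jar anyone holding the jar can recover the password exactly the way PurgeCache does.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the original tip: key from a separate file,
// Blowfish/CBC with a random IV prepended to the ciphertext, password never printed.
public class PwdFile {
	private static final String TRANSFORM = "Blowfish/CBC/PKCS5Padding";
	private static final int IV_LEN = 8; // Blowfish block size in bytes

	// Key file holds raw random bytes and is readable only by the admin account (assumption).
	static SecretKeySpec loadKey(Path keyPath) throws IOException {
		byte[] k = Files.readAllBytes(keyPath);
		if (k.length < 16 || k.length > 56) throw new IOException("key file must hold 16..56 bytes");
		return new SecretKeySpec(k, "Blowfish");
	}

	// Encrypts the password and writes IV || ciphertext to pwdPath.
	static void encryptToFile(char[] password, Path keyPath, Path pwdPath) throws IOException, GeneralSecurityException {
		byte[] iv = new byte[IV_LEN];
		new SecureRandom().nextBytes(iv); // fresh IV per file, so equal passwords give different files
		Cipher c = Cipher.getInstance(TRANSFORM);
		c.init(Cipher.ENCRYPT_MODE, loadKey(keyPath), new IvParameterSpec(iv));
		byte[] plain = new String(password).getBytes(StandardCharsets.UTF_8);
		byte[] ct = c.doFinal(plain);
		Arrays.fill(plain, (byte) 0); // do not keep the clear text around longer than needed
		byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
		System.arraycopy(ct, 0, out, IV_LEN, ct.length);
		Files.write(pwdPath, out);
	}

	// Reads IV || ciphertext and returns the password; the caller passes it to login() and clears it.
	static char[] decryptFromFile(Path keyPath, Path pwdPath) throws IOException, GeneralSecurityException {
		byte[] in = Files.readAllBytes(pwdPath);
		if (in.length <= IV_LEN) throw new IOException("password file too short");
		Cipher c = Cipher.getInstance(TRANSFORM);
		c.init(Cipher.DECRYPT_MODE, loadKey(keyPath), new IvParameterSpec(in, 0, IV_LEN));
		byte[] plain = c.doFinal(in, IV_LEN, in.length - IV_LEN);
		char[] pw = new String(plain, StandardCharsets.UTF_8).toCharArray();
		Arrays.fill(plain, (byte) 0);
		return pw;
	}
}
```

In this variant Cypher's main would call encryptToFile with a password read from the console rather than from argv, and PurgeCache would hand new String(decryptFromFile(...)) straight to login() and then clear the array.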


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell