I'm using the Python requests library to make a call to an API that requires Windows Authentication. In C# I have always used the Directory Services, which has allowed me to avoid putting passwords in any of my code or configurations. From what I have found online, it seems that my only option in Python is to have a password somewhere. I have a service account that I will use, but I need to store the password securely. What is the best way to securely store and retrieve a service account password in Python without hard coding plain text?
The code that I am currently using is below. I have the username and password stored in plain text in my configuration:
auth = HttpNtlmAuth(
config.ServiceAccount["Username"],
config.ServiceAccount["Password"]
)
content = requests.post(call_string, json=parameters, auth=auth)
Edit: I should mention that this will not be a user-facing application. It will run as a batch job. So there will not be any way for a user to enter the username/password while running the application.
You could just not store the password at all and require the user to provide the password at runtime
import getpass
user = getpass.getuser()
password = getpass.getpass()
Otherwise, you could do something similar to git and just have the user store their password in plaintext in a config file in their home directory that you then read at runtime.
I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:
from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()
content = requests.post(call_string, json=parameters, auth=auth)
Related
My system is connected to Active Directory and I can query it by binding using a username and password.
I noticed that I am also able to query it without explicitly providing a username and password, when using ADO or ADSDSOObject Provider (tried in Java/Python/VBA).
I would like to understand how the authentication is done in this case.
Example of first case where username and password is explicitly needed:
import ldap3
from ldap3.extend.microsoft.addMembersToGroups import ad_add_members_to_groups as addUsersInGroups
server = Server('172.16.10.50', port=636, use_ssl=True)
conn = Connection(server, 'CN=ldap_bind_account,OU=1_Service_Accounts,OU=0_Users,DC=TG,DC=LOCAL','Passw0rds123!',auto_bind=True)
print(conn)
Example of second case where no username and password is explicitly needed:
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = "SELECT Name FROM 'LDAP://DC=mydomain,DC=com' WHERE objectClass = 'Computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
I tried to look at the source code of the libraries but was not able to understand what is being done.
In the second case, it's using the credentials of the account running the program, or it could even be using the computer account (every computer joined to the domain has an account on the domain, with a password that no person ever sees).
Python's ldap3 package doesn't automatically do that, however, it appears there may be way to make it work without specifying credentials, using Kerberos authentication. For example, from this issue:
I know that, for GSSAPI and GSS-SPNEGO, if you specify "authentication=SASL, sasl_mechanism=GSSAPI" (or spnego as needed) in your connection, then you don't need to specify user/password at all.
And there's also this StackOverflow question on the same topic: Passwordless Python LDAP3 authentication from Windows client
How can I pass a password to my python script when it prompts for a password. I do not want the user to enter the password when it prompts. It should be passed directly from the script.
subprocess.run(['ansible-vault', 'decrypt', 'main.yml', 'linux.yml','--ask-vault-pass'])
While running the script it prompts for the password. I want the password to be passed from script only not by the user or passing a password file.
Is there a way to pass the password here? I have other ansible vault option like vault-password etc but that doesn't serve my purpose.
Instead of using the cmdline ansible-vault, you can use the Python package - ansible-vault which will allow you to hardcode the password inside the script itself:
from ansible_vault import Vault
vault = Vault('password')
main_data = vault.load(open('main.yml').read())
linux_data = vault.load(open('linux.yaml').read())
As you are hardcoding the password inside the code, ensure you don't commit this code anywhere or send it to anyone, it's a serious security risk.
I'm trying to get all project list from bit bucket, using username and app password. But getting 401 error.
I'm using atlasian python library for client connection, and below is the code.
bitbucket = Bitbucket(url='https://api.bitbucket.org',username="",password="")
data = bitbucket.project_list()
for data in data:
print(data)
Even tried with bitbucket user name and password still same.
Is there any way to generate key or something which can be used all the time not like oauth as it has expiration time.
You need to use App passwords as mentioned here
Using an app password
An app password is a substitute password for your user account, when authenticating with Bitbucket:
your Bitbucket username (not email) which can be found in the settings
the app password
I am attempting to create a login tool for my work which will log me in to various sites that log me out after 3 minutes of inactivity. I have gotten it to work on a number of sites, but none have required an MFA token. I currently use Google Authenticator but can also use an email, or a couple different options. How would I go about getting that code programmatically to make my login process much faster? I am using Selenium as I need to use the webpage after I log into it. Here is my code thus far:
def loginsys():
driver = webdriver.Chrome('C:/path/to/chromedriver.exe')
driver.get('https://www.specifiedurl.com/login')
username = driver.find_element_by_id('txtUsername')
password = driver.find_element_by_id('txtPassword')
username.send_keys("myusername")
password.send_keys("mypassword")
driver.find_element_by_name('btnLogin').click()
### This is where I need to do MFA as it will not pull the next page without it
driver.get('https://www.specifiedurl.com/page/after/login')
Thoughts? (Obviously, this is not the url, nor is that my actual username or password)
Check the pyotp library. You can get the MFA key associated with google authentication as shown below.
from pyotp import *
# get the token from google authentication
totp = TOTP("your 16 character security token goes here")
token = totp.now()
print (token)
# now you can use token in your script
I have a script which will log into a STMP server (GMail's) to send an email notification. How can I do this without distributing the password in plain text?
Have the script request the password when running.
Note, I wouldn't advise that it accept the password as a command line argument as this isn't very secure because it will be logged in the command history etc.
You can have the script look for an environmental variable for the password:
import os
password = os.environ['GMAIL_PASSWD']
check if your provider offers an smtp server that doesn't require authentication and use that instead.