How to perform a cyberarkpassword lookup for all hosts in an inventory group and write the keys out to individual pem files?

Ansible version 2.7.9

I’m writing an Ansible playbook to deploy a piece of software to a Linux environment. SSH access to these systems is protected by a CPM (CyberArk), used as an SSH key manager.

I’ve got most of the logic figured out, save for one piece. The playbook needs to loop through the hosts in an inventory group, look up the SSH private key in CyberArk for each host, and then use each key to SSH into each host in the inventory group to install the software. I’m struggling with how to make that work in Ansible.

I’ve read through the add_host and cyberarkpassword documentation, as well as about 4 hours’ worth of searching Stack Overflow and blogs, and couldn’t find a single example even close to what I’m trying to do.

As far as how I think it should work:

  • Using the cyberarkpassword lookup module, loop through the hosts in the inventory group specified by {{ env }}. The value for this will be passed in through --extra-vars.
  • Retrieve the SSH private key for each host.
  • Register the output from the lookup and copy it to disk, again looping through each host, naming the file {{ inventory_hostname }}.pem.
  • Finally, to consume it in the next play, set a variable ansible_ssh_common_args: "-o StrictHostKeyChecking=no -i {{ deploy_temp_dir }}/keys/{{ inventory_hostname }}.pem"

But I can’t figure out how to put the loop-lookup-write to disk piece together.

Sample inventory file

[local]
localhost

[local:vars]
ansible_connection=local

[corp:children]
corp-onprem-dev
corp-onprem-stage
corp-onprem-prod
corp-cloud-dev
corp-cloud-stage
corp-cloud-dev

[corp-onprem-dev]
host1
host2
host3

[corp-onprem-stage]
host1
host2
host3

[corp-onprem-prod]
host1
host2
host3

[corp-cloud-dev]

[corp-cloud-stage]

[corp-cloud-prod]

deploy.yml — this code does not work, just my attempt at figuring it out.

- name: retrieve ssh keys for hosts in the specified group, and write them to disk
  hosts: local
  gather_facts: no
  tasks:
    - name: lookup ssh private key for each host
      debug: msg={{ lookup("cyberarkpassword", cyquery)}}
      vars:
        cyquery:
          appid: 'myapp'
          query: 'Safe=mysafe;Folder=Root;Object={{ env[0] }}'
          output: 'Password'
      loop: groups['{{ env }}']
      register: sshkeys

    - name: Copy ssh key to disk
      copy:
        content: "{{ sshkeys }}"
        dest: "{{ deploy_temp_dir }}/keys/{{ env[0] }}.pem"
        mode: 0600
      loop: {{ env }}
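One way to put the loop-lookup-write step together, as an added example that is not the original poster’s playbook. The lookup plugin runs on the controller, so the per-host loop belongs in a localhost play with `item` (not `env[0]`) naming the current host; each iteration calls the lookup and writes the result straight to `<hostname>.pem`, so no `register` is needed. The second play then consumes the files through `ansible_ssh_private_key_file`. Assumptions, all labelled in the comments: `env` and `deploy_temp_dir` arrive via `--extra-vars`; the CyberArk object holding each host’s key is named after the inventory host; and, per the cyberarkpassword documentation, the lookup returns a one-element list of dicts keyed by the lowercased output name, so `password` carries the key material (confirm this once with a `debug` task before relying on it).

```yaml
# Added example, not the original poster's code. Assumptions:
# - `env` and `deploy_temp_dir` are passed on the command line, e.g.
#   ansible-playbook deploy.yml -i hosts -e "env=corp-onprem-dev deploy_temp_dir=/tmp/deploy"
# - the CyberArk object holding each host's key is named after the inventory host
# - for output: 'Password' the lookup returns [ { 'password': '<PEM private key>' } ]
- name: Retrieve per-host SSH keys from CyberArk and write them to disk
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Create the key directory with owner-only permissions
      file:
        path: "{{ deploy_temp_dir }}/keys"
        state: directory
        mode: '0700'

    - name: Fetch each host's private key and write it to <hostname>.pem
      copy:
        # The lookup executes here on the controller, once per host in the group.
        content: "{{ lookup('cyberarkpassword', cyquery, wantlist=True)[0].password }}"
        dest: "{{ deploy_temp_dir }}/keys/{{ item }}.pem"
        mode: '0600'
      vars:
        cyquery:
          appid: 'myapp'
          query: "Safe=mysafe;Folder=Root;Object={{ item }}"
          output: 'Password'
      loop: "{{ groups[env] }}"
      # Keep the key material out of the console output and any log files.
      no_log: true

- name: Deploy the software using the retrieved keys
  hosts: "{{ env }}"
  gather_facts: no
  vars:
    # Each host picks up its own key file by inventory_hostname.
    ansible_ssh_private_key_file: "{{ deploy_temp_dir }}/keys/{{ inventory_hostname }}.pem"
  tasks:
    - name: Verify the host is reachable with its key before installing anything
      ping:

- name: Remove the temporary keys from the controller
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Delete the key directory
      file:
        path: "{{ deploy_temp_dir }}/keys"
        state: absent
```

Two practical points. `ansible_ssh_private_key_file` does the job of the `-i` in the original `ansible_ssh_common_args`, so the common-args variable only needs to exist if other options are required; `-o StrictHostKeyChecking=no` in particular removes the one protection SSH has against a man-in-the-middle on the first connection, so prefer distributing the hosts’ keys to the controller’s known_hosts instead. If the `[local]` group with `ansible_connection=local` from the inventory is preferred over the implicit `localhost`, replace `hosts: localhost` / `connection: local` with `hosts: local`.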

How does mbedtls RSA work when using raw keys and input for PK encryption?

I am trying to get mbedtls RSA to work on x86. I have test data obtained from an online RSA calculator, and I want to feed raw memory into RSA to encrypt the data.

I am making the following calls:

// verified no errors by stepping
mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V15, 0);
mbedtls_rsa_import_raw(&rsa, publicKey, dataLength,
                       NULL, 0, NULL, 0, NULL, 0, exponent, exponentSize);
mbedtls_rsa_complete(&rsa);
mbedtls_rsa_public(&rsa, input, output);
mbedtls_rsa_free(&rsa);

I am passing in public key modulus as verified by multiple online calculators, exponent of 0x010001. I’ve been experimenting with different dataLength values, with the latest test being 96 bytes.

It produces output, but not correct output. If I compare to BCrypt on Windows for example, BCrypt will produce the expected output.

I find an interesting failure – if I reverse the byte order of input, I’ll get a failure, MBEDTLS_ERR_MPI_BAD_INPUT_DATA.

So clearly I don’t understand the mbed APIs, because input should be allowed to be any data. I would only expect an error if I had exponent inconsistent with modulus.

Anyone familiar with these APIs who can give me advice?
Generate & secure private keys in a private network

I have seen a recent mobile authentication solution where a private key is generated and kept securely in a Secure Enclave/TrustZone and the public key is sent to an authentication server in the cloud. During user authentication, the private key is used to sign a message which can only be verified by the paired public key held by the authentication server.

Based on the above concept, is it a good idea to generate cryptographic keys for each user, save the private key in a secure private network somewhere in a directory or database, and use that to verify the identity of a user on an authentication server which is in the cloud?

Additional context: User details are in a private network and auth server is on cloud.

Has 3 iOS Distribution certificates but their private keys are not installed

Hi. When I try to generate a file so I can update my app on the App Store, I go to Validate App in Xcode 10 and run into this problem. The Mac was recently formatted and there was no way to make a backup. As in the image below, I would like to know a solution to my problem. I would also like to know whether, regardless of the answer, I will be able to update my apps on the App Store.

Storing users’ private keys to clone git repositories on their behalf

Let’s say I have a multi-user application deployed in a customer’s data center that needs to clone/update git repositories – both “interactively” when a user is creating a new project (which consists of 1-N git repositories) and “in the background” when the app is updating those projects and running analyses on them.

The way I’m doing it right now is that admins will configure git with proper ssh key on the machine where the app is installed and the key is then used automatically by git to do all the required clone/pull operations.

However, there’s a problem with the aforementioned approach: in some configurations, not all users of the application are supposed to have access to all projects/repositories. But (since the git SSH key is “shared”) they can clone all the repositories that are accessible using the key (assuming they know the URL of a repository) even though they wouldn’t be able to access such repositories normally.

To fix this, I’d need to make sure that users are only able to clone repositories to which they really do have access. I can only think of two possible solutions:

  1. Build a proper integration with all possible Git providers (GitHub, GitLab, Bitbucket, Team Foundation Server, etc.) and authenticate users via these providers APIs. Then store users’ access tokens and use them to perform git operations (via HTTPS-like git URLs).
  2. Require each user (capable of creating a new project) upload their private ssh key which will be used to perform all git operations for all projects they create.

Option 1 sounds really complex and isn’t really compatible with the current design and existing installations. And not all git providers (including custom git servers) may give us proper authentication options via “access tokens”.

Option 2 means that we’d need to get ssh keys for all users capable of creating a new project and then store those ssh keys somewhere (possibly in a database).
This sounds bad. I’ve read two related questions (How to securely store users' private keys? and Storing User's Private Keys in DB) and it only confirms my worries.
Is this still a reasonable approach to follow in our case or should we avoid it by all means? Any other options we could use or extra preventive measures we should implement? (remember the app won’t be installed on our servers so the things we can do on that level are limited)

Side note: One other option we thought of would be to make users use “Basic” authentication with git, that is specify git clone URLs like https://user:token@github.com/org/repo. However, we don’t like this as much since it’s still difficult to manage and users have to enter credentials in plaintext (this already proved to be easy-to-leak). It’s, however, a zero-effort on our side so it’s appealing from that point of view :).

Apple Wireless Keyboard on Windows PC – How to make FN and Eject keys work?

I have an Apple Wireless Keyboard (A1255, from 2007, US English layout) and I want to use it on a non-Apple Windows PC. But I have two problems.

First, Windows does not detect when “fn” or Eject is pressed. Second, I want to rebind/swap these keys: “fn” to Control (and left Control to “fn”) and Eject to Delete. I installed Boot Camp on my machine but it has not changed anything.

Thanks for any help.

How to correctly setup Crashlytics in iOS app with own framework in order to get logs and keys from the framework?

I have an Xcode project in which the data layer is separated into a framework so that it can be shared between the main iOS app and the Today extension. I have followed the general setup instructions here and the instructions for multiple targets here. I do get crash reports from both the app and the data framework. However, in the crash report I find only logs (CLSLog(@"Bla bla")) and keys ([CrashlyticsKit setObjectValue:@"value" forKey:@"key"]) from the main app. Logs and keys from the data framework are not recorded in the crash report even though I have verified that the code passes through them. As a simple example: the user logs in and I set the user identifier from the data framework; then a crash happens in the app, and in the crash report there is no user identifier.

I have seen this topic in which the recommendation is to not include Crashlytics in a framework that is intended to be distributed as a third party library. This is not a concern in my case and it also hints at the possibility of including Crashlytics both in the app and framework.

So my questions are:

  1. Is it possible at all to get crash reports with logging and keys from both the main app and the framework?
  2. If yes – what is the correct setup?

Which KEK can wrap AES, RSA and ECDSA keys securely?

If I have AES256, RSA4K and ECDSA-512 keys as CEKs which I need to store securely, what KEK can I use to wrap these securely without reducing the bit strength? I am aware that an AES256 key can wrap RSA4K without reducing the bit strength (RFC 3394 and 5649). Can an AES256 key wrap another AES256 key securely? Is the same true for wrapping an ECDSA-512 key with AES as well? Is there an RFC standard?