Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Zanzibar is a utility to retrieve secrets from a Secret Server installation. It supports retrieval of a password, public/private key, or secret attachment.
Add this line to your application's Gemfile:

```ruby
gem 'zanzibar'
```

And then execute:

```shell
$ bundle
```

Or install it yourself as:

```shell
$ gem install zanzibar
```
In your Ruby project, Rakefile, etc., create a new Zanzibar object. The constructor takes a hash of optional parameters: the WSDL location, the domain of the Secret Server, a hash of global variables to pass to Savon (necessary on Windows environments with self-signed certificates), and a password for the current user (intended to be supplied through some encryption method, unless you really want a plaintext password there). All of these parameters are optional; the user will be prompted for any that are missing.

```ruby
my_object = Zanzibar::Zanzibar.new(:domain => 'my.domain.net', :wsdl => 'my.scrt.srvr.com/webservices/sswebservice.asmx?wsdl', :pwd => get_encrypted_password_from_somewhere)
```
Example:

```ruby
require 'zanzibar'

## Constructor takes a hash as argument, all keys optional: :domain, :wsdl, :pwd, :globals
secrets = Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl")

# On Windows with self-signed certs, disable certificate verification via the Savon globals:
# Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl", :globals => {:ssl_verify_mode => :none})

## Simple password -> takes the secret id as argument
secrets.get_password(1234)

## Private Key -> takes a hash as argument, requires :scrt_id, :type; optional :scrt_item_id, :path
secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Private Key")

## Public Key -> takes a hash as argument, requires :scrt_id, :type; optional :scrt_item_id, :path
secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Public Key")

## Attachment (only supports secrets with a single attachment) -> takes a hash as argument, requires :scrt_id, :type; optional :scrt_item_id, :path
secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "Attachment")
```
Zanzibar has several ways of finding Secret Server credentials. It will use credentials discovered in this order:

1. Passed explicitly to the constructor: `Zanzibar::Zanzibar.new(:username=>'auser', :password=>'itsmyPassword')`
2. If the environment variable `ZANZIBAR_USER` exists, it will use that.
3. The `USER` environment variable.
4. If the environment variable `ZANZIBAR_PASSWORD` exists, it will use that.

Zanzibar comes bundled with the `zanzibar` command-line utility, which can be used for fetching passwords and downloading keys from outside of Ruby scripts. `zanzibar` supports most actions provided by Zanzibar itself. Because it operates on the command line, it can be used as part of a pipeline or within a bash script.
```shell
# if ZANZIBAR_PASSWORD is not set, you will be prompted to enter your password.
# this will download the private key from secret 1984 to the current directory
$ ZANZIBAR_PASSWORD=`gpg -d secretpasswd.txt.gpg` zanzibar get 1984 -s server.example.com -d example.com -f "Private Key"
$ ssh user@someremote -i ./private_key
```
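The credential lookup order described above (the `ZANZIBAR_PASSWORD` path is the one the command just shown relies on), written out as an added example that is not part of the gem's own code. It assumes the constructor keys `:username` and `:password` from the list above, takes the environment as an injected hash so it can be exercised without touching the real `ENV`, and returns the source of each value so a caller can log where credentials came from without logging the password itself.

```ruby
# Credential precedence as listed in this README: constructor options win, then the
# ZANZIBAR_* environment variables, then USER for the username and an interactive
# prompt for the password. `prompt` is only invoked when nothing else supplied a
# password. (Assumption: option keys :username / :password as in the README's list.)
def resolve_credentials(opts, env = ENV, prompt: -> { $stdin.gets.to_s.chomp })
  username, user_src =
    if opts[:username]         then [opts[:username], :constructor]
    elsif env['ZANZIBAR_USER'] then [env['ZANZIBAR_USER'], :ZANZIBAR_USER]
    else                            [env['USER'], :USER]
    end
  password, pwd_src =
    if opts[:password]             then [opts[:password], :constructor]
    elsif env['ZANZIBAR_PASSWORD'] then [env['ZANZIBAR_PASSWORD'], :ZANZIBAR_PASSWORD]
    else                                [prompt.call, :prompt]
    end
  { username: username, username_source: user_src,
    password: password, password_source: pwd_src }
end

# Audit-friendly summary: reports the sources only, never the secret value.
def credential_sources(creds)
  "user from #{creds[:username_source]}, password from #{creds[:password_source]}"
end
```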
The `zanzibar` command can also perform bundler-like actions. Running `zanzibar init` will generate a `Zanzifile` in the current directory. Information about Secret Server and the secret files to be downloaded can be added here. Then `zanzibar bundle` will try to download the secrets named in the file.

When it downloads a file, it gets added to `Zanzifile.resolved`. The next time `zanzibar bundle` is run, if the file exists and its hash matches the one in the resolved file, it will not attempt to re-download. `zanzibar update` will attempt to re-download all secrets.

Subdirectories under the root directory `secret_dir` can be created for individual keys by specifying a `prefix` path for that secret. Otherwise secrets are downloaded to the root `secret_dir` directory.

Note: `zanzibar get` can fetch passwords or files, but `zanzibar bundle` can only operate on secret files.
Sample `Zanzifile`:

```yaml
---
settings:
  wsdl: my.scrt.srvr.com/webservices/sswebservice.asmx?wsdl
  domain: my.domain.net
  secret_dir: secrets/
  ignore_ssl: true
secrets:
  ssh_key:
    id: 249
    label: Private Key
    prefix: ssh/
  encryption_key:
    id: 483
    label: Attachment
  cert_pem:
    id: 123
    label: Certificate
  cert_key:
    id: 986
    label: Misc Attachment
```
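The skip-or-refetch decision that `zanzibar bundle` makes against `Zanzifile.resolved`, as an added example that is not the gem's own implementation. It uses a trimmed copy of the sample Zanzifile above, and assumes two things the README does not spell out: that the downloaded file is named after the secret's key in the Zanzifile, and that `Zanzifile.resolved` maps secret name to a SHA-256 hex digest.

```ruby
require 'yaml'
require 'digest'
require 'fileutils'
require 'tmpdir'

# Constructed sample Zanzifile with the same shape as the one in this README.
ZANZIFILE = <<~YAML
  settings:
    secret_dir: secrets/
  secrets:
    ssh_key:
      id: 249
      label: Private Key
      prefix: ssh/
    encryption_key:
      id: 483
      label: Attachment
YAML

# Where a named secret lands on disk: secret_dir, then its optional prefix.
# Assumption: the downloaded file is named after the secret's key in the Zanzifile.
def secret_path(root, settings, name, spec)
  File.join(*[root, settings['secret_dir'], spec['prefix'], name].compact)
end

# The skip check described above: a secret is left alone only when its file
# exists AND its current digest equals the one recorded in Zanzifile.resolved
# (assumed here to map secret name => SHA-256 hex digest). Anything missing,
# modified or unrecorded is reported as pending, so a tampered key is re-fetched.
def pending_secrets(zanzifile_yaml, resolved, root)
  doc = YAML.safe_load(zanzifile_yaml)
  doc['secrets'].reject do |name, spec|
    path = secret_path(root, doc['settings'], name, spec)
    File.file?(path) && Digest::SHA256.file(path).hexdigest == resolved[name]
  end.keys
end

# Stand-alone walkthrough on a scratch directory with constructed key material:
# record ssh_key as resolved, then tamper with it and re-run the check.
def demo
  Dir.mktmpdir do |root|
    key = File.join(root, 'secrets', 'ssh', 'ssh_key')
    FileUtils.mkdir_p(File.dirname(key))
    File.write(key, "constructed private key material\n")
    resolved = { 'ssh_key' => Digest::SHA256.file(key).hexdigest }
    before = pending_secrets(ZANZIFILE, resolved, root)  # ["encryption_key"]
    File.write(key, "tampered\n")
    after = pending_secrets(ZANZIFILE, resolved, root)   # ["ssh_key", "encryption_key"]
    [before, after]
  end
end
```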
Run `zanzibar help` or `zanzibar help [command]` for more information.
To contribute, create a feature branch, commit your changes, and push the branch:

```shell
git checkout -b my-new-feature
git commit -am 'Add some feature'
git push origin my-new-feature
```