Closed ChristofferLB closed 9 months ago
Hi,
The Commander uses configuration file to keep instance/device context. The default location for this file is $HOME/.keeper/config.json
.
If this file is not found or corrupted the Commander creates a new one and the backend starts the full login flow.
It includes
It is essential that the Commander running in unattended mode preserves device configuration stored in the config.json
file.
Please
config.json
file is properly configured (device is approved and 2fa is not asked) params = get_params_from_config("config.json")
params = KeeperParams()
creates a new configuration file that triggers the full login flow.
Hi,
Thanks for the info.
I managed, with your input, to get it working.
Since an Azure runbook doesn't support persistent files I'm adding the necessary file everytime the script runs into a temp directory. Not the best solution, but we need to use a runbook for now.
I first signed in to Keeper using the browser in order to get the necessary config.json data that has gotten a device approval already. This data is then added into the variable "config_file" and then written to disk.
from keepercommander.__main__ import get_params_from_config
config_file = """{
"user": "removed",
"server": "removed",
"clone_code": "removed",
"device_token": "removed",
"private_key": "removed"
}"""
f = open(r"C:\Users\ContainerUser\AppData\Local\Temp\config.json", "w+")
f.write(config_file)
f.close()
params = get_params_from_config(r"C:\Users\ContainerUser\AppData\Local\Temp\config.json")
Hi,
Just a security-related suggestion: In lieu of hard-coding your credentials in the script (which would pose a security-risk if you're using a centralized versioning system like Github that others can view), you might want to take advantage of Azure's credential assets, whose values can be retrieved from w/in your script, as documented here: https://learn.microsoft.com/en-us/azure/automation/shared-resources/credentials?tabs=azure-powershell
In addition, you also have the option (though a possibly less secure one) to store those credential values as input parameters for your Runbook instance and retrieve them in your script, as shown here: https://learn.microsoft.com/en-us/azure/automation/runbook-input-parameters.
On Wed, Dec 20, 2023 at 12:40 AM ChristofferLB @.***> wrote:
Hi,
Thanks for the info.
I managed, with your input, to get it working.
Since an Azure runbook doesn't support persistent files I'm adding the necessary file everytime the script runs into a temp directory. Not the best solution, but we need to use a runbook for now.
I first signed in to Keeper using the browser in order to get the necessary config.json data that has gotten a device approval already. This data is then added into the variable "config_file" and then written to disk.
from keepercommander.main import get_params_from_config config_file = """{ "user": "removed", "server": "removed", "clone_code": "removed", "device_token": "removed", "private_key": "removed" }"""
f = open(r"C:\Users\ContainerUser\AppData\Local\Temp\config.json", "w+") f.write(config_file) f.close()
params = get_params_from_config(r"C:\Users\ContainerUser\AppData\Local\Temp\config.json")
— Reply to this email directly, view it on GitHub https://github.com/Keeper-Security/Commander/issues/1154#issuecomment-1863932790, or unsubscribe https://github.com/notifications/unsubscribe-auth/AZDPG4NNE3YDSN4NOIE27TTYKKB4NAVCNFSM6AAAAABAU4CYPKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNRTHEZTENZZGA . You are receiving this because you are subscribed to this thread.Message ID: @.***>
--
Ayrris Aunario | Senior Software Engineer
Mobile 773.986.1194
This email is confidential and is intended for the recipient(s) addressed herein
Hi again,
Thanks for the suggestion.
I'm was not planning to hardcode any of the sensitive strings, but rather fetch them during runtime using the built-in automation credentials feature.
Just out of curiosity - Which of the strings in the config file would you say is worth fetching instead of hardcoding in the code?
Hi Christoffer,
I would say the following config fields are probably the most sensitive (note - your usage of these fields may vary depending on how you choose to do login authentication) : 1) "device_token" 2) "private_key" 3) "clone_code" 3) "user" 4) "password"
On Tue, Jan 2, 2024 at 8:49 AM ChristofferLB @.***> wrote:
Hi again,
Thanks for the suggestion.
I'm was not planning to hardcode any of the sensitive strings, but rather fetch them during runtime using the built-in automation credentials feature.
Just out of curiosity - Which of the strings in the config file would you say is worth fetching instead of hardcoding in the code?
— Reply to this email directly, view it on GitHub https://github.com/Keeper-Security/Commander/issues/1154#issuecomment-1874120476, or unsubscribe https://github.com/notifications/unsubscribe-auth/AZDPG4LDYSYHHHNWHVFJU23YMQM7NAVCNFSM6AAAAABAU4CYPKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZUGEZDANBXGY . You are receiving this because you commented.Message ID: @.***>
--
Ayrris Aunario | Senior Software Engineer
Mobile 773.986.1194
This email is confidential and is intended for the recipient(s) addressed herein
Hi,
I have a use case where I want to have an automation runbook in Azure creating and sharing records in Keeper. I've tried to integrate with the Keeper Commander modules but keep getting stuck in the login phase, it keeps prompting me for Device Approval in my runbook.
We have a container setup for Device Approval, which works fine. This account is a local account within Keeper and I can login in the web browser (incognito) and using Keeper Commander locally using a master password without getting this Device Approval. When I run the code in my runbook it does prompt me for approval for some reason.
The login code looks like this.
I've tried both with generating params with the class and using a file and also hard-coding the credentials, same result. The code runs fine locally in VS Code and I'm able to sign in without getting prompted for Device Approval. I can see the successful sign in in the "Recent Activity" in the admin console.
The code that generates the approval prompt is most likely:
Can you share some insight why I get this in the runbook and how I can fix it?
Thanks a lot!