API basic auth not working
fishfox last edited by Tom Elliott
Auth via keys is working but not via user & password
christian@SuperDuper$ curl -H 'Content-Type: application/json' 'http://fog.home/fog/task/active' -u api:password -vvv
* Trying 192.168.166.109...
* Connected to fog.home (192.168.166.109) port 80 (#0)
* Server auth using Basic with user 'api'
> GET /fog/task/active HTTP/1.1
> Host: fog.home
> Authorization: Basic YXBpOnBhc3N3b3Jk
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< Date: Thu, 24 May 2018 04:38:01 GMT
< Server: Apache/2.4.33 (Ubuntu)
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000
< Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';connect-src 'self';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Connection: close
< Content-Type: application/json
<
* Closing connection 0
By contrast this works fine:
curl -H 'fog-api-token: MzkyNmQ3MWNkMjNjOTk1MzNiZDU0MzM2MTg3OTQ3MjZiZmI1NjhiNDlhMjM2NDkxMmU5ZjE0YWNkNGUyNGM4MmJhYmZjMDkzMjkyZjFiODIzY2Y0ODQ3M2ZmZjAxYjNmYmZmMDc2NzY1ZmY0ZsomemissingForSecurityreasons' -H 'fog-user-token: OTc3YjkzNDY2NzY5YjQ1OGEzOWE1MTE2Yjc2ZGVlYzI3YzE3ZmQ4MGMyMDZiNjUyYTk3YjRlMjIyYTllYjM0ZGJhYWY3Nuserinfomissingforsecurityreasons' -H 'Content-Type: application/json' -X GET 'http://fog.home/fog/task/active'
Has this feature been deprecated or something?
For background I want to use basic auth because I will be performing a mass deployment to many isolated networks. The network is providing the security and I want not to worry about API credentials in my scripts.
MOD NOTE: Edited to remove portion of API Token as this is a security hazard.
It also appears you’re missing the actual FOG-API-TOKEN header.
curl -H 'fog-api-token: YourFOGAPITokenHere' -H 'Content-type: application/json' -u api:password 'http://fog.home/fog/task/active' -vvv
@fishfox I’d recommend using api tokens as they don’t change and if your scripts get out you don’t have a compromised user account; simply update the user token and voilà, you’re done.
Basic auth should still work, though I’ll admit it’s been a bit since I last tested it. Just remember if the password has special characters like $ ! \ and likely others, the user and pass string would likely need to be escaped either by double quotes or \
I’ll test with basic auth and see if the command you’re using is just not quite correct too.
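Added example, not from any poster in this thread or from the FOG project: a bash sketch of what `-u user:password` puts on the wire and how to pass a password containing `$`, `!` or `\` unchanged, combined with the `fog-api-token` header suggested in the reply. The names `FOG_API_TOKEN`, `FOG_USER`, `FOG_PASS`, the function names and the sample password are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: build and inspect the Basic credential that curl sends with -u.

# Encode user:password the way curl does for "Authorization: Basic <value>".
# printf '%s' passes both arguments through byte-for-byte (no newline, no escapes).
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a Basic value back to user:password. Basic is an encoding, not
# encryption, so anyone who can read the request header can do the same.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Constructed sample password with the characters mentioned in the thread.
# Single quotes keep the shell from interpreting $, ! and \ in the literal.
sample_pw='pa$$w0rd!\x'

# Request with both the API token header and Basic credentials.
# FOG_API_TOKEN, FOG_USER and FOG_PASS are hypothetical variable names; set them
# from a file or prompt rather than hard-coding them in the script.
# Values expanded from variables inside double quotes are not re-interpreted,
# so special characters in FOG_PASS reach curl unchanged.
fog_active_tasks() {
    curl -sS \
         -H "fog-api-token: ${FOG_API_TOKEN}" \
         -H 'Content-Type: application/json' \
         -u "${FOG_USER}:${FOG_PASS}" \
         'http://fog.home/fog/task/active'
}
```

Running `basic_auth_decode YXBpOnBhc3N3b3Jk` on the header captured in the first post returns `api:password`, which is what any host on the path sees when the request goes over plain `http://`.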