API basic auth not working

  • Auth via keys is working but not via user & password

    christian@SuperDuper$ curl -H 'Content-Type: application/json' 'http://fog.home/fog/task/active' -u api:password -vvv
    *   Trying
    * Connected to fog.home ( port 80 (#0)
    * Server auth using Basic with user 'api'
    > GET /fog/task/active HTTP/1.1
    > Host: fog.home
    > Authorization: Basic YXBpOnBhc3N3b3Jk
    > User-Agent: curl/7.47.0
    > Accept: */*
    > Content-Type: application/json
    < HTTP/1.1 403 Forbidden
    < Date: Thu, 24 May 2018 04:38:01 GMT
    < Server: Apache/2.4.33 (Ubuntu)
    < X-Frame-Options: sameorigin
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < Strict-Transport-Security: max-age=31536000
    < Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';connect-src 'self';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';
    < Access-Control-Allow-Origin: *
    < Content-Length: 0
    < Connection: close
    < Content-Type: application/json
    * Closing connection 0

    By contrast this works fine:

    curl -H 'fog-api-token: MzkyNmQ3MWNkMjNjOTk1MzNiZDU0MzM2MTg3OTQ3MjZiZmI1NjhiNDlhMjM2NDkxMmU5ZjE0YWNkNGUyNGM4MmJhYmZjMDkzMjkyZjFiODIzY2Y0ODQ3M2ZmZjAxYjNmYmZmMDc2NzY1ZmY0ZsomemissingForSecurityreasons' -H 'fog-user-token: OTc3YjkzNDY2NzY5YjQ1OGEzOWE1MTE2Yjc2ZGVlYzI3YzE3ZmQ4MGMyMDZiNjUyYTk3YjRlMjIyYTllYjM0ZGJhYWY3Nuserinfomissingforsecurityreasons' -H 'Content-Type: application/json' -X GET 'http://fog.home/fog/task/active'

    Any ideas?
    Has this feature been deprecated or something?

    For background I want to use basic auth because I will be performing a mass deployment to many isolated networks. The network is providing the security and I want not to worry about API credentials in my scripts.


    MOD NOTE: Edited to remove portion of API Token as this is a security hazard.

  • It also appears you’re missing the actual FOG-API-TOKEN header.
    E.G. Try:

    curl -H 'fog-api-token: YourFOGAPITokenHere' -H 'Content-type: application/json' -u api:password 'http://fog.home/fog/task/active' -vvv

  • @fishfox I’d recommend using API tokens as they don’t change, and if your scripts get out you don’t have a compromised user account; simply update the user token and voilà, you’re done.

    Basic auth should still work though I’ll admit it’s been a bit since I last tested it. Just remember if the password has special characters like $ ! \ and likely others the user and pass string would likely need to be escaped either by double quotes or \

    I’ll test with basic auth and see if the command you’re using is just not quite correct too.
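
Added example, not part of any post in this thread: an offline check that the credentials handed to `curl -u` survive shell quoting, using the `Authorization` header from the verbose output in the first post. It assumes GNU `base64`; the function names, the `FOG_API_TOKEN` variable and the password `Pa$sword!` are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify Basic credentials offline before scripting FOG API calls.

# Build the header curl generates for `-u user:pass` (base64 of "user:pass").
basic_auth_header() {
    printf 'Authorization: Basic %s\n' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a header copied from `curl -v` output back to "user:pass".
decode_basic_header() {
    printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# Return 0 only if the captured header carries exactly the intended credentials.
header_matches() {
    [ "$(decode_basic_header "$1")" = "$2:$3" ]
}

# The request from the second post with every value quoted. Defined but not
# called here because it needs the network; FOG_API_TOKEN is a placeholder.
fog_get() {
    curl -H "fog-api-token: $FOG_API_TOKEN" -H 'Content-Type: application/json' \
         -u "$1:$2" 'http://fog.home/fog/task/active'
}

# Header as it appears in the verbose curl output in the first post.
captured='Authorization: Basic YXBpOnBhc3N3b3Jk'

# Constructed password with shell-special characters.
pw_single='Pa$sword!'   # single quotes: stored byte for byte
pw_double="Pa$sword!"   # double quotes: $sword expands (unset, so empty)

echo "captured header decodes to: $(decode_basic_header "$captured")"
echo "single-quoted password:     $pw_single"
echo "double-quoted password:     $pw_double"
if header_matches "$(basic_auth_header api "$pw_double")" api "$pw_single"; then
    echo "quoting preserved the password"
else
    echo "quoting changed the password before curl ever saw it"
fi
```

The decode step also shows that a Basic header is an encoding, not encryption: over plain `http://` the user name and password are readable by anything that can see the request.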