What Password Managers available in Linux

List of Password Managers that are available in Linux?

Aside from BitWarden. I want to know some alternatives you guys are using. Preferably a standalone program instead of a browser plugin or extension.

ANSWER

I have been using KeePassXC personally for some time, and 1Password for work-related stuff.

The first one is a KeePass variant and open source. It has a Qt-based application that has been available on Linux for a while. 1Password support on Linux had been in beta since last year; recently it was moved out of beta.

Others I know off the top of my head:

  • AuthPass
  • Password Safe (for the GNOME DE)
  • KeePassX (from which KeePassXC was forked)

WordPress Editor Won't Load Content Anymore

Got this weird WordPress behaviour recently. While most pages load successfully, editing something – like a post or a page – will draw a blank browser tab. Zero content whatsoever. It has the same result in both Firefox and Chrome. Not tried on other browsers.

ANSWER

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'unsafe-inline'

This was the error that I got when I went into the page, opened developer tools, then reloaded the page.

It was caused by an additional custom header policy on the website's web server. It looks something like this:

Header set Content-Security-Policy "default-src 'unsafe-inline' 

Add 'unsafe-eval' to get around it. Use of eval() is usually considered bad practice and insecure, hence it gets blocked until it is allowed by adding it to the policy. The header will look like this after modifying it. Don't forget to restart the web server.

Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 

A more detailed explanation can be found here: https://scotthelme.co.uk/content-security-policy-an-introduction/
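As an added example (not code from the original answer, nor from WordPress or Apache), the following JavaScript models the browser rule that decides whether eval() is permitted under a given Content-Security-Policy: eval(), new Function() and string-argument setTimeout are governed by script-src, which falls back to default-src only when script-src is absent, and they are allowed only if that governing directive lists 'unsafe-eval'. The policy strings are constructed inputs; the first one is the policy shown in the answer above. The sample named scopedToScript shows the alternative a practitioner would usually prefer: granting 'unsafe-eval' in a dedicated script-src directive keeps the widened grant out of every other directive that inherits from default-src.

```javascript
// Added example: models the CSP rule that governs eval(), for illustration only.
// This is not code from the original answer or from WordPress/Apache.

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// Directives are separated by ';'; tokens inside a directive by whitespace.
// Per the CSP spec, a directive name that appears more than once is honoured
// only the first time, so later duplicates are ignored here as well.
function parseCsp(header) {
  const directives = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Return the source list that governs eval(): script-src if present,
// otherwise default-src, otherwise null (no restriction at all).
function governingScriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

// true when eval() / new Function() / string setTimeout would be permitted.
function evalAllowed(header) {
  const sources = governingScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies (not taken from any real site).
const SAMPLE_POLICIES = {
  // the policy from the answer above: eval() is blocked
  original: "default-src 'unsafe-inline'",
  // the answer's fix: eval() allowed, but via default-src
  widenedDefault: "default-src 'unsafe-inline' 'unsafe-eval'",
  // narrower fix: only script-src carries the eval grant
  scopedToScript: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  // script-src present, so default-src no longer applies to scripts
  overriddenByScriptSrc: "default-src 'unsafe-eval'; script-src 'self'",
};

// Evaluate every sample policy and return { name: evalAllowed }.
function evaluateSamples() {
  const result = {};
  for (const [name, policy] of Object.entries(SAMPLE_POLICIES)) {
    result[name] = evalAllowed(policy);
  }
  return result;
}

console.log(evaluateSamples());
```

The overriddenByScriptSrc case is the one that usually surprises people: once a script-src directive exists, nothing in default-src applies to scripts any more, so a fix placed in default-src has no effect if the server (or a plugin) also emits script-src.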

Secure way to send API key

I am developing an SDK which users would use to access my service.
The authorization is done using an API key, which is unique to each user.
The SDK makes API calls to my server using the provided API key.

My question is: how do I secure the API key passed as a header in the API calls?
Should I encrypt the key with RSA while sending it over the network? But then there will be two issues:

  1. Shipping a public key with the SDK
  2. Overhead of reading keys from file for every API call

Is there a better approach to this?

Go to Source
Author: saintlyzero

Can security modules completely override Linux Kernel’s access model?

I am aware of AppArmor and specifically how it can be used to limit a program's access rights where the file-system permissions would otherwise allow them. What I'm less clear on is whether it's possible for AppArmor or any similar security module to completely override a program's access rights. Can they grant a program access to read/write/execute files that the user otherwise has no access to?

I’m asking for what the Linux Kernel will allow such a security module to do, not what existing security modules can be configured to do.


Go to Source
Author: Philip Couling

Active Directory Name Change

Our Active Directory will change the account names, for example John Doe from Jdoe@abcd.com to John.Doe@abcd.com.

My question is: do I need to change all the SQL logins individually, or can the person log in to SQL Server Management Studio with their old name? Also, what happens if the login is the owner of a database or job?

Go to Source
Author: SQL_NoExpert

Tor Browser GENERIC VERIFICATION FAILED

I am using Linux Mint 19.3. The problem is that when I installed Tor, the error GENERIC VERIFICATION FAILED was raised while downloading the packages. I tried many solutions but they did not solve the issue. I tried the following:

  1. gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pgp.mit.edu
  2. gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pool.sks-keyservers.net

Go to Source
Author: Hassan

Does `npm audit` add any value when using `dependabot`

Context

There are multiple ways to scan projects for vulnerabilities.

Dependabot can be configured to check repositories for issues, and automatically submit pull requests to resolve them.

NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.

We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected; not how the tools work (i.e. whether they can cause a pipeline to block/fail).

The actual question

Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?

Go to Source
Author: JohnLBevan

What is a recommended authentication architecture for a front GUI app that I want to control but that will be used by others to control their servers?

I have a front end (web GUI) app that I designed (Python for now + JavaScript in the future) that I use to access a controller; it uses REST APIs.

I want to publish this app in the cloud so that others could use it.

The biggest issue I am seeing is the security side, as the app needs to authenticate with the remote server (a controller itself) and start sending tasks to the controller, which will translate them into internal REST API calls to control processes on downstream servers.

Is there an authentication flow that will guarantee to the owners of the controllers that I (the publisher of the front end) cannot intercept the authentication flow and gain unwanted access to their servers?

My idea is to use a two-step authentication/authorization process like below. Is there a better way?
Please edit this diagram if you have suggestions.

Go to Source
Author: MiniMe