diff --git a/SUMMARY.md b/SUMMARY.md index ac9fbae..09da07f 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -111,7 +111,7 @@ ## NATS Tools * [Introduction](nats-tools/nats-tools.md) -* [mkpasswd](nats-tools/mkpasswd.md) +* [nats](nats-tools/natscli.md) * [nk](nats-tools/nk.md) * [nsc](nats-tools/nsc/README.md) * [Basics](nats-tools/nsc/nsc.md) diff --git a/developing-with-nats/security/userpass.md b/developing-with-nats/security/userpass.md index a36789b..8609dff 100644 --- a/developing-with-nats/security/userpass.md +++ b/developing-with-nats/security/userpass.md @@ -6,12 +6,14 @@ For this example, start the server using: > nats-server --user myname --pass password ``` -You can encrypt passwords to pass to `nats-server` using a simple [tool](../../nats-tools/mkpasswd.md) provided by the server: +You can encrypt passwords to pass to `nats-server` using a simple [tool](../../nats-tools/natscli.md): ```bash -> go run mkpasswd.go -p -> password: password -> bcrypt hash: $2a$11$1oJy/wZYNTxr9jNwMNwS3eUGhBpHT3On8CL9o7ey89mpgo88VG6ba +> nats server passwd +? Enter password [? for help] ********************** +? Reenter password [? for help] ********************** + +$2a$11$qbtrnb0mSG2eV55xoyPqHOZx/lLBlryHRhU3LK2oOPFRwGF/5rtGK ``` and use the hashed password in the server config. The client still uses the plain text version. diff --git a/docs/nats_tools/README.md b/docs/nats_tools/README.md index 4de99cb..2da3bb1 100644 --- a/docs/nats_tools/README.md +++ b/docs/nats_tools/README.md @@ -2,7 +2,7 @@ The NATS Ecosystem has many tools to support server configuration, enhance monitoring or tune performance: -- [mkpasswd](nats_tools/mkpasswd.md) - Generates or bcrypts passwords +- [nats](nats_tools/natscli.md) - Interact with and manage NATS - [nk](nats_tools/nk.md) - Generate NKeys - [nsc](nats_tools/nsc/README.md) - Configure Operators, Accounts and Users - [nats account server](nats_tools/nas/README.md) - Serve Account JWTs 
diff --git a/nats-server/configuration/securing_nats/auth_intro/tokens.md b/nats-server/configuration/securing_nats/auth_intro/tokens.md index 2500735..f786590 100644 --- a/nats-server/configuration/securing_nats/auth_intro/tokens.md +++ b/nats-server/configuration/securing_nats/auth_intro/tokens.md @@ -29,12 +29,14 @@ Listening on [>] Tokens can be bcrypted enabling an additional layer of security, as the clear-text version of the token would not be persisted on the server configuration file. -You can generate bcrypted tokens and passwords using the [`mkpasswd`](../../../../nats-tools/mkpasswd.md) tool: +You can generate bcrypted tokens and passwords using the [`nats`](../../../../nats-tools/natscli.md) tool: ```text -> mkpasswd -pass: dag0HTXl4RGg7dXdaJwbC8 -bcrypt hash: $2a$11$PWIFAL8RsWyGI3jVZtO9Nu8.6jOxzxfZo7c/W0eLk017hjgUKWrhy +> nats server passwd +? Enter password [? for help] ********************** +? Reenter password [? for help] ********************** + +$2a$11$PWIFAL8RsWyGI3jVZtO9Nu8.6jOxzxfZo7c/W0eLk017hjgUKWrhy ``` Here's a simple configuration file: diff --git a/nats-server/configuration/securing_nats/auth_intro/username_password.md b/nats-server/configuration/securing_nats/auth_intro/username_password.md index f1b3d13..ee52e4e 100644 --- a/nats-server/configuration/securing_nats/auth_intro/username_password.md +++ b/nats-server/configuration/securing_nats/auth_intro/username_password.md 
@@ -30,12 +30,14 @@ authorization: { ## Bcrypted Passwords -Username/password also supports bcrypted passwords using the [`mkpasswd`](../../../../nats-tools/mkpasswd.md) tool. Simply replace the clear text password with the bcrypted entries: +Username/password also supports bcrypted passwords using the [`nats`](../../../../nats-tools/natscli.md) tool. Simply replace the clear text password with the bcrypted entries: ```text -> mkpasswd -pass: (Uffs#rG42PAu#Oxi^BNng -bcrypt hash: $2a$11$V1qrpBt8/SLfEBr4NJq4T.2mg8chx8.MTblUiTBOLV3MKDeAy.f7u +> nats server passwd +? Enter password [? for help] ********************** +? Reenter password [? for help] ********************** + +$2a$11$V1qrpBt8/SLfEBr4NJq4T.2mg8chx8.MTblUiTBOLV3MKDeAy.f7u ``` And on the configuration file: @@ -44,7 +46,7 @@ And on the configuration file: authorization: { users: [ {user: a, password: "$2a$11$V1qrpBt8/SLfEBr4NJq4T.2mg8chx8.MTblUiTBOLV3MKDeAy.f7u"}, - ... + ... ] } ``` diff --git a/nats-tools/mkpasswd.md b/nats-tools/mkpasswd.md deleted file mode 100644 index 0da545f..0000000 --- a/nats-tools/mkpasswd.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# mkpasswd - -The server supports hashing of passwords and authentication tokens using `bcrypt`. To take advantage of this, simply replace the plaintext password in the configuration with its `bcrypt` hash, and the server will automatically utilize `bcrypt` as needed. - -A utility for creating `bcrypt` hashes is included with the nats-server distribution \(`util/mkpasswd.go`\). Running it with no arguments will generate a new secure password along with the associated hash. This can be used for a password or a token in the configuration. - -## Installing `mkpasswd` - -If you have [go installed](https://golang.org/doc/install), you can easily install the `mkpasswd` tool by doing: - -```text -go get github.com/nats-io/nats-server/util/mkpasswd -``` - -Alternatively, you can: - -```text -git clone git@github.com:nats-io/nats-server -cd nats-server/util/mkpasswd -go install mkpasswd.go -``` - -## Generating bcrypted passwords - -With `mkpasswd` installed: - -```text -> mkpasswd -pass: #IclkRPHUpsTmACWzmIGXr -bcrypt hash: $2a$11$3kIDaCxw.Glsl1.u5nKa6eUnNDLV5HV9tIuUp7EHhMt6Nm9myW1aS -``` - -If you already have a password selected, you can supply the `-p` flag on the command line, enter your desired password, and a `bcrypt` hash will be generated for it: - -```text -> mkpasswd -p -Enter Password: ******* -Reenter Password: ****** -bcrypt hash: $2a$11$3kIDaCxw.Glsl1.u5nKa6eUnNDLV5HV9tIuUp7EHhMt6Nm9myW1aS -``` - -To use the password on the server, add the hash into the server configuration file's authorization section. - -```text - authorization { - user: derek - password: $2a$11$3kIDaCxw.Glsl1.u5nKa6eUnNDLV5HV9tIuUp7EHhMt6Nm9myW1aS - } -``` - -Note the client will still have to provide the plain text version of the password, the server however will only store the hash to verify that the password is correct when supplied. - diff --git a/nats-tools/nats-tools.md b/nats-tools/nats-tools.md index 6468420..6b61f00 100644 --- a/nats-tools/nats-tools.md 
+++ b/nats-tools/nats-tools.md @@ -2,7 +2,7 @@ The NATS Ecosystem has many tools to support server configuration, enhance monitoring or tune performance: -* [mkpasswd](mkpasswd.md) - Generates or bcrypts passwords +* [nats](natscli.md) - Interact with and manage NATS * [nk](nk.md) - Generate NKeys * [nsc](nsc/) - Configure Operators, Accounts and Users * [nats account server](nas/) - Serve Account JWTs diff --git a/nats-tools/natscli.md b/nats-tools/natscli.md new file mode 100644 index 0000000..ed4b303 --- /dev/null +++ b/nats-tools/natscli.md 
@@ -0,0 +1,59 @@ +# natscli + +A command line utility to interact with and manage NATS. + +This utility replaces various past tools that were named in the form `nats-sub` and `nats-pub`, adds several new capabilities and support full JetStream management. + +Check out the repo for more details: [github.com/nats-io/natscli](https://github.com/nats-io/natscli). + +## Installing `nats` + +For macOS: + +``` +> brew tap nats-io/nats-tools +> brew install nats-io/nats-tools/nats +``` + +For Arch Linux: + +``` +> yay natscli +``` + +For Docker: + +``` +docker pull synadia/nats-box:latest + +docker run -ti synadia/nats-box +``` + +Binaries are also available as [GitHub Releases](https://github.com/nats-io/natscli/releases). + +## Generating bcrypted passwords + +The server supports hashing of passwords and authentication tokens using `bcrypt`. To take advantage of this, simply replace the plaintext password in the configuration with its `bcrypt` hash, and the server will automatically utilize `bcrypt` as needed. + +The `nats` utility has a command for creating `bcrypt` hashes. This can be used for a password or a token in the configuration. + +With `nats` installed: + +```plain +> nats server passwd +? Enter password [? for help] ********************** +? Reenter password [? for help] ********************** + +$2a$11$3kIDaCxw.Glsl1.u5nKa6eUnNDLV5HV9tIuUp7EHhMt6Nm9myW1aS +``` + +To use the password on the server, add the hash into the server configuration file's authorization section. + +``` + authorization { + user: derek + password: $2a$11$3kIDaCxw.Glsl1.u5nKa6eUnNDLV5HV9tIuUp7EHhMt6Nm9myW1aS + } +``` + +Note the client will still have to provide the plain text version of the password, the server however will only store the hash to verify that the password is correct when supplied.
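Review bot: In developing-with-nats/security/userpass.md the rewritten sentence still reads "You can encrypt passwords", but the command output is a bcrypt hash and the next sentence already calls it "the hashed password"; change "encrypt" to "hash" so readers do not expect the stored value to be reversible. The fence in this hunk is also still tagged `bash` although its body is now an interactive prompt transcript, where tokens.md uses `text` for the same transcript.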
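Review bot: The new entry in docs/nats_tools/README.md links to `nats_tools/natscli.md`, but the only natscli.md this patch creates is nats-tools/natscli.md; nothing is added under docs/, so as far as this diff shows the link has no target. Either add the page under docs/ as well or point the entry at the file that is actually created.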
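Review bot: In tokens.md the lead-in still says "You can generate bcrypted tokens and passwords", yet the removed `mkpasswd` run printed a generated secret on its `pass:` line while the new `nats server passwd` transcript only prompts for one. Say that the user supplies the token at the prompt, and that the "Enter password" prompt is also the path for hashing tokens, since this page is about tokens rather than passwords.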
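Review bot: The second hunk of username_password.md (@@ -44,7 +46,7) removes and re-adds the `...` line of the config example with no visible textual difference, so it is a whitespace-only change riding along with a tool rename. If the indentation fix is intended, mention it in the commit message; otherwise drop it from this patch.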
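Review bot: Deleting nats-tools/mkpasswd.md drops the statement that running the tool with no arguments "will generate a new secure password along with the associated hash", and the replacement section in natscli.md has no equivalent. State in natscli.md whether `nats server passwd` can generate the secret or whether the operator must choose one, and consider leaving a short stub at the old path that points to natscli.md so existing links to the mkpasswd page do not break.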
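Review bot: The closing config example in nats-tools/natscli.md gives the bcrypt hash unquoted after `password:`, while the example in username_password.md touched by this same patch quotes it; use one form in both places so a reader copying either snippet gets the same result. Smaller points in the new file: "support full JetStream management" should read "supports"; the fences mix untagged blocks and `plain` where the rest of the patch uses `text`; and the Docker block pulls `synadia/nats-box:latest` rather than a pinned tag and, unlike the other install blocks, has no `>` prompt.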