[Hawkular-dev] Default user, or alternative realm file?

Juraci Paixão Kröhling jpkroehling at redhat.com
Wed Mar 11 15:23:44 EDT 2015



On 03/11/2015 06:29 PM, Alexandre Mendonca wrote:
> But, I think if the credentials are preset to admin/admin, needing
> to be changed on first login (with whichever strength enforcement
> we decide and keycloak supports) along with email address, it would
> be safe. The only possibility of an attacker logging in with
> default credentials would be for a never-configured installation,
> and for that, even the keycloak "master" realm is exposed to the
> same risk.

Right, but it's a risk we don't need, as I see it only as a
convenience rather than a necessity.

> Actually, thinking of it, the "master" realm situation is
> dangerous, if a user never needs to login directly to it, he may
> leave it in "unconfigured" state, where it can be accessed later by
> an attacker.

> So I vote for option 1. And we need to figure out a solution for also
> forcing the user to change the default admin/admin of "master"
> realm.

Indeed, I'll create a JIRA for myself to look into it.

-- Juca.
