<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 2/18/2016 9:10 AM, Bruno Oliveira
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAM5SUC6U1Xt02e4yX0wq=KrXmg_FbU_DA7FTisq=_O0PHwzKug@mail.gmail.com"
      type="cite">
      <div dir="ltr">I think the Jira created by Stian pretty much fixes
        the problem. Nope?</div>
    </blockquote>
    Stian's JIRA says that if it is not specified on the command line
    then do the prompt.  But if we still allow setting it from the
    command line then the password can still be saved to the log in
    plain text.  Security auditors will always frown on that.<br>
    <br>
    So I'm saying we should either disallow setting on the command line
    or somehow disable saving to the log.  We shouldn't rely on an
    administrator to do the right thing.<br>
    <br>
    <blockquote
cite="mid:CAM5SUC6U1Xt02e4yX0wq=KrXmg_FbU_DA7FTisq=_O0PHwzKug@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Something like:</div>
        <div><br>
        </div>
        <div>./add-user-keycloak.sh -u user</div>
        <div>Password: ******</div>
        <div><br>
        </div>
        <div>Or </div>
        <div><br>
        </div>
        <div>./add-user-keycloak.sh</div>
        <div>Username: joe</div>
        <div>Password: ******</div>
        <div><br>
        </div>
        <div>If this can't fix the issue, it is also possible to disable
          bash_history temporarily. But I wouldn't take this route,
          because this is pretty much a system administration
          responsibility.</div>
        <div><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, Feb 18, 2016 at 11:47 AM Stan Silvert
          &lt;<a moz-do-not-send="true"
            href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <div>On 2/18/2016 2:15 AM, Stian Thorgersen wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr"><br>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On 17 February 2016 at 17:09,
                    Aikeaguinea <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:aikeaguinea@xsmail.com"
                        target="_blank">aikeaguinea@xsmail.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It

                      seems the add-user.sh  script for changing the
                      admin password only<br>
                      accepts the password as a -p command-line
                      parameter. This would expose<br>
                      the password in the command history, so I'd prefer
                      not to use the<br>
                      command in its current form.<br>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>That's a mistake, we'll fix that. If not
                      specified it should prompt for it. Added <a
                        moz-do-not-send="true"
                        href="https://issues.jboss.org/browse/KEYCLOAK-2501"
                        target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <div text="#000000" bgcolor="#FFFFFF"> After attending several
            security talks the last couple of days, I've become rather
            sensitized to this kind of issue.  I feel quite strongly
            that we should never allow the password to be written to
            history in plain text.   I'm also afraid it could cause us
            to flunk government certifications.<br>
            <br>
            On Windows, this really isn't a problem because command
            history is not saved.  After a CMD session ends, the history
            is lost (unless you install some third-party tool).<br>
            <br>
            Perhaps there is a way to temporarily disable logging of
            command history in the add-user-keycloak.sh?</div>
          <div text="#000000" bgcolor="#FFFFFF"><br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div class="gmail_extra">
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                      Is there another way to do this?<br>
                      <br>
                      The situation is even more complicated with
                      Docker, since running the<br>
                      script to change the Wildfly admin password
                      requires restarting the<br>
                      server, which shuts down the container. If you
                      have an autoscaling<br>
                      group, the container that gets brought up is not
                      the container where you<br>
                      changed the password, but instead the original
                      container. This seems to<br>
                      mean that the only way to have Keycloak run in
                      Dockers in an autoscaling<br>
                      group is to bake the admin passwords into the
                      Docker image beforehand.<br>
                      This isn't ideal; less so if the only way to add
                      those passwords during<br>
                      build time is to run the shell script that exposes
                      the password on the<br>
                      command line.<br>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>You need to set the password once for your
                      database. This can be done prior to accessing the
                      admin console the first time. Take a look at <a
                        moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md"
                        target="_blank">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
                      you can use docker exec to do this.</div>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font
                          color="#888888"><br>
                          --<br>
                          <a moz-do-not-send="true"
                            href="http://www.fastmail.com"
                            rel="noreferrer" target="_blank">http://www.fastmail.com</a>
                          - Access your email from home and the web<br>
                          <br>
_______________________________________________<br>
                          keycloak-user mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:keycloak-user@lists.jboss.org"
                            target="_blank">keycloak-user@lists.jboss.org</a><br>
                          <a moz-do-not-send="true"
                            href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
                            rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                        </font></span></blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </blockquote>
            <br>
          </div>
          </blockquote>
      </div>
    </blockquote>
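    The prompt-instead-of-argv approach discussed above, as an added
    example that is not the Keycloak project's add-user-keycloak.sh and
    not code from anyone in this thread: a POSIX sh fragment that takes
    the password only from a file named by an environment variable
    (KEYCLOAK_PASSWORD_FILE is an assumed name), from piped stdin, or
    from a terminal prompt with echo switched off, and that refuses a
    -p/--password argument outright. Two caveats behind that design: an
    interactive shell adds a command line to its history as it reads
    it, before the script even starts, and a child process cannot edit
    its parent's history, so the script itself can never "disable
    logging"; and anything passed in argv is also visible to other
    local users in the process list while the script runs. Taking the
    secret from a prompt, a file or stdin removes both exposures rather
    than papering over one of them.<br>

```shell
#!/bin/sh
# Added example, not the Keycloak project's script: obtain a password without
# ever accepting it in argv, so it cannot reach shell history or ps output.
#
# Sources, in order:
#   1. KEYCLOAK_PASSWORD_FILE (assumed variable name): first line of that file
#   2. stdin when it is not a terminal (e.g. piped in from docker exec)
#   3. a terminal prompt with echo disabled

# read_password_from_file FILE -> prints the first line of FILE.
# Returns 1 if the file is unreadable or the line is empty.
read_password_from_file() {
  file=$1
  [ -r "$file" ] || return 1
  pw=$(head -n 1 "$file")
  [ -n "$pw" ] || return 1
  printf '%s' "$pw"
}

# prompt_password -> prints the password read from stdin.
# When stdin is a terminal, echo is turned off for the duration of the read
# (and restored on interrupt); when it is a pipe, the line is read silently.
prompt_password() {
  pw=''
  if [ -t 0 ]; then
    printf 'Password: ' >/dev/tty
    stty -echo
    trap 'stty echo' INT TERM
    IFS= read -r pw || [ -n "$pw" ]
    stty echo
    trap - INT TERM
    printf '\n' >/dev/tty
  else
    # tolerate a missing trailing newline on the last (only) line
    IFS= read -r pw || [ -n "$pw" ]
  fi
  printf '%s' "$pw"
}

# resolve_password -> picks the password source; argv is never one of them.
resolve_password() {
  if [ -n "${KEYCLOAK_PASSWORD_FILE:-}" ]; then
    read_password_from_file "$KEYCLOAK_PASSWORD_FILE"
  else
    prompt_password
  fi
}

# reject_argv_password ARGS... -> returns 1 if a password option is present,
# so a wrapper can refuse to run instead of silently accepting a leaked value.
# Only the plain -p / --password / --password=VALUE spellings are checked;
# clustered forms depend on the real script's option parser.
reject_argv_password() {
  for arg in "$@"; do
    case $arg in
      -p|--password|--password=*) return 1 ;;
    esac
  done
  return 0
}

# Typical wiring inside the real script would be:
#   reject_argv_password "$@" || { echo "pass the password via prompt, stdin or file" >&2; exit 2; }
#   password=$(resolve_password) || exit 1
```

    Piping into resolve_password (for example from a docker exec
    invocation) works without a terminal, because the prompt and stty
    calls are only used when stdin is a tty; in that mode the secret
    never appears in argv, history or the process list.<br>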
    <br>
  </body>
</html>