<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/18/2016 2:15 AM, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAeP0CGdzwk+HhGycY-GBounRoGtRZCB97HWNo89CZEAKw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 17 February 2016 at 17:09,
Aikeaguinea <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It
seems the add-user.sh script for changing the admin
password only<br>
accepts the password as a -p command-line parameter. This
would expose<br>
the password in the command history, so I'd prefer not to
use the<br>
command in its current form.<br>
</blockquote>
<div><br>
</div>
<div>That's a mistake; we'll fix that. If not specified it
should prompt for it. Added <a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2501">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
</div>
</div>
</div>
</blockquote>
After attending several security talks the last couple of days, I've
become rather sensitized to this kind of issue. I feel quite
strongly that we should never allow the password to be written to
history in plain text. I'm also afraid it could cause us to flunk
government certifications.<br>
<br>
On Windows, this really isn't a problem because command history is
not saved. After a CMD session ends, the history is lost (unless
you install some third-party tool).<br>
<br>
Perhaps there is a way to temporarily disable logging of command
history in the add-user-keycloak.sh?<br>
<br>
<blockquote
cite="mid:CAJgngAeP0CGdzwk+HhGycY-GBounRoGtRZCB97HWNo89CZEAKw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Is there another way to do this?<br>
<br>
The situation is even more complicated with Docker, since
running the<br>
script to change the Wildfly admin password requires
restarting the<br>
server, which shuts down the container. If you have an
autoscaling<br>
group, the container that gets brought up is not the
container where you<br>
changed the password, but instead the original container.
This seems to<br>
mean that the only way to have Keycloak run in Docker in
an autoscaling<br>
group is to bake the admin passwords into the Docker image
beforehand.<br>
This isn't ideal; less so if the only way to add those
passwords during<br>
build time is to run the shell script that exposes the
password on the<br>
command line.<br>
</blockquote>
<div><br>
</div>
<div>You need to set the password once for your database.
This can be done prior to accessing the admin console the
first time. Take a look at <a moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
you can use docker exec to do this.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span
class=""><font color="#888888"><br>
--<br>
<a moz-do-not-send="true"
href="http://www.fastmail.com" rel="noreferrer"
target="_blank">http://www.fastmail.com</a> - Access
your email from home and the web<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
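The thread's two concerns, a password typed as <code>-p</code> landing in shell history and a Docker image needing the password before the container ever starts, share one fix: the secret must never be a command-line argument. The wrapper below is an added example for this page; it is not Keycloak's add-user-keycloak.sh, not code from any participant, and the variable names <code>KC_ADMIN_PASSWORD_FILE</code> and <code>KC_ADMIN_PASSWORD</code> are assumptions of the example. It resolves the password from a mounted secret file, an environment variable, or a hidden terminal prompt, refuses any <code>-p</code>/<code>--password</code> argument, and pipes the secret into a command that reads it from standard input (the behaviour KEYCLOAK-2501 asks for when <code>-p</code> is omitted).

```shell
#!/bin/sh
# Added example (not Keycloak's add-user-keycloak.sh, not code from this thread):
# a wrapper that obtains the admin password without ever putting it in argv.
# A password given as "-p <secret>" is recorded by the interactive shell's
# history and is readable by other local users via `ps` / /proc/<pid>/cmdline
# for as long as the process runs. A script cannot switch off its caller's
# history, so the fix is to take the secret from somewhere else.
#
# Sources, in order (variable names are assumptions of this example):
#   1. KC_ADMIN_PASSWORD_FILE  path to a file holding the password, e.g. a
#                              secret mounted into a container at build/run time
#   2. KC_ADMIN_PASSWORD       environment variable (weaker: root can read
#                              /proc/<pid>/environ, and env vars leak into
#                              child processes and crash dumps)
#   3. hidden terminal prompt  only when stdin is a terminal

resolve_admin_password() {
    if [ -n "${KC_ADMIN_PASSWORD_FILE:-}" ]; then
        if [ ! -r "$KC_ADMIN_PASSWORD_FILE" ]; then
            echo "admin password file is not readable: $KC_ADMIN_PASSWORD_FILE" >&2
            return 1
        fi
        # first line only: mounted secrets usually carry a trailing newline
        head -n 1 "$KC_ADMIN_PASSWORD_FILE"
        return 0
    fi
    if [ -n "${KC_ADMIN_PASSWORD:-}" ]; then
        printf '%s\n' "$KC_ADMIN_PASSWORD"
        return 0
    fi
    if [ -t 0 ]; then
        printf 'Admin password: ' >&2
        stty -echo            # do not echo the typed password to the terminal
        IFS= read -r _pw
        stty echo
        printf '\n' >&2
        printf '%s\n' "$_pw"
        unset _pw
        return 0
    fi
    echo "no admin password source: set KC_ADMIN_PASSWORD_FILE or run interactively" >&2
    return 1
}

# Refuse the unsafe form outright, so a habit of typing "-p secret" fails fast
# instead of silently landing in ~/.bash_history and the process list.
reject_password_in_args() {
    for _arg in "$@"; do
        case "$_arg" in
            -p|-p?*|--password|--password=*)
                echo "refusing a password on the command line; use KC_ADMIN_PASSWORD_FILE" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Run a command that reads the password from its standard input, feeding it
# the resolved secret. Once the add-user script prompts instead of requiring
# -p, the call would look like:  run_with_stdin_password ./add-user-keycloak.sh
run_with_stdin_password() {
    reject_password_in_args "$@" || return 1
    _pw=$(resolve_admin_password) || return 1
    printf '%s\n' "$_pw" | "$@"
    _rc=$?
    unset _pw
    return $_rc
}
```

Two points the wrapper makes explicit: only the interactive shell writes history, so the mitigation the message asks about (the script disabling history) is not something the script can enforce; a bash user can set <code>HISTCONTROL=ignorespace</code> and prefix the command with a space, but that leaves the argument in <code>ps</code> output and image metadata. For the Docker case, a password passed as an argument in a <code>RUN</code> line is preserved in the image's layer history, whereas a secret file read at build time and not copied into a layer is not, which is why the file source comes first.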
</body>
</html>