<div dir="ltr">It&#39;s about balance. I&#39;m not arguing here against it, I just don&#39;t see how it could strengthen security. Nothing will stop people to get their own gun and automate it with stdin :)</div><br><div class="gmail_quote"><div dir="ltr">On Thu, Feb 18, 2016 at 12:45 PM Stan Silvert &lt;<a href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <div>On 2/18/2016 9:29 AM, Bruno Oliveira
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I can be wrong, but this is not only our
        responsibility. For example, on Linux you are prompted for the
        password with passwd, but at the same time you could circumvent
        this using: echo 12345678 | sudo passwd admin --stdin.
        <div><br>
        </div>
        <div>In this scenario security auditors won&#39;t blame the OS for
          this, but pretty much sysadmins and bad security practices.
          Anyways, whatever people think is the best, I&#39;m fine.</div>
      </div>
    </blockquote></div><div text="#000000" bgcolor="#FFFFFF">
    I agree with you there.  In that case you are doing something extra
    to shoot yourself in the foot.  We can&#39;t guard against that.<br>
    <br>
    We just shouldn&#39;t put the gun in your hand.</div><div text="#000000" bgcolor="#FFFFFF"><br>
    <blockquote type="cite"><br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, Feb 18, 2016 at 12:18 PM Stan Silvert
          &lt;<a href="mailto:ssilvert@redhat.com" target="_blank">ssilvert@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <div>On 2/18/2016 9:10 AM, Bruno Oliveira wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">I think the Jira created by Stian pretty
                much fixes the problem. Nope?</div>
            </blockquote>
          </div>
          <div text="#000000" bgcolor="#FFFFFF"> Stian&#39;s JIRA says that
            if it is not specified on the command line then do the
            prompt.  But if we still allow setting it from the command
            line then the password can still be saved to the log in
            plain text.  Security auditors will always frown on that.<br>
            <br>
            So I&#39;m saying we should either disallow setting on the
            command line or somehow disable saving to the log.  We
            shouldn&#39;t rely on an administrator to do the right thing.</div>
          <div text="#000000" bgcolor="#FFFFFF"><br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                </div>
                <div>Something like:</div>
                <div><br>
                </div>
                <div>./add-user-keycloak.sh -u user</div>
                <div>Password: ******</div>
                <div><br>
                </div>
                <div>Or </div>
                <div><br>
                </div>
                <div>./add-user-keycloak-sh</div>
                <div>Username: joe</div>
                <div>Password: ******</div>
                <div><br>
                </div>
                <div>If this can&#39;t fix the issue, is also possible to
                  disable bash_history temporarily. But I wouldn&#39;t take
                  this route, because this is pretty much system
                  administration responsibility.</div>
                <div><br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr">On Thu, Feb 18, 2016 at 11:47 AM Stan
                  Silvert &lt;<a href="mailto:ssilvert@redhat.com" target="_blank">ssilvert@redhat.com</a>&gt;

                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div text="#000000" bgcolor="#FFFFFF">
                    <div>On 2/18/2016 2:15 AM, Stian Thorgersen wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr"><br>
                        <div class="gmail_extra"><br>
                          <div class="gmail_quote">On 17 February 2016
                            at 17:09, Aikeaguinea <span dir="ltr">&lt;<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>&gt;</span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It


                              seems the add-user.sh  script for changing
                              the admin password only<br>
                              accepts the password as a -p command-line
                              parameter. This would expose<br>
                              the password in the command history, so
                              I&#39;d prefer not to use the<br>
                              command in its current form.<br>
                            </blockquote>
                            <div><br>
                            </div>
                            <div>That&#39;s a mistake we&#39;ll fix that. If not
                              specified it should prompt for it. Added <a href="https://issues.jboss.org/browse/KEYCLOAK-2501" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <div text="#000000" bgcolor="#FFFFFF"> After attending
                    several security talks the last couple of days, I&#39;ve
                    become rather sensitized to this kind of issue.  I
                    feel quite strongly that we should never allow the
                    password to be written to history in plain text.  
                    I&#39;m also afraid it could cause us to flunk
                    government certifications.<br>
                    <br>
                    On Windows, this really isn&#39;t a problem because
                    command history is not saved.  After a CMD session
                    ends, the history is lost (unless you install some
                    third-party tool).<br>
                    <br>
                    Perhaps there is a way to temporarily disable
                    logging of command history in the
                    add-user-keycloak.sh?</div>
                  <div text="#000000" bgcolor="#FFFFFF"><br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div class="gmail_extra">
                          <div class="gmail_quote">
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
                              Is there another way to do this?<br>
                              <br>
                              The situation is even more complicated
                              with Docker, since running the<br>
                              script to change the Wildfly admin
                              password requires restarting the<br>
                              server, which shuts down the container. If
                              you have an autoscaling<br>
                              group, the container that gets brought up
                              is not the container where you<br>
                              changed the password, but instead the
                              original container. This seems to<br>
                              mean that the only way to have Keycloak
                              run in Dockers in an autoscaling<br>
                              group is to bake the admin passwords into
                              the Docker image beforehand.<br>
                              This isn&#39;t ideal; less so if the only way
                              to add those passwords during<br>
                              build time is to run the shell script that
                              exposes the password on the<br>
                              command line.<br>
                            </blockquote>
                            <div><br>
                            </div>
                            <div>You need to set the password once for
                              your database. This can be done prior to
                              accessing the admin console the first
                              time. Take a look at <a href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md" target="_blank">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
                              you can use docker exec to do this.</div>
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font color="#888888"><br>
                                  --<br>
                                  <a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a>
                                  - Access your email from home and the
                                  web<br>
                                  <br>
_______________________________________________<br>
                                  keycloak-user mailing list<br>
                                  <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                                  <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                                </font></span></blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                      <br>
                      <fieldset></fieldset>
                      <br>
                      <pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                    </blockquote>
                    <br>
                  </div>
                  _______________________________________________<br>
                  keycloak-user mailing list<br>
                  <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                  <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </div></blockquote></div>