<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/18/2016 12:26 PM, Stan Silvert
wrote:<br>
</div>
<blockquote cite="mid:56C5FEB8.7060509@redhat.com" type="cite">
<div class="moz-cite-prefix">On 2/18/2016 12:14 PM, Stian
Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div dir="ltr">It's security vs usability as usual. Allowing
passing the password directly is convenient for developers,
for Docker images, for provisioning tools, etc. So we're not
going to remove that; it's required. But I do appreciate that
if not used correctly it's a potential security risk. The
worst case scenario here is really that someone gets an admin's
favorite password, as someone who has access to the
bash history of that particular user will also be able to run
the add-user script themselves. </div>
</blockquote>
</blockquote>
BTW, the problem is not necessarily that someone broke in to the
system in question. They might have obtained the history from an
offline backup or some other static reference.<br>
<blockquote cite="mid:56C5FEB8.7060509@redhat.com" type="cite">
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div dir="ltr">So if the admin wants to print his favorite
password in clear text in the bash history we should not stop
him.
<div><br>
</div>
<div>It's not our responsibility to clear the bash history, so
we should not do that either. <br>
</div>
</div>
</blockquote>
If there is a way to stop that one command from being saved in the
bash history then we should do it. <br>
<br>
At the very least, we should print a warning message to let the
administrator know he has done something that is potentially
insecure.<br>
<br>
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 February 2016 at 16:53, Bruno
Oliveira <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">It's about balance. I'm not arguing here
against it, I just don't see how it could strengthen
security. Nothing will stop people from getting their own gun
and automating it with stdin :)</div>
<div class="HOEnZb">
<div class="h5"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at 12:45 PM Stan
Silvert <<a moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>On 2/18/2016 9:29 AM, Bruno Oliveira wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I could be wrong, but this is not
only our responsibility. For example, on
Linux you are prompted for the password with
passwd, but at the same time you could
circumvent this using: echo 12345678 | sudo
passwd admin --stdin.
<div><br>
</div>
<div>In this scenario security auditors
won't blame the OS for this, but pretty
much sysadmins and bad security practices.
Anyways, whatever people think is the
best, I'm fine.</div>
</div>
</blockquote>
</div>
<div text="#000000" bgcolor="#FFFFFF"> I agree
with you there. In that case you are doing
something extra to shoot yourself in the foot.
We can't guard against that.<br>
<br>
We just shouldn't put the gun in your hand.</div>
<div text="#000000" bgcolor="#FFFFFF"><br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at 12:18
PM Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>On 2/18/2016 9:10 AM, Bruno
Oliveira wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I think the Jira
created by Stian pretty much fixes
the problem. Nope?</div>
</blockquote>
</div>
<div text="#000000" bgcolor="#FFFFFF">
Stian's JIRA says that if it is not
specified on the command line then do
the prompt. But if we still allow
setting it from the command line then
the password can still be saved to the
log in plain text. Security auditors
will always frown on that.<br>
<br>
So I'm saying we should either disallow
setting on the command line or somehow
disable saving to the log. We shouldn't
rely on an administrator to do the right
thing.</div>
<div text="#000000" bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Something like:</div>
<div><br>
</div>
<div>./add-user-keycloak.sh -u user</div>
<div>Password: ******</div>
<div><br>
</div>
<div>Or </div>
<div><br>
</div>
<div>./add-user-keycloak.sh</div>
<div>Username: joe</div>
<div>Password: ******</div>
<div><br>
</div>
<div>If this can't fix the issue, it is
also possible to disable
bash_history temporarily. But I
wouldn't take this route, because
this is pretty much a system
administration responsibility.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016
at 11:47 AM Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>On 2/18/2016 2:15 AM, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
17 February 2016 at
17:09, Aikeaguinea <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It
seems the add-user.sh
script for changing
the admin password
only<br>
accepts the password
as a -p command-line
parameter. This would
expose<br>
the password in the
command history, so
I'd prefer not to use
the<br>
command in its current
form.<br>
</blockquote>
<div><br>
</div>
<div>That's a mistake; we'll fix that. If not
specified it should
prompt for it. Added <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2501"
target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
</div>
</div>
</div>
</blockquote>
</div>
<div text="#000000"
bgcolor="#FFFFFF"> After
attending several security talks
the last couple of days, I've
become rather sensitized to this
kind of issue. I feel quite
strongly that we should never
allow the password to be written
to history in plain text. I'm
also afraid it could cause us to
flunk government certifications.<br>
<br>
On Windows, this really isn't a
problem because command history
is not saved. After a CMD
session ends, the history is
lost (unless you install some
third-party tool).<br>
<br>
Perhaps there is a way to
temporarily disable logging of
command history in the
add-user-keycloak.sh?</div>
<div text="#000000"
bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Is there another way
to do this?<br>
<br>
The situation is even
more complicated with
Docker, since running
the<br>
script to change the
Wildfly admin password
requires restarting
the<br>
server, which shuts
down the container. If
you have an
autoscaling<br>
group, the container
that gets brought up
is not the container
where you<br>
changed the password,
but instead the
original container.
This seems to<br>
mean that the only way
to have Keycloak run
in Docker in an
autoscaling<br>
group is to bake the
admin passwords into
the Docker image
beforehand.<br>
This isn't ideal; less
so if the only way to
add those passwords
during<br>
build time is to run
the shell script that
exposes the password
on the<br>
command line.<br>
</blockquote>
<div><br>
</div>
<div>You need to set the
password once for your
database. This can be
done prior to
accessing the admin
console the first
time. Take a look at <a
moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md"
target="_blank">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
you can use docker
exec to do this.</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font color="#888888"><br>
_______________________________________________<br>
keycloak-user
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a
moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</blockquote>
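The prompt-or-stdin intake the thread proposes, as an added example that is not part of this thread or of Keycloak's add-user-keycloak.sh: the secret never appears as an argument, so it is neither recorded in the invoking shell's history nor visible through ps, while a piped stdin still serves Docker and provisioning tooling. Function names and the warning text are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Keycloak's add-user-keycloak.sh. A script cannot delete its
# own command line from the invoking shell's history, so the only reliable fix is
# never to put the secret there. Function names are hypothetical.

# Reads the password (to stdout; fails if empty) without it touching the command line:
#  - stdin is a terminal: prompt with echo disabled
#  - stdin is a pipe/file: read one line, for Docker/provisioning tooling
read_password() {
    local pw=""
    if [ -t 0 ]; then
        printf 'Password: ' >&2
        IFS= read -r -s pw
        printf '\n' >&2
    else
        IFS= read -r pw || true
    fi
    if [ -z "$pw" ]; then
        echo "error: empty password" >&2
        return 1
    fi
    printf '%s' "$pw"
}

# Parses -u USER and, for compatibility, -p PASSWORD into USERNAME, PASSWORD and
# PASSWORD_FROM_ARG. -p still works but is warned about: an argument is recorded
# in shell history and is visible to every local user through ps.
parse_args() {
    USERNAME="" PASSWORD="" PASSWORD_FROM_ARG=0
    while [ $# -gt 0 ]; do
        if [ $# -lt 2 ]; then echo "usage: $0 -u USER [-p PASSWORD]" >&2; return 2; fi
        case "$1" in
            -u) USERNAME="$2" ;;
            -p) PASSWORD="$2"; PASSWORD_FROM_ARG=1
                echo "warning: -p puts the password in shell history and ps output; prefer the prompt or stdin" >&2 ;;
            *)  echo "usage: $0 -u USER [-p PASSWORD]" >&2; return 2 ;;
        esac
        shift 2
    done
    [ -n "$USERNAME" ] || { echo "error: -u USER is required" >&2; return 2; }
}

main() {
    parse_args "$@"
    [ "$PASSWORD_FROM_ARG" -eq 1 ] || PASSWORD="$(read_password)"
    # Hand the secret to the real tool via stdin or a file, never as an argument.
    printf 'would create user %s (password length %d)\n' "$USERNAME" "${#PASSWORD}"
}
# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```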
<br>
</body>
</html>