<div dir="ltr">I think the Jira created by Stian pretty much fixes the problem. Nope?<div><br></div><div>Something like:</div><div><br></div><div>./add-user-keycloak.sh -u user</div><div>Password: ******</div><div><br></div><div>Or </div><div><br></div><div>./add-user-keycloak.sh</div><div>Username: joe</div><div>Password: ******</div><div><br></div><div>If this can&#39;t fix the issue, it is also possible to disable bash_history temporarily. But I wouldn&#39;t take this route, because this is pretty much a system administration responsibility.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Feb 18, 2016 at 11:47 AM Stan Silvert &lt;<a href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <div>On 2/18/2016 2:15 AM, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 17 February 2016 at 17:09,
            Aikeaguinea <span dir="ltr">&lt;<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It
              seems the add-user.sh  script for changing the admin
              password only<br>
              accepts the password as a -p command-line parameter. This
              would expose<br>
              the password in the command history, so I&#39;d prefer not to
              use the<br>
              command in its current form.<br>
            </blockquote>
            <div><br>
            </div>
            <div>That&#39;s a mistake; we&#39;ll fix that. If not specified it
              should prompt for it. Added <a href="https://issues.jboss.org/browse/KEYCLOAK-2501" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
          </div>
        </div>
      </div>
    </blockquote></div><div text="#000000" bgcolor="#FFFFFF">
    After attending several security talks the last couple of days, I&#39;ve
    become rather sensitized to this kind of issue.  I feel quite
    strongly that we should never allow the password to be written to
    history in plain text.   I&#39;m also afraid it could cause us to flunk
    government certifications.<br>
    <br>
    On Windows, this really isn&#39;t a problem because command history is
    not saved.  After a CMD session ends, the history is lost (unless
    you install some third-party tool).<br>
    <br>
    Perhaps there is a way to temporarily disable logging of command
    history in the add-user-keycloak.sh?</div><div text="#000000" bgcolor="#FFFFFF"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
              Is there another way to do this?<br>
              <br>
              The situation is even more complicated with Docker, since
              running the<br>
              script to change the Wildfly admin password requires
              restarting the<br>
              server, which shuts down the container. If you have an
              autoscaling<br>
              group, the container that gets brought up is not the
              container where you<br>
              changed the password, but instead the original container.
              This seems to<br>
              mean that the only way to have Keycloak run in Dockers in
              an autoscaling<br>
              group is to bake the admin passwords into the Docker image
              beforehand.<br>
              This isn&#39;t ideal; less so if the only way to add those
              passwords during<br>
              build time is to run the shell script that exposes the
              password on the<br>
              command line.<br>
            </blockquote>
            <div><br>
            </div>
            <div>You need to set the password once for your database.
              This can be done prior to accessing the admin console the
              first time. Take a look at <a href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md" target="_blank">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
              you can use docker exec to do this.</div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font color="#888888"><br>
                  _______________________________________________<br>
                  keycloak-user mailing list<br>
                  <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                  <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                </font></span></blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div>
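<div>The prompt-based interface sketched in the reply at the top of this message, as an added example that is not from the thread or from Keycloak's own script. The function name <code>collect_credentials</code> and the variables <code>KC_USER</code> and <code>KC_PASS</code> are hypothetical; the password is taken from a no-echo prompt or from stdin, never from argv.</div>

```shell
#!/bin/sh
# Added example: hypothetical helper, not Keycloak's add-user-keycloak.sh.
# The password never appears in argv, so it is not written to shell
# history and is not visible in the process list.

collect_credentials() {
    KC_USER=""
    KC_PASS=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) [ $# -ge 2 ] || { echo "-u needs a value" >&2; return 2; }
                KC_USER=$2; shift 2 ;;
            -p) echo "refusing -p: a password on the command line is saved in history" >&2
                return 2 ;;
            *)  echo "unknown option: $1" >&2; return 2 ;;
        esac
    done

    # Ask for the username only when -u was not given.
    if [ -z "$KC_USER" ]; then
        [ -t 0 ] && printf 'Username: ' >&2
        IFS= read -r KC_USER || return 1
    fi

    if [ -t 0 ]; then
        # Interactive: switch terminal echo off while the password is typed
        # and restore the terminal even if the user interrupts.
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' EXIT INT TERM
        stty -echo
        printf 'Password: ' >&2
        rc=0
        IFS= read -r KC_PASS || rc=$?
        stty "$saved_tty"; trap - EXIT INT TERM
        printf '\n' >&2
        [ "$rc" -eq 0 ] || return 1
    else
        # Non-interactive (for example an image build): one line from stdin.
        IFS= read -r KC_PASS || return 1
    fi

    [ -n "$KC_USER" ] && [ -n "$KC_PASS" ] || { echo "empty username or password" >&2; return 1; }
}
```

<div>In a non-interactive build the password line can be redirected into the function from a file, which keeps it out of both the command history and the command line.</div>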