<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/18/2016 12:14 PM, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div dir="ltr">It's security vs usability as usual. Allowing
passing the password directly is convenient for developers, for
Docker images, for provisioning tools, etc. So we're not going
to remove that; it's required. But I do appreciate that if not
used correctly it's a potential security risk. The worst case
scenario here is really that someone gets an admin's favorite
password, as someone that has access to getting the bash history
of that particular user will also be able to run the add-user
script themselves. So if the admin wants to print his favorite
password in clear text in the bash history we should not stop
him.
<div><br>
</div>
<div>It's not our responsibility to clear the bash history, so
we should not do that either. <br>
</div>
</div>
</blockquote>
If there is a way to stop that one command from being saved in the
bash history then we should do it. <br>
<br>
At the very least, we should print a warning message to let the
administrator know he has done something that is potentially
insecure.<br>
<br>
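The prompt-if-absent behaviour discussed in this thread, as an added example written for this page (it is not Keycloak's add-user-keycloak.sh; the function names resolve_password and read_password are hypothetical): the password is read from a terminal prompt with echo off, or from stdin when piped, and a -p argument produces the warning proposed above.<br>

```shell
#!/bin/sh
# Added example for this thread, not Keycloak's add-user-keycloak.sh.
# Function names (resolve_password, read_password) are hypothetical.

# Read the password without it ever appearing in argv. On a terminal, prompt
# with echo turned off; otherwise read one line from stdin so provisioning
# tools and Docker builds can pipe it in instead of passing -p.
read_password() {
  if [ -t 0 ]; then
    printf 'Password: ' >/dev/tty
    # Restore echo even if the user hits Ctrl-C mid-prompt.
    trap 'stty echo </dev/tty' INT
    stty -echo </dev/tty
    IFS= read -r pw </dev/tty
    stty echo </dev/tty
    trap - INT
    printf '\n' >/dev/tty
  else
    IFS= read -r pw
  fi
  printf '%s\n' "$pw"
}

# Parse "-u USER [-p PASSWORD]" like the script in the thread, but treat -p
# as the discouraged path: warn on stderr, and use the prompt/stdin path
# whenever -p is absent. Prints the resolved password on stdout.
resolve_password() {
  OPTIND=1
  user=""
  pw=""
  while getopts 'u:p:' opt; do
    case "$opt" in
      u) user="$OPTARG" ;;
      p) pw="$OPTARG" ;;
      *) return 2 ;;
    esac
  done
  if [ -z "$user" ]; then
    echo "usage: $0 -u USER [-p PASSWORD]" >&2
    return 2
  fi
  if [ -n "$pw" ]; then
    echo "WARNING: a password given with -p is recorded in shell history" \
         "and visible in process listings; omit -p to be prompted instead" >&2
  else
    pw=$(read_password) || return 1
  fi
  printf '%s\n' "$pw"
}
```

A script only controls what it receives on argv and stdin; the calling shell writes its own history, so prompting (or piping) is what keeps the password out of it regardless of the user's history settings.<br>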
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 February 2016 at 16:53, Bruno
Oliveira <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">It's about balance. I'm not arguing here
against it, I just don't see how it could strengthen
security. Nothing will stop people from getting their own gun
and automating it with stdin :)</div>
<div class="HOEnZb">
<div class="h5"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at 12:45 PM Stan
Silvert <<a moz-do-not-send="true"
href="mailto:ssilvert@redhat.com" target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>On 2/18/2016 9:29 AM, Bruno Oliveira wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I can be wrong, but this is not
only our responsibility. For example, on Linux
you are prompted for the password with passwd,
but at the same time you could circumvent this
using: echo 12345678 | sudo passwd admin
--stdin.
<div><br>
</div>
<div>In this scenario security auditors won't
blame the OS for this, but pretty much
sysadmins and bad security practices.
Anyways, whatever people think is the best,
I'm fine.</div>
</div>
</blockquote>
</div>
<div text="#000000" bgcolor="#FFFFFF"> I agree with
you there. In that case you are doing something
extra to shoot yourself in the foot. We can't
guard against that.<br>
<br>
We just shouldn't put the gun in your hand.</div>
<div text="#000000" bgcolor="#FFFFFF"><br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at 12:18
PM Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>On 2/18/2016 9:10 AM, Bruno Oliveira
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I think the Jira created
by Stian pretty much fixes the
problem. Nope?</div>
</blockquote>
</div>
<div text="#000000" bgcolor="#FFFFFF">
Stian's JIRA says that if it is not
specified on the command line then do the
prompt. But if we still allow setting it
from the command line then the password
can still be saved to the log in plain
text. Security auditors will always frown
on that.<br>
<br>
So I'm saying we should either disallow
setting on the command line or somehow
disable saving to the log. We shouldn't
rely on an administrator to do the right
thing.</div>
<div text="#000000" bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Something like:</div>
<div><br>
</div>
<div>./add-user-keycloak.sh -u user</div>
<div>Password: ******</div>
<div><br>
</div>
<div>Or </div>
<div><br>
</div>
<div>./add-user-keycloak-sh</div>
<div>Username: joe</div>
<div>Password: ******</div>
<div><br>
</div>
<div>If this can't fix the issue, it is
also possible to disable
bash_history temporarily. But I
wouldn't take this route, because
this is pretty much a system
administration responsibility.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at
11:47 AM Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>On 2/18/2016 2:15 AM, Stian
Thorgersen wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
17 February 2016 at 17:09,
Aikeaguinea <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It
seems the add-user.sh
script for changing the
admin password only<br>
accepts the password as
a -p command-line
parameter. This would
expose<br>
the password in the
command history, so I'd
prefer not to use the<br>
command in its current
form.<br>
</blockquote>
<div><br>
</div>
<div>That's a mistake, we'll fix that. If not
specified it should
prompt for it. Added <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2501" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2501</a></div>
</div>
</div>
</div>
</blockquote>
</div>
<div text="#000000"
bgcolor="#FFFFFF"> After attending
several security talks the last
couple of days, I've become rather
sensitized to this kind of issue.
I feel quite strongly that we
should never allow the password to
be written to history in plain
text. I'm also afraid it could
cause us to flunk government
certifications.<br>
<br>
On Windows, this really isn't a
problem because command history is
not saved. After a CMD session
ends, the history is lost (unless
you install some third-party
tool).<br>
<br>
Perhaps there is a way to
temporarily disable logging of
command history in the
add-user-keycloak.sh?</div>
<div text="#000000"
bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
Is there another way to
do this?<br>
<br>
The situation is even
more complicated with
Docker, since running
the<br>
script to change the
Wildfly admin password
requires restarting the<br>
server, which shuts down
the container. If you
have an autoscaling<br>
group, the container
that gets brought up is
not the container where
you<br>
changed the password,
but instead the original
container. This seems to<br>
mean that the only way
to have Keycloak run in
Dockers in an
autoscaling<br>
group is to bake the
admin passwords into the
Docker image beforehand.<br>
This isn't ideal; less
so if the only way to
add those passwords
during<br>
build time is to run the
shell script that
exposes the password on
the<br>
command line.<br>
</blockquote>
<div><br>
</div>
<div>You need to set the
password once for your
database. This can be
done prior to accessing
the admin console the
first time. Take a look
at <a
moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md"
target="_blank">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a>,
you can use docker exec
to do this.</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><font
color="#888888"><br>
--<br>
<a
moz-do-not-send="true"
href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a>
- Access your email
from home and the
web<br>
<br>
_______________________________________________<br>
keycloak-user
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a
moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
rel="noreferrer"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>