<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'm too lazy to read this entire thread, sorry if somebody already
suggested this, but can't you<br>
<br>
1) Create a minimal realm in your local environment and export the
realm to json.<br>
2) Import this json in your Docker script?<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 2/22/2016 10:10 AM, Aikeaguinea
wrote:<br>
</div>
<blockquote
cite="mid:1456153831.1343667.528300426.5376354D@webmail.messagingengine.com"
type="cite">
<title></title>
<div>With regard to Docker, things get more complicated. I believe
it's not just the bash history but the Docker history itself
that stores the commands. <br>
</div>
<div> </div>
<div>Also, per one of the messages earlier on this chain, it is
not advised to put secrets into Docker environment variables.
These are accessible in many different ways.<br>
</div>
<div> </div>
<div><span class="colour" style="color:rgb(0, 0, 0)"><span
class="font" style="font-family:Calibri, sans-serif"><span
class="size" style="font-size:14px">
<div>
<div><b>From: </b><<a moz-do-not-send="true"
href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a>>
on behalf of Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>><br>
</div>
<div><b>Date: </b>Thursday, February 18, 2016 at 12:26
PM<br>
</div>
<div><b>To: </b>"<a moz-do-not-send="true"
href="mailto:stian@redhat.com">stian@redhat.com</a>"
<<a moz-do-not-send="true"
href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
</div>
<div><b>Cc: </b>Stian Thorgersen <<a
moz-do-not-send="true"
href="mailto:sthorger@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:sthorger@redhat.com">sthorger@redhat.com</a></a>>,
keycloak-user <<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
</div>
<div><b>Subject: </b>Re: [keycloak-user] Securely
setting admin passwords<br>
</div>
</div>
<div> </div>
<div>
<div defang_text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/18/2016 12:14 PM,
Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>It's security vs usability as usual. Allowing passing the password
directly is convenient for developers, for Docker images, for provisioning
tools, etc. So we're not going to remove that it's required, but I do
appreciate that if not used correctly it's a potential security risk. The
worst case scenario here is really that someone gets an admin's favorite
password, as someone that has access to getting the bash history of that
particular user will also be able to run the add-user script themselves. So
if the admin wants to print his favorite password in clear text in the bash
history we should not stop him. <br>
</div>
<div> </div>
<div>It's not our responsibility to clear the bash
history, so we should not do that either. <br>
</div>
</div>
</blockquote>
<div>If there is a way to stop that one command from
being saved in the bash history then we should do
it. <br>
</div>
<div> </div>
<div>At the very least, we should print a warning
message to let the administrator know he has done
something that is potentially insecure.<br>
</div>
<div> </div>
<blockquote
cite="mid:CAJgngAdHFL7jZegfB7uCuzyD3zrBqhDO1BgkGxDw=7S9e2mn1Q@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div> </div>
<div class="gmail_quote">
<div>On 18 February 2016 at 16:53, Bruno
Oliveira <span dir="ltr"><<a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="mailto:bruno@abstractj.org"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:bruno@abstractj.org">bruno@abstractj.org</a></a>></span> wrote:<br>
</div>
<blockquote class="gmail_quote">
<div dir="ltr">It's about balance. I'm not arguing here against it, I just
don't see how it could strengthen security. Nothing will stop people from
getting their own gun and automating it with stdin :)<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div> </div>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18, 2016 at
12:45 PM Stan Silvert <<a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>>
wrote:<br>
</div>
<blockquote class="gmail_quote">
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div>On 2/18/2016 9:29 AM, Bruno
Oliveira wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I can be wrong, but this is
not only our responsibility.
For example, on Linux you are
prompted for the password with
passwd, but at the same time
you could circumvent this
using: echo 12345678 | sudo
passwd admin --stdin.<br>
</div>
<div> </div>
<div>In this scenario security
auditors won't blame the OS
for this, but pretty much
sysadmins and bad security
practices. Anyways, whatever
people think is the best, I'm
fine.<br>
</div>
</div>
</blockquote>
</div>
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div>I agree with you there. In
that case you are doing something
extra to shoot yourself in the
foot. We can't guard against
that.<br>
</div>
<div> </div>
<div>We just shouldn't put the gun
in your hand.<br>
</div>
</div>
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div> </div>
<blockquote type="cite">
<div> </div>
<div class="gmail_quote">
<div dir="ltr">On Thu, Feb 18,
2016 at 12:18 PM Stan Silvert
<<a moz-do-not-send="true"
defang_moz-do-not-send="true" href="mailto:ssilvert@redhat.com"
target="_blank">ssilvert@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote">
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div>On 2/18/2016 9:10 AM,
Bruno Oliveira wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I think the
Jira created by Stian
pretty much fixes the
problem. Nope?<br>
</div>
</blockquote>
</div>
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div>Stian's JIRA says that if it is not specified on the command line
then do the prompt. But if we still allow setting it from the command
line then the password can still be saved to the log in plain text.
Security auditors will always frown on that.<br>
</div>
<div> </div>
<div>So I'm saying we should either disallow setting on the command line
or somehow disable saving to the log. We shouldn't rely on an
administrator to do the right thing.<br>
</div>
</div>
<div defang_text="#000000"
bgcolor="#FFFFFF">
<div> </div>
<div> </div>
<blockquote type="cite">
<div dir="ltr">
<div> </div>
<div>Something like:<br>
</div>
<div> </div>
<div>./add-user-keycloak.sh
-u user<br>
</div>
<div>Password: ******<br>
</div>
<div> </div>
<div>Or <br>
</div>
<div> </div>
<div>./add-user-keycloak.sh<br>
</div>
<div>Username: joe<br>
</div>
<div>Password: ******<br>
</div>
<div> </div>
<div>If this can't fix the issue, it is also possible to disable
bash_history temporarily. But I wouldn't take this route, because this
is pretty much a system administration responsibility.<br>
</div>
<div> </div>
</div>
<div> </div>
<div class="gmail_quote">
<div dir="ltr">On Thu,
Feb 18, 2016 at 11:47
AM Stan Silvert <<a
moz-do-not-send="true" defang_moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>>
wrote:<br>
</div>
<blockquote
class="gmail_quote">
<div
defang_text="#000000"
bgcolor="#FFFFFF">
<div>On 2/18/2016
2:15 AM, Stian
Thorgersen wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div> </div>
<div
class="gmail_extra">
<div> </div>
<div
class="gmail_quote">
<div>On 17
February 2016
at 17:09,
Aikeaguinea <span
dir="ltr"><<a
moz-do-not-send="true" defang_moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a></a>></span> wrote:<br>
</div>
<blockquote
class="gmail_quote">
<div>It seems the add-user.sh script for changing the admin password only<br>
</div>
<div>accepts the password as a -p command-line parameter. This would expose<br>
</div>
<div>the password in the command history, so I'd prefer not to use the<br>
</div>
<div>command in its current form.<br>
</div>
</blockquote>
<div> </div>
<div>That's a mistake, we'll fix that. If not specified it should prompt
for it.
Added <a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2501"
target="_blank"><a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2501">https://issues.jboss.org/browse/KEYCLOAK-2501</a></a><br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div
defang_text="#000000"
bgcolor="#FFFFFF">
<div>After attending several security talks the last couple of days, I've
become rather sensitized to this kind of issue. I feel quite strongly
that we should never allow the password to be written to history in
plain text. I'm also afraid it could cause us to flunk government
certifications.<br>
</div>
<div> </div>
<div>On Windows, this really isn't a problem because command history is
not saved. After a CMD session ends, the history is lost (unless you
install some third-party tool).<br>
</div>
<div> </div>
<div>Perhaps there is a way to temporarily disable logging of command
history in the add-user-keycloak.sh?<br>
</div>
</div>
<div
defang_text="#000000"
bgcolor="#FFFFFF">
<div> </div>
<div> </div>
<blockquote
type="cite">
<div dir="ltr">
<div
class="gmail_extra">
<div
class="gmail_quote">
<div> </div>
<blockquote
class="gmail_quote">
<div> </div>
<div>Is there another way to do this?<br>
</div>
<div> </div>
<div>The situation is even more complicated with Docker, since running the<br>
</div>
<div>script to change the Wildfly admin password requires restarting the<br>
</div>
<div>server, which shuts down the container. If you have an autoscaling<br>
</div>
<div>group, the container that gets brought up is not the container where you<br>
</div>
<div>changed the password, but instead the original container. This seems to<br>
</div>
<div>mean that the only way to have Keycloak run in Docker in an autoscaling<br>
</div>
<div>group is to bake the admin passwords into the Docker image beforehand.<br>
</div>
<div>This isn't ideal; less so if the only way to add those passwords during<br>
</div>
<div>build time is to run the shell script that exposes the password on the<br>
</div>
<div>command line.<br>
</div>
</blockquote>
<div> </div>
<div>You need to set the password once for your database. This can be done
prior to accessing the admin console the first time. Take a look at <a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md"
target="_blank"><a class="moz-txt-link-freetext" href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a></a>,
you can use docker exec to do this.<br>
</div>
<div> </div>
<blockquote
class="gmail_quote"><span
class="colour"
style="color:#888888"><br>
--<br>
<a
moz-do-not-send="true"
defang_moz-do-not-send="true" href="http://www.fastmail.com/"
defang_rel="noreferrer"
target="_blank"><a class="moz-txt-link-freetext" href="http://www.fastmail.com">http://www.fastmail.com</a></a> - Access your email from
home and the
web<br>
<br>
_______________________________________________<br>
keycloak-user
mailing list<br>
<a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></a><br>
<a
moz-do-not-send="true"
defang_moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-user"
defang_rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></a></span></blockquote>
</div>
<div> </div>
</div>
</div>
<div> </div>
<div> </div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</div>
</div>
<div> </div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</span></span></span></div>
<br>
<div> </div>
<pre>--
<a class="moz-txt-link-freetext" href="http://www.fastmail.com">http://www.fastmail.com</a> - Choose from over 50 domains or use your own
</pre>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
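The pattern the thread argues for, as an added shell example that is not code from the Keycloak project or from any poster: keep the admin password out of the command line (so it never reaches bash history, ps output, or the Docker image history), and audit a history file or Dockerfile for the -p form. ADD_USER_CMD, the stdin behaviour of the add-user script, and the sample history lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the Keycloak project or from this thread.
# Assumption: ADD_USER_CMD names the add-user script and that script reads
# the password from stdin when -p is omitted (the prompting behaviour that
# KEYCLOAK-2501 proposes). Neither is documented behaviour.

# Feed the password from a file (for instance a secret mounted into the
# container) on stdin. It is never an argument, so nothing that records
# command lines (history, ps, Dockerfile RUN layers) can capture it.
add_admin_from_file() {
    user=$1
    secret_file=$2
    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 2; }
    "${ADD_USER_CMD:-./add-user-keycloak.sh}" -u "$user" < "$secret_file"
}

# Audit ~/.bash_history, a Dockerfile, or a `docker history --no-trunc` dump
# for add-user invocations that carry -p. Only file:line is printed, never
# the line itself, so the audit output does not re-leak the password.
# Returns 0 when at least one inline password was found, 1 when clean.
find_inline_passwords() {
    awk '/add-user/ && / -p( |$)/ {
             printf "%s:%d: add-user invoked with -p (password on command line)\n", FILENAME, NR
             found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Stand-alone demo on a constructed history file (run with --demo).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' 'ls -la' './add-user-keycloak.sh -u admin -p hunter2' > "$tmp"
    find_inline_passwords "$tmp"
    rm -f "$tmp"
fi
```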
</body>
</html>