<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Another possibility is to share the
file keycloak-user.json with docker via volume. Then it's not
hardcoded into the Docker image. The entrypoint script can check
if the file shared through volume exists and copy it to
standalone/configuration in that case.<br>
<br>
Marek<br>
<br>
On 23/02/16 10:10, Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfpNHr5zjc3O+e5V4fQiR=MW=tPn3Fhq9nr8y3wG5FMJw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22 February 2016 at 16:10,
Aikeaguinea <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>With regard to Docker, things get more complicated.
I believe it's not just the bash history but the
Docker history itself that stores the commands. <br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>What about "docker exec" approach? We've fixed it in
1.9.0.Final so that it'll now prompt for a password if one
isn't specified.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div> </div>
<div>Also, per one of the messages earlier on this
chain, it is not advised to put secrets into Docker
environment variables. These are accessible in many
different ways.<br>
</div>
<div> </div>
<div><span style="color:rgb(0,0,0)"><span
style="font-family:Calibri,sans-serif"><span
style="font-size:14px">
<div>
<div><b>From: </b><<a
moz-do-not-send="true"
href="mailto:keycloak-user-bounces@lists.jboss.org"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:keycloak-user-bounces@lists.jboss.org">keycloak-user-bounces@lists.jboss.org</a></a>>
on behalf of Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>><br>
</div>
<div><b>Date: </b>Thursday, February 18, 2016
at 12:26 PM<br>
</div>
<div><b>To: </b>"<a moz-do-not-send="true"
href="mailto:stian@redhat.com"
target="_blank">stian@redhat.com</a>" <<a
moz-do-not-send="true"
href="mailto:stian@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:stian@redhat.com">stian@redhat.com</a></a>><br>
</div>
<div><b>Cc: </b>Stian Thorgersen <<a
moz-do-not-send="true"
href="mailto:sthorger@redhat.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:sthorger@redhat.com">sthorger@redhat.com</a></a>>,
keycloak-user <<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
</div>
<span class="">
<div><b>Subject: </b>Re: [keycloak-user]
Securely setting admin passwords<br>
</div>
</span></div>
<div> </div>
<div>
<div bgcolor="#FFFFFF"><span class="">
<div>On 2/18/2016 12:14 PM, Stian
Thorgersen wrote:<br>
</div>
</span>
<blockquote type="cite">
<div dir="ltr">
<div>It's security vs usability as
usual. Allowing passing the password
directly is convenient for developers,
for Docker image, for provisioning
tools, etc. So we're not going to
remove that it's required, but I do
appreciate that if not used correctly
it's a potential security risk. The
worst-case scenario here is really
that someone gets an admin's favorite
password, as someone that has access
to getting the bash history of that
particular user will also be able to
run the add-user script themselves. So
if the admin wants to print his
favorite password in clear text in the
bash history we should not stop him. <br>
</div>
<div>
<div class="h5">
<div> </div>
<div>It's not our responsibility to
clear the bash history, so we
should not do that either. <br>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div class="h5">
<div>If there is a way to stop that one
command from being saved in the bash
history then we should do it. <br>
</div>
<div> </div>
<div>At the very least, we should print
a warning message to let the
administrator know he has done
something that is potentially
insecure.<br>
</div>
<div> </div>
</div>
</div>
<blockquote type="cite">
<div class="gmail_extra">
<div> </div>
<div class="gmail_quote">
<div>
<div class="h5">
<div>On 18 February 2016 at 16:53,
Bruno Oliveira <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bruno@abstractj.org"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:bruno@abstractj.org">bruno@abstractj.org</a></a>></span> wrote:<br>
</div>
</div>
</div>
<blockquote class="gmail_quote">
<div>
<div class="h5">
<div dir="ltr">It's about
balance. I'm not arguing here
against it, I just don't see
how it could strengthen
security. Nothing will stop
people from getting their own gun
and automating it with stdin :)<br>
</div>
</div>
</div>
<div>
<div>
<div> </div>
<div class="gmail_quote">
<div>
<div class="h5">
<div dir="ltr">On Thu, Feb
18, 2016 at 12:45 PM
Stan Silvert <<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>>
wrote:<br>
</div>
</div>
</div>
<blockquote
class="gmail_quote">
<div>
<div class="h5">
<div bgcolor="#FFFFFF">
<div>On 2/18/2016 9:29
AM, Bruno Oliveira
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div>I can be
wrong, but this
is not only our
responsibility.
For example, on
Linux you are
prompted for the
password with
passwd, but at
the same time
you could
circumvent this
using: echo
12345678 | sudo
passwd admin
--stdin.<br>
</div>
<div> </div>
<div>In this
scenario
security
auditors won't
blame the OS for
this, but pretty
much sysadmins
and bad security
practices.
Anyways,
whatever people
think is the
best, I'm fine.<br>
</div>
</div>
</blockquote>
</div>
<div bgcolor="#FFFFFF">
<div>I agree with you
there. In that case
you are doing
something extra to
shoot yourself in
the foot. We can't
guard against that.<br>
</div>
<div> </div>
<div>We just shouldn't
put the gun in your
hand.<br>
</div>
</div>
</div>
</div>
<div bgcolor="#FFFFFF">
<div> </div>
<blockquote type="cite">
<div> </div>
<div class="gmail_quote">
<div>
<div class="h5">
<div dir="ltr">On
Thu, Feb 18,
2016 at 12:18 PM
Stan Silvert
<<a
moz-do-not-send="true"
href="mailto:ssilvert@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>>
wrote:<br>
</div>
</div>
</div>
<blockquote
class="gmail_quote">
<div>
<div class="h5">
<div
bgcolor="#FFFFFF">
<div>On
2/18/2016 9:10
AM, Bruno
Oliveira
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">I
think the Jira
created by
Stian pretty
much fixes the
problem. Nope?<br>
</div>
</blockquote>
</div>
<div
bgcolor="#FFFFFF">
<div>Stian's
JIRA says that
if it is not
specified on
the command
line then do
the prompt.
But if we
still allow
setting it
from the
command line
then the
password can
still be saved
to the log in
plain text.
Security
auditors will
always frown
on that.<br>
</div>
<div> </div>
<div>So I'm
saying we
should either
disallow
setting on the
command line
or somehow
disable saving
to the log.
We shouldn't
rely on an
administrator
to do the
right thing.<br>
</div>
</div>
</div>
</div>
<div
bgcolor="#FFFFFF">
<div> </div>
<div> </div>
<blockquote
type="cite">
<div>
<div
class="h5">
<div dir="ltr">
<div> </div>
<div>Something
like:<br>
</div>
<div> </div>
<div>./add-user-keycloak.sh
-u user<br>
</div>
<div>Password:
******<br>
</div>
<div> </div>
<div>Or <br>
</div>
<div> </div>
<div>./add-user-keycloak.sh<br>
</div>
<div>Username:
joe<br>
</div>
<div>Password:
******<br>
</div>
<div> </div>
<div>If this
can't fix the
issue, it is also
possible to
disable
bash_history
temporarily.
But I wouldn't
take this
route, because
this is pretty
much system
administration
responsibility.<br>
</div>
<div> </div>
</div>
<div> </div>
</div>
</div>
<div
class="gmail_quote">
<div>
<div
class="h5">
<div dir="ltr">On
Thu, Feb 18,
2016 at 11:47
AM Stan
Silvert <<a
moz-do-not-send="true" href="mailto:ssilvert@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:ssilvert@redhat.com">ssilvert@redhat.com</a></a>>
wrote:<br>
</div>
</div>
</div>
<blockquote
class="gmail_quote">
<div>
<div
class="h5">
<div
bgcolor="#FFFFFF">
<div>On
2/18/2016 2:15
AM, Stian
Thorgersen
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div> </div>
<div
class="gmail_extra">
<div> </div>
<div
class="gmail_quote">
<div>On 17
February 2016
at 17:09,
Aikeaguinea <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:aikeaguinea@xsmail.com"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a></a>></span> wrote:<br>
</div>
<blockquote
class="gmail_quote">
<div>It seems
the
add-user.sh
script for
changing the
admin password
only<br>
</div>
<div>accepts
the password
as a -p
command-line
parameter.
This would
expose<br>
</div>
<div>the
password in
the command
history, so
I'd prefer not
to use the<br>
</div>
<div>command
in its current
form.<br>
</div>
</blockquote>
<div> </div>
<div>That's a
mistake, we'll
fix that. If
not specified
it should
prompt for it.
Added <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2501" target="_blank"><a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2501">https://issues.jboss.org/browse/KEYCLOAK-2501</a></a><br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div
bgcolor="#FFFFFF">
<div>After
attending
several
security talks
the last
couple of
days, I've
become rather
sensitized to
this kind of
issue. I feel
quite strongly
that we should
never allow
the password
to be written
to history in
plain text.
I'm also
afraid it
could cause us
to flunk
government
certifications.<br>
</div>
<div> </div>
<div>On
Windows, this
really isn't a
problem
because
command
history is not
saved. After
a CMD session
ends, the
history is
lost (unless
you install
some
third-party
tool).<br>
</div>
<div> </div>
<div>Perhaps
there is a way
to temporarily
disable
logging of
command
history in the
add-user-keycloak.sh?<br>
</div>
</div>
</div>
</div>
<div
bgcolor="#FFFFFF">
<div> </div>
<div> </div>
<blockquote
type="cite">
<div>
<div
class="h5">
<div dir="ltr">
<div
class="gmail_extra">
<div
class="gmail_quote">
<div> </div>
<blockquote
class="gmail_quote">
<div> </div>
<div>Is there
another way to
do this?<br>
</div>
<div> </div>
<div>The
situation is
even more
complicated
with Docker,
since running
the<br>
</div>
<div>script to
change the
Wildfly admin
password
requires
restarting the<br>
</div>
<div>server,
which shuts
down the
container. If
you have an
autoscaling<br>
</div>
<div>group,
the container
that gets
brought up is
not the
container
where you<br>
</div>
<div>changed
the password,
but instead
the original
container.
This seems to<br>
</div>
<div>mean that
the only way
to have
Keycloak run
in Dockers in
an autoscaling<br>
</div>
<div>group is
to bake the
admin
passwords into
the Docker
image
beforehand.<br>
</div>
<div>This
isn't ideal;
less so if the
only way to
add those
passwords
during<br>
</div>
<div>build
time is to run
the shell
script that
exposes the
password on
the<br>
</div>
<div>command
line.<br>
</div>
</blockquote>
<div> </div>
<div>You need
to set the
password once
for your
database. This
can be done
prior to
accessing the
admin console
the first
time. Take a
look at <a
moz-do-not-send="true"
href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md"
target="_blank"><a class="moz-txt-link-freetext" href="https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md">https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md</a></a>,
you can use
docker exec to
do this.<br>
</div>
<div> </div>
</div>
<div> </div>
</div>
</div>
<div> </div>
<div> </div>
</div>
</div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</blockquote>
<div> </div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<span class="HOEnZb"><font
color="#888888">
</font></span></div>
<span class="HOEnZb"><font color="#888888">
</font></span></blockquote>
</div>
<span class="HOEnZb"><font color="#888888">
</font></span></div>
<span class="HOEnZb"><font color="#888888">
</font></span></span></span></span></div>
<span class="HOEnZb"><font color="#888888">
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
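<p>Marek's suggestion at the top of this thread (mount keycloak-user.json through a volume and let the entrypoint copy it into standalone/configuration at container start), written out as an added example script. It is not code from the thread or from the Keycloak project; the mount point /run/secrets/keycloak-user.json, the install directory /opt/jboss/keycloak and the script name entrypoint.sh are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from this thread or the Keycloak project: an entrypoint
# for Marek's suggestion. keycloak-user.json is mounted through a volume at
# SECRET_FILE (assumed path) and copied into standalone/configuration at
# container start, so the admin password is neither baked into the image,
# nor passed on a command line (no shell/Docker history), nor in an env var.
set -eu

SECRET_FILE="${SECRET_FILE:-/run/secrets/keycloak-user.json}"  # assumed mount point
KEYCLOAK_HOME="${KEYCLOAK_HOME:-/opt/jboss/keycloak}"          # assumed install dir

# install_user_file SRC DEST_DIR: copy SRC to DEST_DIR/keycloak-user.json
# with owner-only permissions. Returns 0 when installed, 1 when SRC is
# absent (nothing to do), 2 when SRC exists but is not a readable file.
install_user_file() {
    src=$1
    dest_dir=$2
    [ -e "$src" ] || return 1
    { [ -f "$src" ] && [ -r "$src" ]; } || return 2
    mkdir -p "$dest_dir"
    # cp, not mv: the volume may be read-only. chmod afterwards so the
    # copy never keeps a permissive mode inherited from the host file.
    cp "$src" "$dest_dir/keycloak-user.json"
    chmod 600 "$dest_dir/keycloak-user.json"
}

# secret_mode_ok FILE: succeeds only if FILE is unreadable by group/others.
secret_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;   # e.g. 600, 400, 700
        *)   return 1 ;;
    esac
}

# entrypoint: install the user file if present, then hand off to the server.
entrypoint() {
    cfg_dir="$KEYCLOAK_HOME/standalone/configuration"
    rc=0
    install_user_file "$SECRET_FILE" "$cfg_dir" || rc=$?
    case "$rc" in
        0) echo "entrypoint: admin user file installed from $SECRET_FILE" >&2 ;;
        1) echo "entrypoint: no $SECRET_FILE mounted, starting without it" >&2 ;;
        *) echo "entrypoint: $SECRET_FILE is not a readable regular file" >&2; exit 1 ;;
    esac
    exec "$KEYCLOAK_HOME/bin/standalone.sh" "$@"
}

# Run only when invoked as the container entrypoint (not when sourced).
if [ "${0##*/}" = "entrypoint.sh" ]; then entrypoint "$@"; fi
```

<p>The copied file is mode 600, so a host file that was accidentally left world-readable on the volume does not stay that way inside the container; secret_mode_ok can be used in a startup check to flag the mounted source as well.</p>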
<br>
</body>
</html>