[jboss-as7-dev] How hard would it be to support key based auth by default to make life simpler and more secure ?

Pete Muir pmuir at redhat.com
Mon Nov 14 06:31:47 EST 2011


I'm not sure it is. If AS7 came with a script that could set up a username/password with a key, and also record that key locally in the user's home directory, which IDEs, maven, forge etc. can pick up, that is a 3 step operation (1 step to run the script, 1 to enter username, 1 to enter a password). We can improve on this by assuming the username is the username of the logged in user, and the key to use is their .ssh key if it exists. This then becomes a 1 step operation for Linux users, probably still 2 steps for Windows users.

Stuff then "just works" from then on, and we can take advantage of all the usual goodies like Mac Keychain, or whatever the equivalent is on Linux / Windows for storing passwords and unlocking keys.

To make a locked down AS as usable for newbies as without the lockdown is quite a lot of extra work I guess for the security system, as I just don't think username/password cuts it.

And David yes, we have EAP requirements for usability :-p

On 13 Nov 2011, at 22:15, Jason Greene wrote:

> 
> 
> Sent from my iPhone
> 
> On Nov 13, 2011, at 1:09 PM, "David M. Lloyd" <david.lloyd at redhat.com> wrote:
> 
>> On 11/13/2011 12:49 PM, Max Rydahl Andersen wrote:
>>> Hi,
>>> 
>>> Been thinking about the new username/password requirements.
>>> 
>>> These will make all examples that use the maven deploy plugin, cli scripts, arquillian, jboss tools etc. somehow
>>> either tell users to type in their username and full password in clear text in pom.xml and other files.
>>> 
>>> Which sounds worse to me than a default locked down to only localhost…but I'm not a security expert :)
>>> 
>>> I was wondering how hard it would be to make the authentication support key based auth by default and we make
>>> the tools use ${user.name} and ${user.home}/.jboss/default.pub and .priv (or some other name) for the public/private keys ?
>> 
>> You would need a key-based SASL authentication mechanism.  There are no 
>> standard ones as of right now.  If you know of a key-based SASL 
>> mechanism that you think we should support, let me know and we'll 
>> evaluate it.
> 
> We would have to do noauth + SSL + trust. I think it's an option worth considering. The big problem though is that we have to have a setup process to generate the certs, which is greater complexity than the user/pass option. We would have to generate a host key pair and a client key pair. 
> 
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
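As an added illustration (not code from the thread or from AS7) of the "noauth + SSL + trust" setup Jason sketches, the script below generates a host key pair and a client key pair, pins each side's certificate in the other side's truststore, and checks that a key pair nobody pinned is rejected. It assumes only that the openssl CLI is on PATH; all file names and the "rogue" identity are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a sketch of the "noauth + SSL +
# trust" setup Jason describes. Generates a host key pair and a client key
# pair as self-signed X.509 certificates, then pins each side's certificate
# in the other side's truststore and checks that a key pair nobody pinned is
# rejected. Assumes the openssl CLI is on PATH; every file name is constructed.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_keypair NAME CN: private key + self-signed cert -> $WORKDIR/NAME.key, NAME.crt
gen_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
    chmod 600 "$WORKDIR/$1.key"    # the private half must stay owner-only
}

# pin STORE NAME: make NAME's certificate one of the certs STORE trusts
pin() {
    cat "$WORKDIR/$2.crt" >> "$WORKDIR/$1.pem"
}

# trusts STORE NAME: succeeds only if NAME's cert verifies against STORE
trusts() {
    openssl verify -CAfile "$WORKDIR/$1.pem" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# One-time setup: the extra step the thread worries about for newbies.
setup_trust() {
    gen_keypair host   "as7-host"
    gen_keypair client "$(id -un)"     # Pete's default: identity of the logged-in user
    gen_keypair rogue  "unpinned"      # a key pair that was never installed anywhere
    : > "$WORKDIR/host_truststore.pem"
    : > "$WORKDIR/client_truststore.pem"
    pin host_truststore   client       # server accepts exactly this client cert
    pin client_truststore host         # client accepts exactly this host cert
}

setup_trust
if trusts host_truststore client;   then echo "host accepts the pinned client cert"; fi
if trusts client_truststore host;   then echo "client accepts the pinned host cert"; fi
if trusts host_truststore rogue;    then echo "BUG: unpinned cert accepted"; exit 1
else echo "host rejects the unpinned cert"; fi
```

The point of the demo is that trust is explicit and per-certificate: a client cert that was never pinned fails verification even though it is a perfectly valid self-signed cert, which is what replaces the password check in this model. The private keys are written mode 600, which is the part of the setup that tools like maven and the IDE would then read instead of a clear-text password in pom.xml.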
