[keycloak-dev] Reset admin password
Stian Thorgersen
stian at redhat.com
Tue May 26 02:53:14 EDT 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 22 May, 2015 9:17:42 PM
> Subject: Re: [keycloak-dev] Reset admin password
>
>
>
> On 5/22/2015 12:22 PM, Marek Posolda wrote:
> > On 22.5.2015 17:39, Stan Silvert wrote:
> >> On 5/22/2015 11:25 AM, Marek Posolda wrote:
> >>> On 22.5.2015 14:56, Stian Thorgersen wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Stan Silvert" <ssilvert at redhat.com>
> >>>>> To: keycloak-dev at lists.jboss.org
> >>>>> Sent: Friday, 22 May, 2015 2:46:59 PM
> >>>>> Subject: [keycloak-dev] Reset admin password
> >>>>>
> >>>>> We need a way to reset the admin password in case it is lost or
> >>>>> hijacked. The proposal is to do that through an operation on the
> >>>>> keycloak-server-subsystem that only runs in "offline CLI" mode.
> >>>>>
> >>>>> First, we currently allow you to delete the admin user. Should we
> >>>>> disallow that and make the master admin user permanent?
> >>>> Interesting question - quick answer, not sure!
> >>>>
> >>>> There are all sorts of things that can be deleted that'll currently
> >>>> screw things up royally! For example deleting admin related roles
> >>>> and clients. Created https://issues.jboss.org/browse/KEYCLOAK-1340
> >>>> for this.
> >>> Similar issue pointed some time ago by Petr Mensik from QA team: if
> >>> you change SSO session max lifespan timeout for example to 1 second,
> >>> you are immediately logged out from admin console and you're not able
> >>> to login again (More accurately you are able to login, but you're
> >>> logged out immediately due to session timeout).
> >>>
> >>> There are likely bunch of similar things and not sure if we can
> >>> handle all of them. Question is if these are not just "theoretic"
> >>> issues? I can't remember any user complain on ML that he accidentally
> >>> broke his keycloak DB by delete/configure something strange in admin
> >>> console.
> >>>
> >>> Marek
> >> I think we need to clean these up. You should never be able to do
> >> anything from the UI that renders your system inoperable. It's only
> >> a matter of time before some big customer has a disaster because we
> >> let him do something really stupid.
> > Probably yes. However people can possibly fix it by edit DB directly or
> > recover their DB (assuming big customer will do DB backup).
> >
> > But I agree, we can always be a bit resistent against those issues. And
> > hopefully CLI could help as well to recover from those. I've created
> > https://issues.jboss.org/browse/KEYCLOAK-1341 for 1-second timeout issue.
> >
>
> There's actually better ways to accomplish this:
> a) credential reset via email
> b) credential reset via SMS
> c) credential reset via "what is your mother's maiden name"
> d) one or more of the above.
We already have a and b, but those require email and sms to be configured. By the way have you seen http://googleonlinesecurity.blogspot.no/2015/05/new-research-some-tough-questions-for.html - apparently security questions are rubbish ;)
>
> As Marek said, worst case workaround is to write the database record
> directly. This whole talk of adding a reset password to CLI makes me
> very nervous as then our security is only as good as Wildfly's CLI security.
It's a pretty tough job to reset a password by writing directly to the db, especially as the password needs to be hashed.
IMO we just need to make sure the user is local to the box for these operations. Only accessible in offline + locale use of cli.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list