[keycloak-user] Securely setting admin passwords

Aikeaguinea aikeaguinea at xsmail.com
Tue Feb 23 09:24:42 EST 2016 

I'd be happy with KEYCLOAK-2501 (accepting the password on the command
line). Then the docker exec approach wouldn't expose the password; this
is essentially the approach I started with before I ran into the issue
with the -p switch. (It would be equally desirable to have the same
change for add-user --container for the Wildfly password; should I open
a JIRA with Wildfly about this, or would the implementation of
KEYCLOAK-2501 require the corresponding modification in Wildfly anyway?)

Mounting the file via volume was something we looked into. We're setting
things up in Amazon's Elastic Container Service, which uses autoscaling
groups to bring up new instances automatically (though we don't think
we'll really need that aspect of it all that much). My recollection is
that the setup involved didn't seem worth the trouble because our Docker
image is in a secure repository anyway. If we have to store the file
someplace, might as well just copy it into the container and keep it in
the image; at least that was the thinking. For people who put their
images on a public registry this wouldn't be a good solution.


From: <keycloak-user-bounces at lists.jboss.org> on behalf of Marek Posolda
<mposolda at redhat.com>
Date: Tuesday, February 23, 2016 at 4:37 AM
To: "stian at redhat.com" <stian at redhat.com>, Aikeaguinea
<aikeaguinea at xsmail.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Securely setting admin passwords

Another possibility is to share the file keycloak-user.json with docker
via volume. Then it's not hardcoded into the Docker image. The
entrypoint script can check if the file shared through volume exists and
copy it to standalone/configuration in that case.

Marek

On 23/02/16 10:10, Stian Thorgersen wrote:


On 22 February 2016 at 16:10, Aikeaguinea <aikeaguinea at xsmail.com>
wrote:
With regard to Docker, things get more complicated. I believe it's not
just the bash history but the Docker history itself that stores the
commands. 

What about "docker exec" approach? We've fixed it in 1.9.0.Final so that
it'll now prompt for a password if one isn't specified.
 
 
Also, per one of the messages earlier on this chain, it is not advised
to put secrets into Docker environment variables. These are accessible
in many different ways.
 
From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stan Silvert
<ssilvert at redhat.com>
Date: Thursday, February 18, 2016 at 12:26 PM
To: "stian at redhat.com" <stian at redhat.com>
Cc: Stian Thorgersen <sthorger at redhat.com>, keycloak-user
<keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Securely setting admin passwords
 
On 2/18/2016 12:14 PM, Stian Thorgersen wrote:
It's security vs usability as usual. Allowing passing the password
directly is convenient for developers, for Docker image, for
provisioning tools, etc.. So we're not going to remove that it's
required, but I do appreciate that if not used correctly it's a
potential security risk. The worst case scenario here is really that
someone gets an admins favorite password, as someone that has access to
getting the bash history of that particular user will also be able to
run the add-user script themselves. So if the admin wants to print his
favorite password in clear text in the bash history we should not stop
him. 
 
It's not our responsibility to clear the bash history, so we should not
do that either. 
If there is a way to stop that one command from being saved in the bash
history then we should do it.  
 
At the very least, we should print a warning message to let the
administrator know he has done something that is potentially insecure.
 
 
On 18 February 2016 at 16:53, Bruno Oliveira <bruno at abstractj.org>
wrote:
It's about balance. I'm not arguing here against it, I just don't see
how it could strengthen security. Nothing will stop people to get their
own gun and automate it with stdin :)
 
On Thu, Feb 18, 2016 at 12:45 PM Stan Silvert <ssilvert at redhat.com>
wrote:
On 2/18/2016 9:29 AM, Bruno Oliveira wrote:
I can be wrong, but this is not only our responsibility. For example, on
Linux you are prompted for the password with passwd, but at the same
time you could circumvent this using: echo 12345678 | sudo passwd admin
--stdin.
 
In this scenario security auditors won't blame the OS for this, but
pretty much sysadmins and bad security practices. Anyways, whatever
people think is the best, I'm fine.
I agree with you there.  In that case you are doing something extra to
shoot yourself in the foot.  We can't guard against that.
 
We just shouldn't put the gun in your hand.
 
 
On Thu, Feb 18, 2016 at 12:18 PM Stan Silvert <ssilvert at redhat.com>
wrote:
On 2/18/2016 9:10 AM, Bruno Oliveira wrote:
I think the Jira created by Stian pretty much fixes the problem. Nope?
Stian's JIRA says that if it is not specified on the command line then
do the prompt.  But if we still allow setting it from the command line
then the password can still be saved to the log in plain text.  Security
auditors will always frown on that.
 
So I'm saying we should either disallow setting on the command line or
somehow disable saving to the log.  We shouldn't rely on an
administrator to do the right thing.
 
 
 
Something like:
 
./add-user-keycloak.sh -u user
Password: ******
 
Or 
 
./add-user-keycloak-sh
Username: joe
Password: ******
 
If this can't fix the issue, is also possible to disable bash_history
temporarily. But I wouldn't take this route, because this is pretty much
system administration responsibility.
 
 
On Thu, Feb 18, 2016 at 11:47 AM Stan Silvert <ssilvert at redhat.com>
wrote:
On 2/18/2016 2:15 AM, Stian Thorgersen wrote:
 
 
On 17 February 2016 at 17:09, Aikeaguinea <aikeaguinea at xsmail.com>
wrote:
It seems the add-user.sh  script for changing the admin password only
accepts the password as a -p command-line parameter. This would expose
the password in the command history, so I'd prefer not to use the
command in its current form.
 
That's a mistake we'll fix that. If not specified it should prompt for
it. Added https://issues.jboss.org/browse/KEYCLOAK-2501
After attending several security talks the last couple of days, I've
become rather sensitized to this kind of issue.  I feel quite strongly
that we should never allow the password to be written to history in
plain text.   I'm also afraid it could cause us to flunk government
certifications.
 
On Windows, this really isn't a problem because command history is not
saved.  After a CMD session ends, the history is lost (unless you
install some third-party tool).
 
Perhaps there is a way to temporarily disable logging of command history
in the add-user-keycloak.sh?
 
 
 
 
Is there another way to do this?
 
The situation is even more complicated with Docker, since running the
script to change the Wildfly admin password requires restarting the
server, which shuts down the container. If you have an autoscaling
group, the container that gets brought up is not the container where you
changed the password, but instead the original container. This seems to
mean that the only way to have Keycloak run in Dockers in an autoscaling
group is to bake the admin passwords into the Docker image beforehand.
This isn't ideal; less so if the only way to add those passwords during
build time is to run the shell script that exposes the password on the
command line.
 
You need to set the password once for your database. This can be done
prior to accessing the admin console the first time. Take a look at
https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md,
you can use docker exec to do this.
 

-- 
http://www.fastmail.com - Faster than the air-speed velocity of an
                          unladen european swallow

More information about the keycloak-user mailing list