Enthusiastic "yay!" for hashed, salted passwords :o)

Also +1 to enforcing tighter access control for the properties file at runtime. Will require a Windows equivalent, of course, but checking for *00 flags on posix systems is a great start. I expect we want "strict" behaviour only in the launcher, and that unit tests, etc, don't need to care?

As for the --stdin thing for generate-password, I must admit I'm sympathetic to the "don't do that" argument in the links you posted. If stream hacks are required only to test the generator then it's probably no biggie, but making recommendations to end-users that go against the grain of established unix security best practices gives me pause.

A.
--
Alasdair Hodge
Principal Engineer,
Cloudsoft Corporation


On 08/08/2014 15:21, Aled Sage wrote:
Hi all,

We've just fixed "web-console authentication: store hashed passwords in
brooklyn.properties" [1,2].

Instead of storing web-console passwords in plain text in
brooklyn.properties (!), you can now run a command like:

    brooklyn generate-password --user admin


which will prompt for a password, and will generate output like:

    Please add the following to your brooklyn.properies:

    brooklyn.webconsole.security.users=admin
    brooklyn.webconsole.security.user.admin.salt=OHDf
    brooklyn.webconsole.security.user.admin.sha256=91e16f94509fa8e3dd21c43d69cadfd7da6e7384051b18f168390fe378bb36f9


We strongly recommend that folk do this, and remove the plain text
passwords from brooklyn.properties.

---
We also strongly recommend ensuring brooklyn.properties has permissions
600 (i.e. read-write only by user).

Next up is adding a check that brooklyn.properties has these
permissions. If it doesn't, brooklyn will fail to start.

Any comments on that?

---
Lastly and controversially, I've included support for `brooklyn
generate-password --user admin --stdin`.

Without the `--stdin`, it will fail if there is no console. This is the
same behaviour as unix `passwd`.

There is a brilliant discussion at [3,4]. I love the quote "we get
hordes of users asking how they can circumvent 35 years of Unix
security". The `--stdin` is one approach for doing that.

It's also been suggested that we could add support for `--password` to
supply the password at the command line. I'm against that because it
would show up in `ps`, visible to all other users on the machine.

Aled

[1] https://issues.apache.org/jira/browse/BROOKLYN-15
[2] https://github.com/apache/incubator-brooklyn/pull/112
[3] http://stackoverflow.com/a/715681/1393883
[4] http://mywiki.wooledge.org/BashFAQ/078
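
The startup permission check discussed in this thread (fail unless brooklyn.properties is owner-only, i.e. no group or other bits), as an added example that is not code from Brooklyn or from either poster. The class and method names are hypothetical, and on a file system without POSIX permissions (the Windows case raised above) it only warns, which is an assumption rather than anything the thread decided.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical launcher-side check; names are illustrative, not Brooklyn's. */
public class PropertiesPermissionCheck {

    /** True when the file's file system exposes POSIX mode bits (not the case on NTFS). */
    static boolean isPosix(Path file) {
        return file.getFileSystem().supportedFileAttributeViews().contains("posix");
    }

    /** Returns the group/other bits set on the file; empty means it passes the "*00" test. */
    static Set<PosixFilePermission> excessPermissions(Path file) throws IOException {
        Set<PosixFilePermission> excess = EnumSet.noneOf(PosixFilePermission.class);
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (!p.name().startsWith("OWNER_")) {
                excess.add(p);
            }
        }
        return excess;
    }

    /** Strict mode: refuse to continue if anyone but the owner has any access. */
    static void requireOwnerOnly(Path file) throws IOException {
        if (!isPosix(file)) {
            // Assumption: warn and carry on until a Windows ACL check exists.
            System.err.println("WARN: no POSIX permissions here; skipping check for " + file);
            return;
        }
        Set<PosixFilePermission> excess = excessPermissions(file);
        if (!excess.isEmpty()) {
            throw new IllegalStateException(file + " is accessible beyond its owner ("
                    + PosixFilePermissions.toString(excess) + "); run: chmod 600 " + file);
        }
    }

    public static void main(String[] args) throws IOException {
        // With no argument, check a constructed temp file standing in for brooklyn.properties.
        Path file = args.length > 0 ? Paths.get(args[0])
                : Files.createTempFile("brooklyn", ".properties");
        requireOwnerOnly(file);
        System.out.println("Permission check finished for " + file);
    }
}
```

Calling `requireOwnerOnly` only from the launcher keeps the strict behaviour out of unit tests, as suggested in the reply above.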
