Hi, Andreas, I second everything Benjamin says.
It’s not a good practice to store passwords in plain text, period. Shiro.ini in particular gets checked into code repositories, and it’s not a good place for passwords to be. Current “good practice” is something called “zero trust”, and just because the system is behind ssh, it doesn’t mean that a threat actor cannot hack into it some other way and get the password. Plain-text passwords just open up more security threats than you can possibly think of.

> On Sep 2, 2024, at 11:38 AM, Andreas Reichel <andr...@manticore-projects.com> wrote:
>
> On Mon, 2024-09-02 at 18:31 +0200, Benjamin Marwell wrote:
>> Hello Andreas!
>>
>> Since current Linux and Unix distributions have environment variables
>> secured from other users nowadays, one way would be to inject them at
>> runtime via ${ENV_VARIABLE_NAME}.
>>
>> A few examples are in our documentation:
>> https://shiro.apache.org/configuration.html
>>
>> Let us know if that works for you.
>
> You Sir are my hero!
> This works perfectly fine for the audit drones because it gets the ball back
> into the client's court:
>
> 1) if they don't want to hard code passwords of those technical user
> accounts, then provide the System properties when starting the Web
> Application (which will be so much fun)
> 2) otherwise accept that the password has to be somewhere and secure your
> server properly against unauthorised access
>
> Btw, those servers holding this shiro.ini files have SSH password only access
> with accounts like "admin/admin" 😄
> What a time to be alive.
>
> Thank you so much for the prompt round turn and cheers!
> Andreas
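To make Benjamin's suggestion concrete, here is an added example (not taken from the thread or from the Shiro project's documentation) of the two shapes a shiro.ini `[main]` section can take. The realm class and the `contextFactory.systemUsername` / `contextFactory.systemPassword` properties are Shiro's own; the LDAP URL, the account name and the environment variable names `LDAP_BIND_USER` and `LDAP_BIND_PASSWORD` are assumptions chosen for the illustration.

```ini
# --- Weak form: the technical account's credentials live in the file, so ---
# --- they end up in version control and on every server the file is copied to. ---
[main]
ldapRealm = org.apache.shiro.realm.ldap.DefaultLdapRealm
ldapRealm.contextFactory.url = ldap://ldap.example.internal:389   ; assumed host
ldapRealm.contextFactory.systemUsername = cn=svc-webapp,ou=system,dc=example,dc=internal   ; assumed account
ldapRealm.contextFactory.systemPassword = s3cr3t-in-plain-text    ; the problem Benjamin and the reply describe

# --- Corrected form: the same keys, but the values are interpolated from ---
# --- environment variables at startup, so the file itself holds no secret. ---
# The variable names below are assumed; set them in the service's environment
# (e.g. the systemd unit or container spec), never in the repository.
[main]
ldapRealm = org.apache.shiro.realm.ldap.DefaultLdapRealm
ldapRealm.contextFactory.url = ldap://ldap.example.internal:389
ldapRealm.contextFactory.systemUsername = ${LDAP_BIND_USER}
ldapRealm.contextFactory.systemPassword = ${LDAP_BIND_PASSWORD}
```

A quick check after switching: grep the repository for the old literal password to confirm no copy remains, and verify the application fails to start when the variables are unset rather than silently binding with an empty password, which is the behaviour you want an audit to see.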