rabbitmqctl support for pre-hashed user passwords #9170
Replies: 2 comments
-
Thank you for putting together a detailed proposal. First of all, it is extremely common for all kinds of tools to accept passwords via standard input as one of the options. It is a natural and human-friendly way. Not every design decision is driven by security. For when you need to generate user accounts, there are already at least two options available:
The latter does not require contacting a running cluster node. That's particularly attractive in the case of tools like Puppet, Chef, Salt.
-
I'm spiking support for hash passwords to The code paths around adding users and updating them are some of the oldest there are, so we'll see.
-
Is your feature request related to a problem? Please describe.
The rabbitmqctl subcommands add_user and change_password can accept passwords either from the commandline arguments or from STDIN if the argument is omitted from the commandline. For the purposes of automation like Puppet, Chef, Cloud-Init and even Dockerfiles, both of the options are problematic.
Commandline
It is considered best practice NOT to pass secrets to commands/programs from the commandline. The commandline arguments of programs can often be seen by all users of a system and therefore secrets passed as part of a commandline may be visible to all users. Additionally commandline arguments may be logged or stored in histories and are generally not treated as secret data.
There are ways to mitigate these risks but it would probably be better to just bypass the problem (or at least give users a way to bypass it).
STDIN
In a lot of ways STDIN is better but isn't without flaws. Generally it would be harder for an unprivileged user to gain access to the STDIN of another user's command/program but it still leaves the question of how to get the password into STDIN in the first place. In automation this often leads to things like echo $PASSWORD | somecommand. In this example the argument of echo (THE PASSWORD) is still on the commandline.
Describe the solution you'd like
rabbitmqctl user related sub commands like add_user and change_password should be able to accept pre-hashed passwords.
Add a switch to the add_user and change_password rabbitmqctl subcommands to allow them to accept pre-hashed passwords.
Examples
Note: Here I use the switch -Z as a placeholder as I do not have a strong opinion about the exact switch to use. -h seems logical if you don't mind that -h is sometimes used for "help" also. But there is certainly plenty of precedent for using -h for other things. See: openldap-tools for example. -h is "host".
Check Password
Additionally it would be nice to be able to check that a user's password matches a provided hash. This way configuration management tools like Puppet, Chef and so on, could determine if a user's password hash needs to be updated.
One might be tempted to use the authenticate_user subcommand but I think that might be misleading. We're not trying to authenticate a user, just check that their password hash equals a certain value, as such I think it warrants a separate subcommand.
Proposed check_password subcommand
check_password should read a hash from STDIN or from the command line and then check that hash against the provided user's password hash and report the result via its exit status.
Exit Status
The exit status should unambiguously indicate the result of the check.
Proposed Values
Note: I'm not married to these values, if rabbitmqctl already uses these values for other meanings then it might make sense to use other values. Additionally there might be other scenarios worth addressing like 'user not found' (though that could just be "other")
rabbitmqctl clear_password)
Describe alternatives you've considered
No response
Additional context
No response
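An added example, not part of the original discussion or RabbitMQ's own code: producing and checking a pre-hashed password so that the plaintext never appears in argv, which is the exposure the proposal describes. It assumes the salted SHA-256 format RabbitMQ documents for its default hashing (4-byte salt, base64 of salt followed by digest); the function names and the secret file path are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import sys
from typing import Optional

SALT_LEN = 4  # 32-bit salt; assumes RabbitMQ's documented default SHA-256 scheme
DIGEST_LEN = hashlib.sha256().digest_size


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || SHA-256(salt || UTF-8 password))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def password_matches(password: str, stored_hash: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    A fresh hash of the same password differs because the salt is random,
    so an idempotency check has to reuse the salt held in the stored hash.
    """
    try:
        raw = base64.b64decode(stored_hash, validate=True)
    except ValueError:  # covers binascii.Error and non-ASCII input
        return False
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt, stored_digest = raw[:SALT_LEN], raw[SALT_LEN:]
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, stored_digest)


def read_secret(stream) -> str:
    """Read one secret from a stream (stdin fed by a 0600 file), never from argv."""
    secret = stream.readline().rstrip("\r\n")
    if not secret:
        raise ValueError("empty password")
    return secret


if __name__ == "__main__":
    # Hypothetical usage: python3 hash_pw.py < /path/to/secret-file
    print(hash_password(read_secret(sys.stdin)))
```

Redirecting a file into stdin keeps the secret out of the process list, unlike the echo pipeline quoted in the post.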