badfish accepts secrets as command line arguments

[stephane-chazelas]

badfish currently takes secrets via command line arguments.

That includes the argument to the -p, --new-password, --old-password options at least (-p being a required option).

On most systems, command line arguments are public information and expected to be. They show in the output of ps or equivalent, end up in shell history files or audit logs (often forwarded to other systems), etc.

Passing secrets on the command line is very poor security practice.

AFAICT, badfish currently doesn't provide any safe alternative way to pass authentication credentials.

Safer and relatively portable ways to pass credentials include environment variables (like sshpass -e, openssl's -pass env:var), files (like the -pass file:path of openssl things like .netrc or curl/mysql conf files) or file descriptors (such as stdin or openssl's -pass fd:n), env vars being the easiest.

As a work around, for now, one can redefine badfish as:

#! /path/to/badfish-venv/bin/python3 --
import sys, os
from badfish.main import main
sys.argv += ['-u', os.getenv('BADFISH_USER'), '-p', os.getenv('BADFISH_PASSWORD')]
sys.exit(main())

But it would be much better if badfish itself provided with better ways to pass credentials and make it clear that -p (and other options that take secrets) is unsafe and should not be used.

[sadsfae]

We'll discuss this. Badfish shouldn't be used on untrusted systems or public systems where you think someone would be snooping in bash history or otherwise do malicious activity. Having at the least a configuration file to source variables and awareness of when -p is passed to hide the value would indeed be an improvement.

Passing secrets on the command line is very poor security practice.

Yes and no, but mostly yes. ipmitool for example allows this but it also provides an interactive prompt for password and the ability to specify a configuration file. I think those are good improvements.

[sadsfae]

@stephane-chazelas I've tested this and it works, just needs to be reviewed and merged:

• export BADFISH_USERNAME and BADFISH_PASSWORD as env variables.

https://github.com/redhat-performance/badfish/pull/516/changes#diff-80bef20e268134e7da28716af73215db1e3a4428ba6c29870a9e6a6f1a05bb60

https://github.com/redhat-performance/badfish/pull/516/changes#diff-a3c24f80e6186bef25540b30aef7bcb2d295640495635c42ed3d7691a2b9231d

[stephane-chazelas]

Thanks, I see one can use the BADFISH_USER and BADFISH_PASSWORD env vars to pass authentication credentials safely, but there doesn't seem to be a safe alternative to --old-password OLD_PASSWORD and --new-password NEW_PASSWORD.

38cc4e0 which was taking care of that seems to have been reverted in 3de528b

[sadsfae]

Thanks, I see one can use the BADFISH_USER and BADFISH_PASSWORD env vars to pass authentication credentials safely, but there doesn't seem to be a safe alternative to --old-password OLD_PASSWORD and --new-password NEW_PASSWORD.

38cc4e0 which was taking care of that seems to have been reverted in 3de528b

Hey @stephane-chazelas we left that out of this implementation. The frequency at which this command-set would likely occur didn't necessitate including it in the patch, which is focused on general auth.

If you find in your usage it's used a lot feel free to send us a patch for it or I can discuss with @grafuls about adding it in a follow-up pull request later. We had to move onto other work that falls into more frequent usage category for now. Having focus on general auth supported by environment variables was more immediately usable and universal.

[sadsfae]

@stephane-chazelas I've opened another issue to track this: #521