Skip to content

core: prompt securely when hashing passwords#24126

Open
dominic-r wants to merge 2 commits into
mainfrom
dominic/hash-password-prompt
Open

core: prompt securely when hashing passwords#24126
dominic-r wants to merge 2 commits into
mainfrom
dominic/hash-password-prompt

Conversation

@dominic-r

Copy link
Copy Markdown
Member

Generating a password hash currently requires placing the plaintext password on the command line, where it can be retained in shell history and exposed through process inspection. When the password argument is omitted, the command now requires an interactive terminal and prompts for the password twice without echoing it.

Follow up to: #24118

@netlify

netlify Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit cda94e2
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/6a5902346d15250008d0e746
😎 Deploy Preview https://deploy-preview-24126--authentik-integrations.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit cda94e2
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6a5902343e11de0008a8a1d6
😎 Deploy Preview https://deploy-preview-24126--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.80%. Comparing base (0c237e8) to head (f39f575).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #24126      +/-   ##
==========================================
- Coverage   92.83%   92.80%   -0.04%     
==========================================
  Files        1056     1056              
  Lines       62751    62771      +20     
  Branches      424      424              
==========================================
- Hits        58256    58253       -3     
- Misses       4495     4518      +23     
Flag Coverage Δ
conformance 35.55% <0.00%> (-0.01%) ⬇️
e2e 40.59% <0.00%> (-0.02%) ⬇️
integration 31.53% <0.00%> (-0.49%) ⬇️
rust 0.00% <ø> (ø)
unit 92.01% <100.00%> (+<0.01%) ⬆️
unit-migrate 92.03% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

@PeshekDotDev

Copy link
Copy Markdown
Contributor

@emilburzo Last release, we added a feature to put hashed passwords in docker composes, send to api, etc instead of sending plaintext. You generate the hashed password by running docker compose run --rm server hash_password 'your-password'. This exposes the plaintext password in the bash history. My feeling is that we should never allow a user to run the command like this, and instead the command should be ran as docker compose run --rm server hash_password, and then the password is collected after, to keep bash history clean

Do you feel that it is okay for the password to be plaintext in bash history optionally, or should this never be allowed?

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f39f575aae3dba135f2134bd0484e63cb0e8cbc5
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f39f575aae3dba135f2134bd0484e63cb0e8cbc5

Afterwards, run the upgrade commands from the latest release notes.

@dominic-r

Copy link
Copy Markdown
Member Author

(If we remove support, we would need to include this as a breaking change in the release notes due to how it might affect existing scripts and tooling. Just adding a reminder for myself)

@emilburzo

Copy link
Copy Markdown
Member

@PeshekDotDev

agree that it's not good practice, besides bash_history, it can also appear in the running process list (albeit shortly) or logged in places like CI/CD pipelines

for human use, I think the interactive prompt is the way to go

but I assume we likely want/should also support automation? then I think supporting an environment variable and/or standard input would work -- does that make sense?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

3 participants