core: prompt securely when hashing passwords#24126
Conversation
✅ Deploy Preview for authentik-integrations ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #24126 +/- ##
==========================================
- Coverage 92.83% 92.80% -0.04%
==========================================
Files 1056 1056
Lines 62751 62771 +20
Branches 424 424
==========================================
- Hits 58256 58253 -3
- Misses 4495 4518 +23
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. |
|
@emilburzo Last release, we added a feature to put hashed passwords in docker composes, send to api, etc instead of sending plaintext. You generate the hashed password by running Do you feel that it is okay for the password to be plaintext in bash history optionally, or should this never be allowed? |
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f39f575aae3dba135f2134bd0484e63cb0e8cbc5
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-f39f575aae3dba135f2134bd0484e63cb0e8cbc5Afterwards, run the upgrade commands from the latest release notes. |
|
(If we remove support, we would need to include this as a breaking change in the release notes due to how it might affect existing scripts and tooling. Just adding a reminder for myself) |
|
agree that it's not good practice, besides for human use, I think the interactive prompt is the way to go but I assume we likely want/should also support automation? then I think supporting an environment variable and/or standard input would work -- does that make sense? |
Generating a password hash currently requires placing the plaintext password on the command line, where it can be retained in shell history and exposed through process inspection. When the password argument is omitted, the command now requires an interactive terminal and prompts for the password twice without echoing it.
Follow up to: #24118