Hi @<1687643893996195840:profile|RoundCat60>
anyone with access to the server
Is that a thing? If you have access to the server Not sure how "protected" you are even if using a key ring...
(unfortunately I do not think we support anything else, but what did you have in mind?
Hi @<1687643893996195840:profile|RoundCat60> ,
Passwords should be encrypted before being stored
That's definitely an option (we had the same idea), however it would mean a more complex configuration procedure and might male it hard for less-savvy people to setup the server. Considering the fact that anyone with access to the server can basically access all data anyway, as @<1523701205467926528:profile|AgitatedDove14> said, having the passwords for the account encrypted won't make or break you protection 🙂 .
BTW - if you're using AWS EC2, you can easily use the AWS Secrets Manager to store this information.
Thanks. Where is the configuration stored on the server? Currently we have deployed an EC2 instance using the marketplace AMI - if this demo is successful we would be looking at splitting the environment into the different AWS services - logging to S3, use of secrets manager, elasticsearch, redis, mongoDB etc
I've looked through the documentation, but didn't initially spot anything that would help with doing this (granted I may have overlooked something)
Some ideas, not all directly related to this:
- Passwords should be encrypted before being stored
- A mechanism on the server application to add/remove users, avoiding having to SSH on to the server would be nice
- Some level of permissions in the application would be nice - Admin/Owner/Viewer restrictions which would dictate would users can do and give finer control
The configuration can be provided using a configuration file (like apiserver.conf or services.conf ), or provided to the server as an environment variable (every configuration setting can be set using an environment variable in the form TRAINS__<path__to__configuration__setting>=<configuration value, base type of HOCON configuration format> )
I’m interested to understand how we can use secrets manager for password storage. Do you have any documentation on this?
Ah ok, so you don’t support secrets manager per se, you’re suggesting we build our own auth system using it?
We’d be using https in production
Nice 🙂
@<1687653458951278592:profile|StrangeStork48> , I was reading this thread trying to understand what exactly is the security concern/fear here, and I'm not sure I fully understand. Any chance you can elaborate ?
Hi @<1687653458951278592:profile|StrangeStork48>
secrets manager per se,
Quick question, are you running the trains-server over http or https ?
This seems to me quite a fundamental security issue. Do you have a roadmap which includes resolving things like this?
Assuming it was hashed, the seed would be stored on the same server, so knowing both would allow me the same access, no?
Quick question, are you running the trains-server over http or https ?
We’d be using https in production
The concern is that user’s passwords are stored in plain text.
Do you have a roadmap which includes resolving things like this
Security SSO etc. is usually out of scope for the open-source platform as it really makes the entire thing a lot harder to install and manage. That said I know that on the Enterprise solution they do have SSO and LDAP support and probably way more security features. I hope it helps 🙂
Hi @<1687653458951278592:profile|StrangeStork48>
- Agreed,
- Notice this user/pass is only used for the initial authentication, after that all authentication is done via a signed JWT tokenHow about a GitHub issue with the feature request, if there is enough interest (or someone jumps in offering implementation) we can push it forward. What do you think?
If you can reverse the hash you’re doing it wrong. A hashed password should be of no use to anyone, that’s the whole point. The application should only ever compare the hashed values of a password. This is basic application security.
Hi @<1687653458951278592:profile|StrangeStork48>
I have good news, v1.0 is out with hashed passwords support.
this would not solve the issue of server admins knowing everybody’s passwords would it?
For example TRAINS__APISERVER__AUTH__FIXED_USERS={"enabled": true, "users": [{"username": "foo", "name": "Foo", "password": "bar"}]}
- Set hashed passwords withÂ
pass_hashed: true - Generate passwords usingÂ
python3 -c 'import bcrypt,base64; print(base64.b64encode(bcrypt.hashpw("password".encode(), bcrypt.gensalt())))'Â (obviously, replace "password" with the actual password). The resulting b64 string should be placed in the password field for each user.
For example, assuming your password is "123456": - bash:
> python3 -c 'import bcrypt,base64; print(base64.b64encode(bcrypt.hashpw("123456".encode(), bcrypt.gensalt())))'
b'JDJiJDEyJDk3OHBFcHFlNEsxTkFoZDlPcGZsbC5sU1pmM3huZ1RpeHc0ay5WUjlzTzN5WE1WRXJrUmhp'
- InÂ
apiserver.conf :
# A list of fixed users
fixed_users {
enabled: true
pass_hashed: true
users: [
{
username: "john"
password: "JDJiJDEyJDk3OHBFcHFlNEsxTkFoZDlPcGZsbC5sU1pmM3huZ1RpeHc0ay5WUjlzTzN5WE1WRXJrUmhp"
name: "john doe"
}
]
}
Hi @<1687653458951278592:profile|StrangeStork48> , the easiest way is to read Amazon's AWS docs regarding the Secrets Manager. Once you manage to use that, you can simply "inject" any values you require into config files or environment variables.