GLASSFISH-16401

[UB]Security Guide information about password aliases for AS_ADMIN_PASSWORD is incorrect

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.1.1
    • Component/s: docs
    • Labels:
      None

      Description

      The Security Guide information about using a password alias for AS_ADMIN_PASSWORD in the password file that is passed to asadmin is incorrect. See here:

      http://download.oracle.com/docs/cd/E18930_01/html/821-2435/ghgrp.html#ghgpu

      Specifically, step 5 under "To Create a Password Alias"

      If this was allowed, then anyone who knows the name of the alias would be able to execute commands on the server without knowing the password.

      The correct way to obscure the admin user password for running remote commands is to use the "asadmin login" command, which obfuscates the password and stores it in the .asadminpass file.

        Activity

        kevinmcd added a comment -

        I removed the line "In the password file, for example, passwords.txt, add the following line: AS_ADMIN_PASSWORD=${ALIAS=admin-password-alias}, where admin-password-alias is the new password alias." from the doc.

        However, I need some additional information. Is it that the documented steps won't work/aren't allowed, as opposed to being a bad thing to recommend?

        Tom Mueller added a comment -

        The specific problem with steps 5-7 is that it WILL NOT WORK for the admin password (AS_ADMIN_PASSWORD). It will also not work for the master password (AS_ADMIN_MASTERPASSWORD). However, it will work for other passwords. This example, in steps 6 and 7, is trying to start a domain that requires a password using a password alias. As stated in the description, the recommended way to do this is to use the "asadmin login" command. Since this section is about creating a password alias, it doesn't make sense to have an example about using the asadmin login command here.

        To provide an example for using a password alias in the password file that is passed to asadmin, it would be better to base the example on the create-file-user command and the AS_ADMIN_USERPASSWORD variable. For example, if one wanted to create several users, all with the same password, one could do the following:

        Steps 1-4 are the same.

        5. Add the alias to a password file.
        In the password file, for example, passwords.txt, add the following line: AS_ADMIN_USERPASSWORD=${ALIAS=user-password-alias}, where user-password-alias is the new password alias.

        6. Run the create-file-user command using the file.

        asadmin --passwordfile passwords.txt create-file-user user1

        kevinmcd added a comment -

        Thanks for the additional info, Tom. It's very helpful.

        I changed the text as follows. Please let me know if it's OK.

        5. Add the alias to a password file.

        For example, assume the use of a password file such as passwords.txt. Assume further that you want to add an alias for the AS_ADMIN_USERPASSWORD entry that is read by the create-file-user(1) subcommand. You would add the following line to the password file:

        AS_ADMIN_USERPASSWORD=${ALIAS=user-password-alias}, where user-password-alias is the new password alias.

        6. To continue the example of the previous step, you would then run the create-file-user(1) subcommand.

        You could use this method to create several users (user1, user2, and so forth), all with the same password.

        asadmin --passwordfile passwords.txt create-file-user user1

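The following script is an added example, not part of GLASSFISH-16401 or the GlassFish documentation. It carries out the procedure in Tom Mueller's and kevinmcd's comments above (create the alias, reference it from a password file, run create-file-user) and adds the check a practitioner would want before handing the file to asadmin: it refuses a password file that uses ${ALIAS=...} for AS_ADMIN_PASSWORD or AS_ADMIN_MASTERPASSWORD, the two keys the comments say asadmin will not resolve through an alias. The alias name user-password-alias, the file name passwords.txt, the user names and the --run switch are assumptions for illustration; the asadmin calls are only made when --run is given, so the helper functions can be exercised without a server.

```shell
#!/bin/sh
# Added example for GLASSFISH-16401; not the project's own code.
# Assumes GlassFish 3.1 asadmin on PATH and a running domain when --run is used.
set -eu

# Keys asadmin will NOT resolve from ${ALIAS=...} in a password file
# (per the comments on GLASSFISH-16401). The admin password must come from
# "asadmin login" (stored obfuscated in ~/.asadminpass) or a literal value.
NO_ALIAS_KEYS="AS_ADMIN_PASSWORD AS_ADMIN_MASTERPASSWORD"

# write_passwordfile FILE KEY ALIAS-NAME
# Writes FILE (mode 0600) containing a single line KEY=${ALIAS=ALIAS-NAME}.
write_passwordfile() {
    file=$1; key=$2; alias_name=$3
    # umask in a subshell so the restrictive mode applies only to this file
    ( umask 077; printf '%s=${ALIAS=%s}\n' "$key" "$alias_name" > "$file" )
}

# check_passwordfile FILE
# Returns 0 when every ${ALIAS=...} reference sits on a key asadmin can
# resolve, 1 when an alias is used for the admin or master password.
check_passwordfile() {
    file=$1
    status=0
    while IFS= read -r line; do
        case "$line" in
            *'${ALIAS='*) ;;      # only alias references need checking
            *) continue ;;
        esac
        key=${line%%=*}           # text before the first '='
        for bad in $NO_ALIAS_KEYS; do
            if [ "$key" = "$bad" ]; then
                echo "refusing $file: $key cannot be resolved from a password alias" >&2
                status=1
            fi
        done
    done < "$file"
    return "$status"
}

# Run the actual procedure only when asked (assumed --run switch).
if [ "${1:-}" = "--run" ]; then
    # Steps 1-4 of the doc: create the alias (asadmin prompts for its value).
    asadmin create-password-alias user-password-alias
    # Step 5: reference the alias from the password file.
    write_passwordfile passwords.txt AS_ADMIN_USERPASSWORD user-password-alias
    check_passwordfile passwords.txt
    # Admin credentials come from "asadmin login", never from an alias.
    asadmin login
    # Step 6: several users sharing the aliased password (assumed names).
    for u in user1 user2 user3; do
        asadmin --passwordfile passwords.txt create-file-user "$u"
    done
fi
```

The check deliberately keys off the variable name rather than the alias name: the comments make clear the restriction is on which password asadmin is resolving, not on how the alias was created.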
        Tom Mueller added a comment -

        LGTM.

        kevinmcd added a comment -

        Closed as per OK'd change.


          People

          • Assignee:
            kevinmcd
            Reporter:
            Tom Mueller
          • Votes:
            0
            Watchers:
            1
