CAS 5.2 Password Variable


Kevin Liu

Feb 27, 2018, 12:29:22 PM
to CAS Community
Does anyone know how to reference the login page password in cas.properties? I know for username, you use %s but what about the password?

Kevin Liu

Feb 28, 2018, 3:02:37 PM
to CAS Community
I'd like to do this because this way, I won't have bindCredentials in cleartext.

Man H

Feb 28, 2018, 4:02:15 PM
to cas-...@apereo.org
What would be the problem with having it in cleartext on the server?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d18e508b-f92f-4cf9-bc2f-9125f629b0a0%40apereo.org.

Kevin Liu

Feb 28, 2018, 4:12:10 PM
to CAS Community
Should the server be compromised, attackers can grab AD credentials and then verify all accounts with compromised credentials.

My solution to this is to not have clear text (seems genius right? ;) ). According to one of CAS's blogs, https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/, jasypt is the method to use.


Man H

Feb 28, 2018, 4:29:40 PM
to cas-...@apereo.org
How would the server be compromised?


Kevin Liu

Feb 28, 2018, 4:34:27 PM
to CAS Community
I guess the easiest would be physical access. There are other various intrusion methods too.

Man H

Feb 28, 2018, 4:35:06 PM
to cas-...@apereo.org
How do you get to the password?


David Curry

Feb 28, 2018, 4:46:36 PM
to cas-...@apereo.org
Note that Jasypt is just a wrapper around Java's symmetric encryption algorithms.

Yeah, you've encrypted the passwords in the cas.properties file, but the Jasypt key to decrypt them has to exist in plaintext in the startup script (systemd service file, /etc/init.d script, etc.) for the server (unless you want to enter it by hand whenever the system reboots)... so all you've really accomplished is moving the plaintext from one file to another.

Plus Jasypt seems to be kind of dead (it hasn't been updated since 2014 and doesn't work with some of Java's newer crypto algorithms).

If you're really concerned about it, you probably want to look at storing your configuration info in a heavily-fortified Spring Cloud Configuration server somewhere. But unless you're already drinking the Spring Cloud Kool-Aid in your organization and have such a framework rolled out, that's a WHOLE LOT of work for very little gain.



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 | david...@newschool.edu

The New School

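The point above (an ENC(...) value in cas.properties is only as secret as the Jasypt key in the startup script) can be checked mechanically. The following audit script is an added example, not code from the thread or from the CAS project; the property names it looks for (cas.authn.ldap[0].bindCredential, cas.ticket.registry.jpa.password, cas.standalone.configuration.security.psw) and both sample files are assumptions constructed for the demonstration.

```python
import re

# Property names that hold credentials. The CAS key names are assumptions
# (cas.authn.ldap[0].bindCredential, cas.standalone.configuration.security.psw).
SECRET_KEY_RE = re.compile(r"(bindCredential|password|\.psw|secret)$", re.I)
# Jasypt wraps encrypted values as ENC(...); Spring Cloud Config uses a {cipher} prefix.
WRAPPED_RE = re.compile(r"^(ENC\(.+\)|\{cipher\}.+)$")
# The Jasypt master key passed as a JVM system property in a startup file.
JASYPT_KEY_RE = re.compile(r"cas\.standalone\.configuration\.security\.psw\s*=\s*(\S+)")

# Constructed sample inputs (not from any real deployment).
SAMPLE_PROPERTIES = """\
# constructed sample cas.properties
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.org
cas.authn.ldap[0].bindDn=CN=cas-bind,OU=Service,DC=example,DC=org
cas.authn.ldap[0].bindCredential=ENC(3xampleJasyptCipherText==)
cas.serviceRegistry.json.location=file:/etc/cas/services
cas.ticket.registry.jpa.password=changeit
"""
SAMPLE_UNIT = """\
# constructed systemd unit
[Service]
ExecStart=/usr/bin/java -Dcas.standalone.configuration.security.psw=s3cret -jar /opt/cas/cas.war
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(properties_text, startup_text):
    """Classify credential properties and report which are effectively cleartext."""
    props = parse_properties(properties_text)
    secrets = {k: v for k, v in props.items() if SECRET_KEY_RE.search(k)}
    cleartext = sorted(k for k, v in secrets.items() if not WRAPPED_RE.match(v))
    wrapped = sorted(k for k, v in secrets.items() if WRAPPED_RE.match(v))
    # If the Jasypt key is readable on the same host, the wrapped values are
    # recoverable by anyone who can read the startup file: cleartext by another name.
    key_on_disk = bool(JASYPT_KEY_RE.search(startup_text) or JASYPT_KEY_RE.search(properties_text))
    return {"cleartext": cleartext, "wrapped": wrapped, "jasypt_key_on_disk": key_on_disk,
            "effective_cleartext": cleartext + (wrapped if key_on_disk else [])}

if __name__ == "__main__":
    print(audit(SAMPLE_PROPERTIES, SAMPLE_UNIT))
```

Pointing the two text arguments at the real cas.properties and the service unit (or /etc/init.d script) gives the same classification for a live host.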

Kevin Liu

Feb 28, 2018, 4:52:34 PM
to cas-...@apereo.org
Password of what? The server or the AD credentials? I'm assuming you're referring to the server, which, if you have physical access, you can boot using GRUB and mount the filesystem, bypassing any password. Then it's just a matter of looking up AD/LDAP credentials.

David, thank you for pointing that out. I was wondering about that, because the password has to exist somewhere on the server. I'll have to check with my security team to see what would make them happy then. I know in previous iterations, they used a jbvault to store credentials. I'd rather not go down that route though.


Ray Bon

Feb 28, 2018, 5:06:30 PM
to cas-...@apereo.org
There is https://github.com/apereo/cas-configserver-overlay which we have deployed. It reads our config from a local git repo. In the repo the credentials are encrypted. The config server decrypts them before sending to CAS.
But there is still a password for access to the config server.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Man H

Feb 28, 2018, 5:14:07 PM
to cas-...@apereo.org
Let's see what the security people say!


Kevin Liu

Mar 1, 2018, 9:25:03 AM
to CAS Community
Not much of a follow up, but my security team just announced they have their own method of hardening the system later on so it looks like I won't have to worry about the cleartext issue. Thank you everyone!

Kevin Liu

Mar 1, 2018, 11:08:39 AM
to CAS Community
That said though, it would still be great if there was a variable to pass in the password and if there is one, I'd like to know.