Clarification on plain text password


md md

Nov 1, 2017, 2:56:50 PM11/1/17
to Search Guard Community Forum
In the elasticsearch.yml file, we have the node certificate and its password like below:

searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks
searchguard.ssl.http.keystore_password: asdsadasdsad
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: asdsadasdasd

If any user gains access to this configuration file, will he be able to connect to Elasticsearch as a client by passing the node certificate JKS file and password?

Is there any provision to have these passwords encrypted in the config file?


SG

Nov 1, 2017, 3:22:04 PM11/1/17
to search...@googlegroups.com
If one gets a node certificate and the keystore password, it can be possible to boot a node, connect to the cluster and get the data.
So the node certificates and the password need to be kept secure (for example by leveraging Unix file permissions). To avoid plaintext passwords in config files, you can
use environment variables to mitigate this.

But luckily there is one additional TLS feature which can help here: hostname validation.
If this is enabled (which is the default), an attacker has to assign the hostname of the certificate to the hostile machine, which is hard in a corporate network because you normally need access to the DNS server
to do this.
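An added check in the spirit of that reply (example code, not from the thread or the Search Guard project): it flags `*password` keys in an elasticsearch.yml whose value is a literal instead of an `${ENV_VAR}` reference, and reports whether the file mode grants access beyond the owner. The `${VAR}` form is Elasticsearch's standard environment-variable substitution syntax; the sample config and the `SG_TRUSTSTORE_PASSWORD` name are constructed for the example.

```python
import os
import re
import stat

# Constructed sample, modelled on the settings quoted in the thread; not a real config.
# Elasticsearch replaces ${VAR} references in elasticsearch.yml with environment
# variables, which is the mechanism the reply points to (the env var name is made up).
SAMPLE_YML = """\
searchguard.ssl.http.keystore_filepath: generated-certificates/CN=127.0.0.1-keystore.jks
searchguard.ssl.http.keystore_password: asdsadasdsad
searchguard.ssl.http.truststore_filepath: generated-certificates/truststore.jks
searchguard.ssl.http.truststore_password: ${SG_TRUSTSTORE_PASSWORD}  # ok: not a literal
"""

ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
SECRET_KEY = re.compile(r"(password|passphrase|secret)$", re.IGNORECASE)


def find_plaintext_secrets(yml_text):
    """Return (key, value) pairs whose key names a secret and whose value is a
    literal rather than an ${ENV_VAR} reference. Handles the flat 'a.b.c: v'
    form used in elasticsearch.yml; nested YAML maps are out of scope here."""
    findings = []
    for raw in yml_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].strip()  # drop a trailing YAML comment
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip("'\"")
        if SECRET_KEY.search(key) and value and not ENV_REF.match(value):
            findings.append((key, value))
    return findings


def too_permissive(mode):
    """True if the mode grants any group or world access; a config that carries
    keystore passwords should be readable by the service owner only (0600)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_config(path):
    """Audit an elasticsearch.yml on disk: literal secrets plus file permissions."""
    with open(path, encoding="utf-8") as fh:
        secrets = find_plaintext_secrets(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"plaintext_secrets": secrets, "mode": oct(mode),
            "too_permissive": too_permissive(mode)}


if __name__ == "__main__":
    for key, value in find_plaintext_secrets(SAMPLE_YML):
        print(f"literal secret in {key}: {value!r} -> move it to an environment variable")
```

Run `audit_config("/etc/elasticsearch/elasticsearch.yml")` on a real node to get both findings in one dict.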

md md

Nov 4, 2017, 2:00:14 AM11/4/17
to Search Guard Community Forum
Thanks for the information