Setting password when creating users in sg_internal_users.yml


Xiaoyu Wu

Apr 15, 2018, 11:48:30 PM
to Search Guard Community Forum
ES 6.2.2 with corresponding SG

I am wondering how to set the password for the users I created in sg_internal_users.yml. I noticed that there is no place to set the password for the demo users.

#password is: logstash
logstash:
  hash: .....
  roles:
    - logstash

Can I just simply add one more line "password: ........" under the username structure?

And for the demo user like logstash, is it possible for me to change the default password in this config file like adding "password: ....."?

Jochen Kressin

Apr 16, 2018, 1:59:40 PM
to Search Guard Community Forum
This is because you do not want to have cleartext passwords anywhere in your configuration files. You have to generate a hash of the password you want to use with the hash.sh script that ships with Search Guard. Please refer to the docs on how to use it:

https://docs.search-guard.com/latest/internal-users-database

Xiaoyu Wu

Apr 16, 2018, 2:08:19 PM
to search...@googlegroups.com
So do you mean that I can only edit the clear text password after I set up the hash password and everything in the config?

I just want to edit the password of admin and I successfully removed the "reserved" flag but it still threw some internal server error when I actually clicked the submit.  


Jochen Kressin

Apr 16, 2018, 2:13:40 PM
to Search Guard Community Forum
No, I mean that the sg_internusers.yml file cannot contain clear text passwords for security reasons. You do not want to use cleartext passwords, this is insecure. Instead of using a clear text password, create the hash of the password with the hash.sh tool and then enter it in sg_internusers.yml via the "hash" key. This is described in the documentation that I posted before.


https://docs.search-guard.com/latest/internal-users-database


Xiaoyu Wu

Apr 16, 2018, 2:15:55 PM
to search...@googlegroups.com
Yes, I understood that. But when we log in to the page, we do not enter the hash key. What we did is to enter the clear text key. So which place is for creating the password for login?


Xiaoyu Wu

Apr 16, 2018, 2:19:53 PM
to search...@googlegroups.com
My current user is not admin and I tried to change the password for admin.

Jochen Kressin

Apr 16, 2018, 2:21:52 PM
to Search Guard Community Forum
Of course you enter the cleartext password on the login page, not the hash. Sorry, but you need to understand how password hashing works in general, this is a basic security concept that applies for nearly all systems. You never store any password in cleartext anywhere, you just store that hash of the password. When a user provides the cleartext password upon login, it is also hashed, and then compared with the already stored hashed password. Hence, the place to enter the password for any user is sg_internalusers.yml, and you need to enter the hashed password here.

Some further reading about password hashing:

Jochen Kressin

Apr 16, 2018, 3:23:21 PM
to Search Guard Community Forum
This seems to be a bug in the last version of the plugin. Can you please try to change the admin user definition in internalusers.yml from:

admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

to:

admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin

(Remove the "attributes" section and the readonly flag, and set your own password hash).

After that use sgadmin to upload the changed configuration.

It seems the Kibana plugin does not support the new "attributes" key yet. This key was introduced only lately.

Please let me know if this fixes your problem.
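
The rule stated in this thread (each user carries a bcrypt "hash", never a cleartext "password") can be checked before the file is uploaded with sgadmin. The sketch below is an added example, not part of the original posts and not Search Guard code; the function name, the kibanauser entry with its password value, and the minimum cost of 12 are assumptions made for illustration.

```python
import re

# bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 22 salt + 31 digest chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 12  # assumption: the cost of the hash quoted in the thread

# Constructed sample: the admin entry is the one quoted in the thread, the
# logstash entry keeps the thread's placeholder, kibanauser is made up.
SAMPLE = """\
admin:
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin
#password is: logstash
logstash:
  hash: .....
  roles:
    - logstash
kibanauser:
  password: changeme
"""

def lint_internal_users(text):
    """Return (line_no, user, problem) tuples; flat thread layout only, not general YAML."""
    findings, user, has_hash = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            if "password" in line.lower():
                findings.append((no, None, "comment mentions a password"))
            continue
        if not line[0].isspace():  # column 0: a new user entry
            user = line.rstrip(":")
            has_hash[user] = False
            continue
        key, _, value = line.strip().partition(":")
        if key == "password":
            findings.append((no, user, "cleartext password key"))
        elif key == "hash":
            has_hash[user] = True
            m = BCRYPT_RE.match(value.strip().strip("'\""))
            if not m:
                findings.append((no, user, "hash is not a bcrypt string"))
            elif int(m.group(1)) < MIN_COST:
                findings.append((no, user, "bcrypt cost below %d" % MIN_COST))
    # Line number 0 marks a finding about the whole entry.
    return findings + [(0, u, "no hash key") for u, ok in has_hash.items() if not ok]

if __name__ == "__main__":
    print(*lint_internal_users(SAMPLE), sep="\n")
```

An empty result means every entry has a well-formed bcrypt hash and no cleartext password; it does not confirm that the hash matches the password you intend to type at login.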

Xiaoyu Wu

Apr 16, 2018, 11:56:31 PM
to Search Guard Community Forum
Thank you so much. After removing the attributes, the problem has been solved!


Xiaoyu Wu

Apr 18, 2018, 1:03:08 AM
to Search Guard Community Forum
Hi,

I have a new problem. You mentioned that I could create a new hash password for admin and apply the new configuration.

I did put a new hash password generated by hash.sh and when I tried to log in to Kibana, I found the default password "admin" did not work for user "admin". So I am not sure how to log in to the Kibana GUI?

