Masking password for kibana basic authentication login

ihjaz Mohamed
Aug 1, 2018, 10:27:00 AM
to Search Guard Community Forum
* Search Guard and Elasticsearch version
  SearchGuard 6 - 6.2.2-21
  Search-guard-kibana-plugin-6.2.2-10
  Elasticsearch & Kibana - 6.2.2
* Installed and used enterprise modules, if any
  none
* JVM version and operating system version
  OpenJDK Runtime Environment (build 1.8.0_161-b14)
  OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
  Red Hat Enterprise Linux Server release 7.4 (Maipo)
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Hi,

Following is the http request being sent from Search Guard for login. Here the username and password are sent as JSON in the body of a POST method and can be seen by anyone sniffing the http request.

Is there a way to mask/hide the username and password? Is there any setting to send password in headers?

192.168.10.39 --http--> 192.168.10.51

POST /app/kibana/api/v1/auth/login HTTP/1.1
Host: host10dot51c.server36.lab
User-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=0000ApvHwDtXcCbc2O0KUhKo_8H:-1
Connection: keep-alive
Origin: https://host10dot51c.server36.lab
Content-Type: application/json;charset=UTF-8
Content-Length: 50

{
  "password" : "Password1",
  "username" : "kibanaadmin"
}

erik clark
Aug 1, 2018, 10:33:36 AM
to search...@googlegroups.com
Why are you using HTTP with searchguard? The whole point of searchguard is to enable https between Kibana and Elasticsearch.


Jochen Kressin
Aug 1, 2018, 10:44:25 AM
to Search Guard Community Forum
Sending passwords in headers instead of the POST body does not help if you are using HTTP instead of HTTPS. With unencrypted connections everything can be sniffed, including headers. Using HTTP here is basically the same as using HTTP in online banking: Insecure ;) 

So I agree, you need to use HTTPS everywhere, which means:

Browser -> Kibana -> Elasticsearch

That's the only way to avoid usernames and passwords being sniffed.
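The "HTTPS on both hops" setup described in the reply above, as an added configuration example that is not part of this thread or of the Search Guard project's own files; the certificate paths and the Elasticsearch hostname are placeholders, and the settings shown are the Kibana 6.2 and Search Guard 6 keys for TLS on the browser-to-Kibana and Kibana-to-Elasticsearch connections.

```yaml
# --- kibana.yml (Kibana 6.2 with the Search Guard Kibana plugin) ---
# Hop 1: browser -> Kibana. With server.ssl.enabled at its default of false,
# the login POST shown in the capture above (and every later request carrying
# the session cookie) crosses the network in clear text.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt   # placeholder path
server.ssl.key: /etc/kibana/certs/kibana.key           # placeholder path

# Hop 2: Kibana -> Elasticsearch. Point at https and verify the node
# certificate (chain and hostname) against the CA that issued it;
# verificationMode "none" would accept any certificate and leave this hop
# open to interception.
elasticsearch.url: "https://es-node.example.lab:9200"  # placeholder host
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/root-ca.pem" ]
elasticsearch.ssl.verificationMode: full

# Mark the Search Guard session cookie Secure so a browser will not send it
# over a plain http connection even if one is offered.
searchguard.cookie.secure: true

---
# --- elasticsearch.yml (Search Guard 6 on each Elasticsearch node) ---
# Enable TLS on the REST (HTTP) layer that Kibana talks to; Search Guard
# already requires TLS on the node-to-node transport layer.
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node.pem            # placeholder, relative to config/
searchguard.ssl.http.pemkey_filepath: node-key.pem         # placeholder
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem   # placeholder
```

After restarting both services, repeating the capture above should show a TLS handshake on port 5601 and 9200 instead of a readable POST body.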