Redis Security - Multiple passwords

[Kashyap Mhaisekar]

Hi,

Had some questions on the redis security-

1. Is it possible to have multiple passwords on the Redis Cache? Also, can the passwords be stored elsewhere and referred to in the redis.conf instead of typing the password in "requirepass" just like how users and passwords are managed in DB?

2. Finally, unless I set the "CONFIG SET REQUIREPASS <<...>>" using redis-cli.sh, the entry made in redis.conf has no effect. Am i doing something wrong?

Thanks

Kashyap

[Josiah Carlson]

Replies inline.

On Thu, Aug 6, 2015 at 8:47 AM, Kashyap Mhaisekar <kash...@gmail.com> wrote:

Hi,

Had some questions on the redis security-

1. Is it possible to have multiple passwords on the Redis Cache? Also, can the passwords be stored elsewhere and referred to in the redis.conf instead of typing the password in "requirepass" just like how users and passwords are managed in DB?

It is not currently possible to offer multiple passwords. There was a discussion in redis-dev several months ago that talked about adding support for usernames/passwords, and even potential for external verification via services like LDAP, but that thread hasn't been updated in a long time, and I am unsure as to its status in Github or otherwise.

2. Finally, unless I set the "CONFIG SET REQUIREPASS <<...>>" using redis-cli.sh, the entry made in redis.conf has no effect. Am i doing something wrong?

The configuration file is only read on startup. Changing the config after startup will do nothing to the currently running Redis process, just like it generally has no effect on any other software. Redis may have the ability to reload the config file on receiving SIGHUP, but I haven't checked the Redis signal handlers.

 - Josiah

Thanks

Kashyap

--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
To post to this group, send email to redi...@googlegroups.com.
Visit this group at http://groups.google.com/group/redis-db.
For more options, visit https://groups.google.com/d/optout.

[Kashyap Mhaisekar]

Thanks Josiah. Probably moving redis servers behind a firewall is a better alternative to securing the servers as against going down the AUTH route.

Thanks

Kashyap

[Josiah Carlson]

Redis protocol isn't encrypted, so you even with users/passwords should be passing your Redis through SSL if you want any sort of data or authentication security.

 - Josiah