Locked out? #20

Closed
rkeithhill opened this issue Sep 18, 2020 · 5 comments
@rkeithhill

What have I done to myself here?

🔥09-18 16:32:39 20> Set-SecretStoreConfiguration -DoNotPrompt -Force

      Scope PasswordRequired PasswordTimeout DoNotPrompt
      ----- ---------------- --------------- -----------
CurrentUser             True             900        True

C:\Users\Keith>
🔥0x8A150014 09-18 16:33:45 22> Get-Secret -Name SomePassword -AsPlainText
Get-Secret: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.
Get-Secret: The secret SomePassword was not found.

C:\Users\Keith>
09-18 17:27:06 24> Set-SecretStoreConfiguration -PasswordRequired:$false

Confirm
Are you sure you want to perform this action?
Performing the operation "Changes local store configuration" on target "SecretStore module local store".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Set-SecretStoreConfiguration: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.

C:\Users\Keith>
🔥09-18 17:27:16 25> Get-SecretStoreConfiguration
Get-SecretStoreConfiguration: A valid password is required to access the Microsoft.PowerShell.SecretStore vault.

If we are actually supposed to be able to disable the password requirement, then this syntax is not great: -PasswordRequired:$false. Might be better to have -EnablePasswordRequired and DisablePasswordRequired.

@PaulHigin
Contributor

The above is by design. You need to unlock the store before you can change the configuration password setting with 'Unlock-SecretStore', since prompting is turned off. But maybe a prompt should always occur in this case, or a better error message.

We want to be secure by default, and decided to use -PasswordRequired and make it a little bit difficult to turn it off since no password use is much less secure.

But I am open to changes as long as default always goes to 'most secure'.

@rkeithhill
Author

> You need to unlock the store before you can change the configuration ...

That makes sense, but why is Get-SecretStoreConfiguration failing? Seems like that should not fail in this case, i.e. does the display of the store config need to be password protected?

> a better error message.

Yeah, maybe something indicating that the vault is locked, and since password prompting is disabled, it needs to be unlocked via Unlock-SecretStore.

@ThomasNieto

If PasswordRequired is set to false I would expect SecretStore (Get-SecretStoreConfiguration) cmdlets to implicitly unlock the store without needing to explicitly unlock the store with Unlock-SecretStore.

@PaulHigin
Contributor

Yes, it works that way now. The above repro started with a required password, turned off prompting and then tried to access the store, and failed because the store was locked. In this case a password is required to access the store or change the password configuration and is by design. However, better error reporting or always allow prompting in this case may be a better experience.
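
The unlock-then-retry sequence described in this thread, as an added example that is not part of the original issue or the SecretStore project's own code. It assumes the preview-era cmdlets shown in the transcript, that Unlock-SecretStore accepts a SecureString through -Password, and that the error text matches the transcript; Invoke-WithUnlockedStore is a hypothetical helper name.

```powershell
# Added example, not from the issue or the SecretStore project.
# Assumptions: Unlock-SecretStore -Password <SecureString>; error text as in the
# transcript above; Invoke-WithUnlockedStore is a hypothetical helper name.

function Invoke-WithUnlockedStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock]  $Action,
        [Parameter(Mandatory)] [securestring] $StorePassword
    )
    try {
        # The action must use -ErrorAction Stop so the locked-store error is catchable.
        & $Action
    }
    catch {
        # Anything other than the locked-store error is passed through unchanged.
        if ($_.Exception.Message -notlike '*valid password is required*') { throw }

        Write-Verbose 'Store is locked and prompting is disabled; unlocking explicitly.'
        Unlock-SecretStore -Password $StorePassword

        # Retry once now that the store has been unlocked for this session.
        & $Action
    }
}

# With DoNotPrompt set, no cmdlet will ask for the password, so the caller supplies it.
# Read-Host suits an interactive recovery; automation would read the password from
# its own protected source instead.
$pw = Read-Host -Prompt 'SecretStore password' -AsSecureString

# The two commands that failed in the transcript, now run behind the unlock step.
Invoke-WithUnlockedStore -StorePassword $pw -Action {
    Get-SecretStoreConfiguration -ErrorAction Stop
}

Invoke-WithUnlockedStore -StorePassword $pw -Action {
    Get-Secret -Name SomePassword -ErrorAction Stop
}
```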

@PaulHigin
Contributor

Closing as 'answered'.
