
CLI login timeout breaks security #32

Closed
engrun opened this issue Mar 16, 2018 · 7 comments

Comments

@engrun

engrun commented Mar 16, 2018

What version of the credhub server are you using?

1.7.2

What version of the credhub cli are you using?

1.6.0

If you were attempting to accomplish a task, what was it you were attempting to do?

credhub login --client-name foo --client-secret bar -s --ca-cert

What did you expect to happen?

Login succeeds, and I would be logged in for a decent amount of time ( > 30 minutes )

What was the actual behavior?

Login succeeds, but I am forced to log in over and over again (after every 30 seconds, it seems).

Problem

This behaviour encourages all developers to set the password in their bashrc/zshrc files, meaning security is flawed as the password is suddenly exposed in files on every user's computer.
This behaviour is now being observed after upgrading to 1.7.2.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/156037909

The labels on this github issue will be updated when the story is started.

@ebeer
Contributor

ebeer commented Mar 16, 2018

@engrun token validity timeout is set in the uaa configuration. CredHub stores your UAA token when you login via the command line. If a client credential expires, UAA does not allow refresh (unlike a user grant). If you decode the token stored in your ~/.credhub/config.json (with something like https://jwt.io/) after login, that would be a quick way to validate what token expiration is set for your credentials so you can adjust accordingly.
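The token check described in the comment above, as an added offline example (not CredHub or UAA project code): it base64url-decodes the JWT payload without verifying the signature, reports the granted lifetime (`exp - iat`) and flags a `client_credentials` grant, which UAA will not refresh. It assumes the CLI stores the token under an `access_token` key in `~/.credhub/config.json`; the sample token is constructed.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified;
    this only inspects a token you already hold, as jwt.io does."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_seconds(claims: dict) -> int:
    """Lifetime UAA granted the token: exp minus iat (both Unix seconds)."""
    return int(claims["exp"]) - int(claims["iat"])


def inspect_credhub_config(config_text: str, min_lifetime: int = 1800) -> dict:
    """Summarise the token in a credhub CLI config.json. The 'access_token'
    key name is an assumption; check your own file. Flags lifetimes shorter
    than min_lifetime and client_credentials grants (not refreshable)."""
    claims = decode_jwt_claims(json.loads(config_text)["access_token"])
    lifetime = token_lifetime_seconds(claims)
    grant = claims.get("grant_type", "unknown")
    return {
        "client_id": claims.get("client_id"),
        "grant_type": grant,
        "lifetime_seconds": lifetime,
        "too_short": lifetime < min_lifetime,
        "refreshable": grant != "client_credentials",
    }


def _make_sample_token(client_id: str, lifetime: int) -> str:
    """Build a CONSTRUCTED, unsigned token shaped like a UAA JWT so the
    example runs offline. Real UAA tokens are RS256-signed."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    now = int(time.time())
    payload = {"client_id": client_id, "grant_type": "client_credentials",
               "iat": now, "exp": now + lifetime, "scope": ["credhub.read"]}
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed config mirroring the 30-second lifetime reported in this issue.
SAMPLE_CONFIG = json.dumps({"access_token": _make_sample_token("foo", 30)})
```

Point `inspect_credhub_config` at the contents of your real `config.json` to see whether the short lifetime or the grant type is what forces the repeated logins.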

@ebeer ebeer closed this as completed Mar 16, 2018
@ebeer ebeer reopened this Mar 16, 2018
@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/156048758

The labels on this github issue will be updated when the story is started.

@ebeer
Contributor

ebeer commented Mar 16, 2018

@engrun If that resolves your issue, please let us know

@engrun
Author

engrun commented Mar 19, 2018

We are using concourse-up, which bundles credhub, so we have no control over the installation. I'll report an issue with them instead. Thanks for the info. Btw, what is the default token timeout?

@ebeer
Contributor

ebeer commented Mar 19, 2018

@engrun I'm not certain of UAA's default timeout, but from here https://github.com/EngineerBetter/concourse-up/blob/22ba6e5f4e49243a60e3fd98f60e3239b61e0592/bosh/assets/concourse.yml#L126 it appears that the timeout is explicitly being set to 30 seconds. If this token were given only password and refresh_token scopes you would not be seeing this issue. The inclusion of client_credentials on line 123 of that config is overriding the other scopes.

@crawsible

@engrun Closing this out because it's not related to this project.
