CLI login timeout breaks security #32
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/156037909 The labels on this github issue will be updated when the story is started.
@engrun token validity timeout is set in the uaa configuration. CredHub stores your UAA token when you login via the command line. If a client credential expires, UAA does not allow refresh (unlike a user grant). If you decode the token stored in your
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/156048758 The labels on this github issue will be updated when the story is started.
@engrun If that resolves your issue, please let us know
We are using concourse-up, which bundles credhub, so we have no control over the installation. I'll report an issue with them instead. Thanks for the info. Btw, what is the default token timeout?
@engrun I'm not certain of UAA's default timeout, but from here https://github.com/EngineerBetter/concourse-up/blob/22ba6e5f4e49243a60e3fd98f60e3239b61e0592/bosh/assets/concourse.yml#L126 it appears that the timeout is explicitly being set to 30 seconds. If this token were given only
@engrun Closing this out because it's not related to this project.
What version of the credhub server are you using?
1.7.2
What version of the credhub cli are you using?
1.6.0
If you were attempting to accomplish a task, what was it you were attempting to do?
credhub login --client-name foo --client-secret bar -s --ca-cert
What did you expect to happen?
Login succeeds, and I would be logged in for a decent amount of time (> 30 minutes)
What was the actual behavior?
Login succeeds, but I am forced to login over and over again (after every 30 seconds it seems).
Problem
This behaviour encourages all developers to set the password in their bashrc/zshrc files, meaning security is flawed as the password is suddenly exposed in files on every user's computer.
This behaviour is now being observed after upgrading to 1.7.2
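The problem stated above is that a short token lifetime pushes developers to hard-code the client secret into shell startup files. The following Python scanner is an added example (not part of the CredHub project) that a security team could run to detect that exposure: it looks for `credhub login ... --client-secret <value>` invocations and `CREDHUB_SECRET=` assignments in the usual rc files and reports them with the secret value masked. `CREDHUB_SECRET` is assumed here to be the environment variable the CLI reads; the sample rc content is constructed inline.

```python
import re
from pathlib import Path

# Lines that would leave a CredHub client secret sitting in a shell startup file.
SECRET_PATTERNS = [
    re.compile(r"credhub\s+login\b.*--client-secret\s+\S+"),
    re.compile(r"^\s*(export\s+)?CREDHUB_SECRET\s*=\s*\S+"),  # assumed env var name
]

RC_FILES = (".bashrc", ".zshrc", ".profile", ".bash_profile", ".zprofile")


def redact(line: str) -> str:
    """Mask the secret value so the finding itself does not leak it."""
    line = re.sub(r"(--client-secret\s+)\S+", r"\1<redacted>", line)
    line = re.sub(r"(CREDHUB_SECRET\s*=\s*)\S+", r"\1<redacted>", line)
    return line.rstrip()


def find_exposed_secrets(lines, source="<constructed>"):
    """Return (source, line number, redacted line) for every matching, non-comment line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines do not execute, so skip them
        if any(pat.search(line) for pat in SECRET_PATTERNS):
            findings.append((source, lineno, redact(line)))
    return findings


def scan_rc_files(home=None):
    """Scan the standard rc files under a home directory (defaults to the current user)."""
    home = Path.home() if home is None else Path(home)
    findings = []
    for name in RC_FILES:
        path = home / name
        if path.is_file():
            text = path.read_text(errors="replace").splitlines()
            findings.extend(find_exposed_secrets(text, str(path)))
    return findings


# Constructed sample of a .bashrc; "bar" stands in for a secret and is not a real value
SAMPLE_RC = """\
# constructed sample rc file, not a real one
export PATH=$HOME/bin:$PATH
alias ll='ls -l'
export CREDHUB_CLIENT=foo
export CREDHUB_SECRET=bar
credhub login --client-name foo --client-secret bar -s https://credhub.example:8844
# credhub login --client-secret commented-out-so-ignored
""".splitlines()

if __name__ == "__main__":
    for source, lineno, text in find_exposed_secrets(SAMPLE_RC, "sample .bashrc"):
        print(f"{source}:{lineno}: {text}")
    for source, lineno, text in scan_rc_files():
        print(f"{source}:{lineno}: {text}")
```

The redaction step matters because a scanner that echoes the matched line verbatim just copies the secret into a log; the report should point at the file and line, not repeat the value.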