You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, the MinIO client mc allows getting information about a given service account via the mc admin user svcacct info command. By parsing the content one can check whether a service account (a.k.a. access key) is active or does not exist, among other things.
I would like to suggest adding a new option to this command to be able to validate the credentials of a given service account, so that it would fail if the provided password (a.k.a. secret key) has changed. Example:
mc admin user svcacct auth ACCESSKEY SECRETKEY
This could return, for example, 0 if it succeeded, 1 if it failed and 2 if the service account does not exist.
Thanks.
The text was updated successfully, but these errors were encountered:
This command would not require any additional permissions for the service account to be run, as it would already be an implicit requirement for it to do whatever it would be already doing, e.g., listing the contents of a private bucket.
I think there is a security vulnerability here. If I find that the account exists, I can keep retrying the password and potentially hack into the account in theory. @harshavardhana
Currently, the MinIO client
mc
allows getting information about a given service account via themc admin user svcacct info
command. By parsing the content one can check whether a service account (a.k.a. access key) is active or does not exist, among other things.I would like to suggest adding a new option to this command to be able to validate the credentials of a given service account, so that it would fail if the provided password (a.k.a. secret key) has changed. Example:
mc admin user svcacct auth ACCESSKEY SECRETKEY
This could return, for example,
0
if it succeeded,1
if it failed and2
if the service account does not exist.Thanks.
The text was updated successfully, but these errors were encountered: