Implement UsernamePassword method #9
base: master
Conversation
conf/cepces.conf.dist
# Use the following AD password.
#
# Default: <not defined>
#password = ADpassword
This is not a good idea. I don't want AD passwords stored in a plain text file.
I am not too fond of the idea either. However that concept was already in the part of the code for UsernamePassword authentication found in the master branch.
Yeah, I didn't write that code ;-)
I think we could make this work with the creds stored in a keyring, if you want to pursue the idea.
I don't think we should be implementing the username/password authentication, because this encourages users to place passwords in a plain-text file (at least the way it is currently written).
@hansjoachimknobloch Maybe you could separate the UsernamePassword and Certificate auth methods into 2 different merge requests here. I'm ok with the Certificate auth.
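The objection above is that a `password =` line in cepces.conf leaves the AD password in a world-readable text file. The following is an added example (not code from this PR or from the cepces project) of the alternative a reviewer would ask for if the UsernamePassword method stays: refuse an inline `password` setting outright and instead read the secret from a separate file that must be owned by the invoking user and closed to group/other. The `[global]` section name, the `password_file` key and the sample configs are assumptions made for the example; it does not implement the keyring idea.

```python
"""Added example, not cepces project code: resolve the AD password for the
UsernamePassword method without keeping it inline in cepces.conf.

Assumptions (not from the PR thread): the section is called [global], the
alternative key is ``password_file``, and that file must be owned by the
invoking user with no group/other permission bits.
"""
import configparser
import os
import stat

# Constructed sample of the weak form: the password sits in the config file.
WEAK_CONF = """
[global]
username = svc-cepces
password = ADpassword
"""

# Constructed sample of the hardened form: the config only names a private file.
HARDENED_CONF = """
[global]
username = svc-cepces
password_file = /etc/cepces/ad.secret
"""


class CredentialError(Exception):
    """Raised when no acceptable password source is available."""


def load_config(text):
    """Parse cepces.conf-style INI text (interpolation off so '%' in passwords is safe)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def read_secret_file(path):
    """Return the password stored in *path* after checking the file is private."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError("%s: not a regular file" % path)
    if st.st_uid != os.getuid():
        raise CredentialError("%s: not owned by uid %d" % (path, os.getuid()))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError("%s: mode %o grants group/other access"
                              % (path, st.st_mode & 0o777))
    with open(path, encoding="utf-8") as fh:
        secret = fh.read().rstrip("\r\n")
    if not secret:
        raise CredentialError("%s: empty" % path)
    return secret


def resolve_password(cp):
    """Return the AD password, refusing an inline ``password`` setting."""
    section = cp["global"]
    if section.get("password"):
        raise CredentialError(
            "refusing plain-text 'password' in cepces.conf; use password_file")
    path = section.get("password_file")
    if not path:
        raise CredentialError("no password_file configured")
    return read_secret_file(path)


def check_example(secret_path):
    """Run both sample configs; the hardened one is pointed at *secret_path*."""
    results = {}
    try:
        resolve_password(load_config(WEAK_CONF))
        results["weak"] = "accepted"
    except CredentialError as exc:
        results["weak"] = "rejected: %s" % exc
    cp = load_config(HARDENED_CONF)
    cp["global"]["password_file"] = secret_path
    try:
        results["hardened"] = "password of length %d" % len(resolve_password(cp))
    except (CredentialError, OSError) as exc:
        results["hardened"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/cepces/ad.secret"
    for name, outcome in check_example(target).items():
        print(name, outcome)
```

Run it with the path of a secret file as the only argument: the weak config is always rejected, and the hardened one is accepted only while the file is a regular file owned by the caller with mode 0600 or stricter. Environment variables were deliberately left out as a source, since the thread notes they can be listed later by anyone who can inspect the process.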
@dmulder What would you think about using a fitting certmonger getcert-request command-line parameter for transferring the AD password to cepces-submit as environment variable. "-L" might work. |
IIRC, you can list those later, so you would still be exposing the password. |
Thinking about it twice, -L probably wouldn't even work the way I imagined because certmonger will incorporate the SCEP challenge password directly into the CSR and not even pass it to cepces-submit in a separate environment variable.
We could provide a cepces-submit command line parameter, then overwrite the args to prevent seeing the password in a
And by the way:
Despite Microsoft saying otherwise in some parts of their documentation, Certificate authentication to CEP/CES does not require message authentication but works with transport authentication using a TLS client certificate for HTTPS.