If any user gains access to this configuration file, will he be able to connect to Elasticsearch as a client by passing the node certificate JKS file and password?
Is there any provision to have these passwords encrypted in the config file?
If one gets a node certificate and the keystore password, it may be possible to boot a node, connect to the cluster and get the data.
So the node certificates and the password need to be kept secure (for example by leveraging Unix file permissions). To avoid plaintext passwords in config files you can
use environment variables to mitigate this.
But luckily there is one additional TLS feature which can help here: hostname validation.
If this is enabled (which is the default), an attacker has to assign the hostname of the certificate to the hostile machine, which is hard in a corporate network because you normally need access to the DNS server
to do this.
On 01.11.2017 at 19:56, md md <lives1978@gmail.com> wrote:
In the elasticsearch.yml file, we have the node certificate and its password like below
If any user gains access to this configuration file, will he be able to connect to Elasticsearch as a client by passing the node certificate JKS file and password?
Is there any provision to have these passwords encrypted in the config file?
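Added example to illustrate the three mitigations in the reply above. This is my own code, not code from the thread, from Search Guard or from Elastic. It assumes the `${VAR}` placeholder form that Elasticsearch substitutes from the environment when it reads elasticsearch.yml, uses the Search Guard `searchguard.ssl.transport.*` setting names only as sample keys in two constructed configs (the keystore files it creates are dummies, not real JKS files), and implements a minimal hostname check of the kind hostname verification performs, to show why a stolen node certificate for `node-0.es.example.com` is useless when presented from a host whose name does not match.

```python
import os
import re
import stat
import tempfile

# Elasticsearch replaces ${VAR} in elasticsearch.yml with the environment
# variable VAR at startup; this regex mirrors that placeholder form (assumed
# syntax, plain ${VAR} only, no defaults).
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample configs (Search Guard setting names used only as sample keys).
WEAK_CONFIG = """\
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: true
"""

HARDENED_CONFIG = """\
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: ${SG_KS_PASSWORD}
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: ${SG_TS_PASSWORD}
searchguard.ssl.transport.enforce_hostname_verification: true
"""


def render_config(template, env):
    """Resolve ${VAR} placeholders from env; refuse to continue if one is unset."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]
    return PLACEHOLDER.sub(repl, template)


def parse_flat_yaml(text):
    """Parse 'key: value' lines; enough for the scalar settings used above."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(template, config_dir):
    """Report plaintext secrets in the template and a keystore other users can read."""
    findings = []
    for key, value in parse_flat_yaml(template).items():
        if key.endswith("password") and not PLACEHOLDER.fullmatch(value):
            findings.append(f"plaintext secret in config: {key}")
        if key.endswith("keystore_filepath"):  # path is relative to the config dir
            mode = stat.S_IMODE(os.stat(os.path.join(config_dir, value)).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{value} is accessible to group/other: {oct(mode)}")
    return findings


def hostname_matches(san_dns_names, peer_hostname):
    """Minimal RFC 6125-style check: exact match, or one leftmost wildcard label."""
    peer = peer_hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_dns_names):
        if name == peer:
            return True
        if (name.startswith("*.") and peer.count(".") == name.count(".")
                and peer.endswith(name[1:])):
            return True
    return False


def demo():
    """Audit both configs in a scratch config dir; return (weak, hardened) findings."""
    with tempfile.TemporaryDirectory() as config_dir:
        for fname in ("node-0-keystore.jks", "truststore.jks"):
            with open(os.path.join(config_dir, fname), "wb") as f:
                f.write(b"constructed placeholder, not a real JKS")
        keystore = os.path.join(config_dir, "node-0-keystore.jks")
        os.chmod(keystore, 0o644)   # common default: readable by every local user
        weak = audit(WEAK_CONFIG, config_dir)
        os.chmod(keystore, 0o600)   # owner-only, as the reply suggests
        hardened = audit(HARDENED_CONFIG, config_dir)
        return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak config:", weak)
    print("hardened config:", hardened)
    secrets = {"SG_KS_PASSWORD": "s3cret", "SG_TS_PASSWORD": "s3cret"}
    print(render_config(HARDENED_CONFIG, secrets))
    print(hostname_matches(["node-0.es.example.com"], "attacker.example.com"))
```

Moving the password into an environment variable only shifts the secret to the process environment of the node, which is readable by the same user (and root), so the file-permission part still matters; the hostname check is what turns a stolen certificate into something the attacker can only use from a machine that resolves to the certificate's name.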