Masking password for kibana basic authentication login

  • Search Guard and Elasticsearch version

SearchGuard 6 - 6.2.2-21
Search-guard-kibana-plugin-6.2.2-10

Elasticsearch & Kibana - 6.2.2

  • Installed and used enterprise modules, if any

none

  • JVM version and operating system version

OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
Red Hat Enterprise Linux Server release 7.4 (Maipo)

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Hi,

Following is the HTTP request being sent from Search Guard for login. Here the username and password are sent as JSON in the body of a POST method and can be seen by anyone sniffing the HTTP request.

Is there a way to mask/hide the username and password? Is there any setting to send the password in headers?

192.168.10.39 ──http─► 192.168.10.51

POST /app/kibana/api/v1/auth/login HTTP/1.1
Host: host10dot51c.server36.lab
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=0000ApvHwDtXcCbc2O0KUhKo_8H:-1
Connection: keep-alive
Origin: https://host10dot51c.server36.lab
Content-Type: application/json;charset=UTF-8
Content-Length: 50

{
 "password" : "Password1",
 "username" : "kibanaadmin"
}

Why are you using HTTP with Search Guard? The whole point of Search Guard is to enable HTTPS between Kibana and Elasticsearch.

On Wed, Aug 1, 2018 at 10:27 AM, ihjaz Mohamed ihjazmohamed@gmail.com wrote:


Sending passwords in headers instead of the POST body does not help if you are using HTTP instead of HTTPS. With unencrypted connections everything can be sniffed, including headers. Using HTTP here is basically the same as using HTTP in online banking: insecure :wink:

So I agree, you need to use HTTPS everywhere, meaning:

Browser -> Kibana -> Elasticsearch

That's the only way to avoid usernames and passwords being sniffed.

On Wednesday, August 1, 2018 at 4:27:00 PM UTC+2, ihjaz Mohamed wrote:
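Added example, not code from the thread or from the Search Guard project: the Python below takes the sniffer's view of the plaintext login that both replies discuss and recovers the credentials whether they travel in the JSON body (as in the capture in the post) or in an Authorization: Basic header, which is why moving them to a header changes nothing on plain HTTP. It then audits a kibana.yml/elasticsearch.yml pair for the three hops (browser to Kibana, Kibana to Elasticsearch, the Elasticsearch REST listener) that the second reply says must all be TLS. The captured request is rebuilt from the post; the header-form request, the configuration snippets, the file paths and the password are constructed for the example, and the setting names (server.ssl.*, elasticsearch.url, elasticsearch.ssl.*, searchguard.ssl.http.*) are taken from Kibana 6.x and Search Guard 6 as I know them, so treat them as assumptions and check them against your own version.

```python
"""Added example for the thread above (not Search Guard or Kibana code).

1. extract_credentials(): what a passive sniffer recovers from a plaintext
   login request, whether the credentials sit in the JSON body (as in the
   capture in the post) or in an Authorization: Basic header.
2. audit_https_everywhere(): flags the settings that leave one of the hops
   browser -> Kibana -> Elasticsearch on plain HTTP.

Setting names follow Kibana 6.x and Search Guard 6 as far as I know them
(assumption: verify against your version); paths and passwords are constructed.
"""
import base64
import json
import re


def build_request(extra_headers, body=b""):
    """Constructed plaintext POST to the login path seen in the post."""
    lines = ["POST /app/kibana/api/v1/auth/login HTTP/1.1",
             "Host: host10dot51c.server36.lab"]
    lines += [f"{k}: {v}" for k, v in extra_headers.items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


# Body form, rebuilt from the capture in the post.
BODY_LOGIN = build_request(
    {"Content-Type": "application/json;charset=UTF-8"},
    b'{\n "password" : "Password1",\n "username" : "kibanaadmin"\n}')
# Header form (constructed): what "send the password in headers" looks like.
HEADER_LOGIN = build_request(
    {"Authorization": "Basic " + base64.b64encode(b"kibanaadmin:Password1").decode()})


def extract_credentials(raw):
    """Return (username, password) from a plaintext HTTP request, or None.
    Without TLS, headers and body are equally visible on the wire, so the
    sniffer simply looks in both places."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.match(r"(?i)basic\s+([A-Za-z0-9+/=]+)$", headers.get("authorization", ""))
    if m:
        user, _, pw = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
        return user, pw
    if headers.get("content-type", "").lower().startswith("application/json") and body:
        try:
            doc = json.loads(body.decode("utf-8"))
        except ValueError:
            return None
        if isinstance(doc, dict) and all(k in doc for k in ("username", "password")):
            return str(doc["username"]), str(doc["password"])
    return None


def _flat_settings(text):
    """Minimal 'key: value' reader for the flat settings used here; it is
    not a YAML parser (no nesting, no multi-line lists)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip().strip("\"'")
    return out


def audit_https_everywhere(kibana_yml, elasticsearch_yml):
    """One finding per hop that is still plaintext; [] means TLS on every hop."""
    kib = _flat_settings(kibana_yml)
    es = _flat_settings(elasticsearch_yml)
    findings = []
    if kib.get("server.ssl.enabled", "false").lower() != "true":
        findings.append("browser->Kibana: server.ssl.enabled is not true, so the "
                        "login POST (and the session cookie) is plaintext")
    url = kib.get("elasticsearch.url", "")
    if not url.lower().startswith("https://"):
        findings.append(f"Kibana->Elasticsearch: elasticsearch.url is '{url}', not https://")
    if kib.get("elasticsearch.ssl.verificationMode", "full").lower() == "none":
        findings.append("Kibana->Elasticsearch: verificationMode none skips certificate checks")
    if es.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        findings.append("Elasticsearch REST: searchguard.ssl.http.enabled is not true, "
                        "so port 9200 still accepts plaintext Basic auth")
    return findings


# Constructed configs: a weak pair that yields the capture in the post, and
# a corrected pair (file paths are assumptions).
KIBANA_WEAK = """
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.10.51:9200"
"""
ES_WEAK = """
searchguard.ssl.http.enabled: false
"""
KIBANA_FIXED = """
server.host: "0.0.0.0"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.pem
server.ssl.key: /etc/kibana/kibana-key.pem
elasticsearch.url: "https://192.168.10.51:9200"
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/root-ca.pem"]
elasticsearch.ssl.verificationMode: full
"""
ES_FIXED = """
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
"""

if __name__ == "__main__":
    for name, req in (("JSON body", BODY_LOGIN), ("Basic header", HEADER_LOGIN)):
        print(f"{name:12s} -> sniffed {extract_credentials(req)}")
    for label, pair in (("weak", (KIBANA_WEAK, ES_WEAK)), ("fixed", (KIBANA_FIXED, ES_FIXED))):
        print(label, audit_https_everywhere(*pair) or ["TLS on every hop"])
```

Both constructed requests yield the same username and password to the sniffer, which is the point of the second reply: the fix is TLS on each hop, not a different place in the request. The audit is deliberately a flat key reader rather than a YAML parser; for a real deployment run it against the actual files with a proper YAML loader and keep verificationMode at full so Kibana also checks the Elasticsearch certificate.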