Searchguard SSL 2.2.1 - Hashing Keystore & Truststore passwords in elasticsearch.yml

Hello,
Is there a way to hash the SearchGuard SSL passwords in the elasticsearch.yml?

(similar to the ability to do so for the internal users' passwords)

searchguard.ssl.transport.keystore_password: $2a$12$6yYNpk.hUgA2jZqGJZ3koOftlAPJeoV9MQoZU0I/cFJx2mgWukcNS

searchguard.ssl.http.keystore_password: $2a$12$6yYNpk.hUgA2jZqGJZ3koOftlAPJeoV9MQoZU0I/cFJx2mgWukcNS

searchguard.ssl.transport.truststore_password: $2a$12$6yYNpk.hUgA2jZqGJZ3koOftlAPJeoV9MQoZU0I/cFJx2mgWukcNS

searchguard.ssl.http.truststore_password: $2a$12$6yYNpk.hUgA2jZqGJZ3koOftlAPJeoV9MQoZU0I/cFJx2mgWukcNS

It seems that the code in src/main/java/com/floragunn/searchguard/ssl/SearchGuardKeyStore.java assumes the passwords are regular properties in plain text (or the default "changeit").

Thanks

Liad

There is no way to do it. This is because of two reasons:
- It's not possible to hash the password, because the plain passwords are needed inside the code (Java API).
- It would make no real sense to encrypt them and decrypt them when we need the plain value, because we would have to store the key somewhere on the disk as well. This would make it harder for an attacker, but from a security point of view it would not add any real additional security. There is one scenario where this could possibly make sense: if you would like to check the config (elasticsearch.yml) in to a version control system and the key would reside on the server only. But I would not recommend such an approach.


On 19.05.2016 at 07:44, Liad Levi-Raz <liadl777@gmail.com> wrote:
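The reply above draws a distinction that is easy to miss: a user login password only has to be verified, so a hash is enough, but a keystore or truststore password is the input to the key derivation that unlocks the store, so the loader needs the plain value. The following added example (not Search Guard code, and not a real PKCS12/JKS implementation) models both roles with hashlib/hmac-based toy primitives, plus the "encrypt it with a key on disk" variant the reply discusses. The store layout, the stream cipher, the function names and the sample values are all constructed for this illustration.

```python
"""Constructed example: why a keystore password cannot be stored as a hash,
while a user login password can. Toy primitives built on hashlib/hmac only;
not a real keystore format and not production cryptography."""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def _derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in for the KDF a PKCS12/JKS keystore applies to its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over data (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), "sha256").digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# Role 1: a verification secret (internal user passwords). Only the hash is
# stored; at login the candidate is re-hashed and compared.

def store_user_password(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive_key(password, salt)}


def verify_user_password(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(record["hash"], _derive_key(candidate, record["salt"]))


# Role 2: a decryption secret (keystore/truststore passwords). The password
# feeds the KDF that unlocks the store, so the plaintext is needed at load time.

def seal_keystore(private_key: bytes, password: str) -> dict:
    salt = os.urandom(16)
    key = _derive_key(password, salt)
    ciphertext = _keystream_xor(key, private_key)
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()  # detects a wrong password
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def open_keystore(store: dict, password: str) -> bytes:
    key = _derive_key(password, store["salt"])
    expected = hmac.new(key, store["salt"] + store["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, store["tag"]):
        raise ValueError("keystore password was incorrect")
    return _keystream_xor(key, store["ciphertext"])


# The "encrypt the password with a key kept on disk" variant: the config value
# becomes ciphertext, but whoever can read both files recovers the plaintext.

def wrap_password(password: str, disk_key: bytes) -> bytes:
    return _keystream_xor(disk_key, password.encode("utf-8"))


def unwrap_password(wrapped: bytes, disk_key: bytes) -> str:
    return _keystream_xor(disk_key, wrapped).decode("utf-8")


def demo() -> dict:
    """Runs the three cases and returns their outcomes (hypothetical values)."""
    password = "changeit"                 # the default the thread mentions
    fake_private_key = os.urandom(48)     # constructed stand-in for a DER/PEM key

    # Case 1: hashing works because only a comparison is needed.
    record = store_user_password(password)
    user_ok = verify_user_password(record, password)
    user_wrong = verify_user_password(record, "Changeit")

    # Case 2: the stored hash cannot open a keystore; to the loader it is just
    # another wrong password, which is what a $2a$... value in
    # keystore_password would amount to.
    store = seal_keystore(fake_private_key, password)
    opened_with_plain = open_keystore(store, password) == fake_private_key
    try:
        open_keystore(store, record["hash"].hex())
        opened_with_hash = True
    except ValueError:
        opened_with_hash = False

    # Case 3: the wrapped password is recoverable by anyone holding both files.
    disk_key = os.urandom(32)
    recovered = unwrap_password(wrap_password(password, disk_key), disk_key)

    return {
        "user_password_verified": user_ok,
        "wrong_user_password_rejected": not user_wrong,
        "keystore_opened_with_plain": opened_with_plain,
        "keystore_opened_with_hash": opened_with_hash,
        "wrapped_password_recovered": recovered,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence for a deployment is the one the reply gives: treat the keystore password as a file-system secret, restrict read access to the elasticsearch.yml and keystore files to the Elasticsearch service account, and keep the file out of version control rather than expecting a hash or an on-host encryption key to protect it.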

Thank you for the quick reply.
I have strict security requirements not to keep any plain passwords on the disk.

We will try to think of something.

Best regards,
Liad