
Hosts can acquire valid password via password change

Open john-odonnell opened this issue 4 years ago • 0 comments

Summary

Hosts, as non-human roles, are intended to only have an API key, and not a password. Setting a host's password is possible by making a request to the API endpoint to change a role's password using curl and a valid form of authentication. The password is then accepted as a valid means of authentication.

Steps to Reproduce

curl -X PUT -v --data My-Passw0rd\! --user 'host/host1:<api_key>' http://<conjur_host>/authn/dev/password

Expected Results

Request to change a host's password should be denied.

Actual Results (including error logs, if applicable)

A successful password change, and HTTP status 204 indicating such.

Reproducible

  • [ ] Always
  • [ ] Sometimes
  • [ ] Non-Reproducible

Version/Tag number

1.10.0

Environment setup

Found using the Conjur development environment detailed here.

Additional Information

john-odonnell, Nov 02 '20 14:11
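As an added illustration of the expected behaviour described in the report (a password change must be refused for host roles, which are meant to hold only an API key), the following Ruby snippet models a guard in front of the PUT /authn/&lt;account&gt;/password endpoint. It is example code written for this page, not Conjur's own implementation: the module and method names, the login-to-role-kind mapping (a "host/" prefix marks a host, anything else a user) and the 403, 404 and 422 responses for denied or malformed requests are assumptions; only the 204 on success mirrors what the report observed.

```ruby
# Added example (not Conjur's code): a guard modelling the behaviour the
# issue expects, namely that only user roles may set a password.
# Login names follow the form seen in the report's curl command
# ("host/host1" for a host; "alice" or "user/alice" for a user).
# Module/method names and the 403/404/422 statuses are assumptions.

module PasswordChangeGuard
  # Map a basic-auth login to a role kind. A bare name is a user,
  # "user/<id>" and "host/<id>" are explicit, anything else is unknown.
  def self.role_kind(login)
    return "user" unless login.include?("/")
    kind, _id = login.split("/", 2)
    return kind if %w[user host].include?(kind)
    "unknown"
  end

  # Hosts are non-human roles intended to have only an API key, so a
  # password change is permitted for user roles only.
  def self.password_change_allowed?(login)
    role_kind(login) == "user"
  end

  # Simulates the endpoint decision and returns [status, message].
  # 204 mirrors the success status reported in the issue; 403 for a
  # denied change is an assumed choice, not Conjur's documented status.
  def self.handle_password_change(path, login, new_password)
    unless path.match?(%r{\A/authn/[^/]+/password\z})
      return [404, "not a password endpoint: #{path}"]
    end
    return [422, "empty password"] if new_password.to_s.empty?
    unless password_change_allowed?(login)
      return [403, "password change denied for #{role_kind(login)} role #{login}"]
    end
    [204, "password changed for #{login}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests mirroring the report's curl call.
  [["/authn/dev/password", "host/host1", "My-Passw0rd!"],
   ["/authn/dev/password", "alice", "My-Passw0rd!"]].each do |path, login, pw|
    status, msg = PasswordChangeGuard.handle_password_change(path, login, pw)
    puts "#{login}: HTTP #{status} (#{msg})"
  end
end
```

Run stand-alone, the host request is answered with the assumed 403 and the user request with 204; the same role-kind check is also the field a reviewer would look for in audit logs when confirming whether a host ever succeeded in setting a password.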