cepces

Implement UsernamePassword method

Open hansjoachimknobloch opened this issue 2 years ago • 6 comments

And by the way: Despite Microsoft saying otherwise in some parts of their documentation, Certificate authentication to CEP/CES does not require message authentication but works with transport authentication using a TLS client certificate for HTTPS.

hansjoachimknobloch, Mar 22 '22 12:03

I don't think we should be implementing the username/password authentication, because this encourages users to place passwords in a plain-text file (at least the way it is currently written). An alternative I'd consider is if we stored the creds in a keychain (such as using python keyring).

dmulder, Mar 22 '22 14:03

@hansjoachimknobloch Maybe you could separate the UsernamePassword and Certificate auth methods into 2 different merge requests here. I'm ok with the Certificate auth. Then we could continue to work through a potential solution for UsernamePassword auth.

dmulder, Mar 22 '22 14:03

@dmulder What would you think about using a fitting certmonger getcert-request command-line parameter for transferring the AD password to cepces-submit as an environment variable. "-L" might work. However I do not yet know whether and if so, where, certmonger stores such passwords for certificate renewal.

hansjoachimknobloch, Mar 22 '22 14:03

@dmulder What would you think about using a fitting certmonger getcert-request command-line parameter for transferring the AD password to cepces-submit as an environment variable. "-L" might work. However I do not yet know whether and if so, where, certmonger stores such passwords for certificate renewal.

IIRC, you can list those later, so you would still be exposing the password.

dmulder, Mar 22 '22 14:03

IIRC, you can list those later, so you would still be exposing the password.

Thinking about it twice, -L probably wouldn't even work the way I imagined because certmonger will incorporate the SCEP challenge password directly into the CSR and not even pass it to cepces-submit in a separate environment variable.

hansjoachimknobloch, Mar 22 '22 15:03

@dmulder What would you think about using a fitting certmonger getcert-request command-line parameter for transferring the AD password to cepces-submit as an environment variable. "-L" might work. However I do not yet know whether and if so, where, certmonger stores such passwords for certificate renewal.

We could provide a cepces-submit command line parameter, then overwrite the args to prevent seeing the password in a ps.

dmulder, Jul 11 '22 15:07
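
The exposure the thread is weighing, as an added example that is not part of the original thread and is not code from cepces or certmonger: on Linux it starts a stand-in child process with a password passed as a command-line argument, as an environment variable, or on stdin, and checks whether the value is readable from `/proc/<pid>/cmdline` (the data `ps` displays) or `/proc/<pid>/environ`. The child command, the `--password` option and the `EXAMPLE_PASSWORD` variable are hypothetical names, and the password is a constructed sample value.

```python
import os
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample value, not a real credential

# Stand-in for a submit helper (hypothetical): reads one line (the password when it
# is sent on stdin), then blocks on a second read until the parent closes stdin.
CHILD = "import sys; sys.stdin.readline(); sys.stdin.readline()"


def proc_fields(pid, name):
    """Split /proc/<pid>/cmdline or /proc/<pid>/environ into NUL-separated fields."""
    with open(f"/proc/{pid}/{name}", "rb") as fh:
        return [f.decode(errors="replace") for f in fh.read().split(b"\0") if f]


def exposure(channel):
    """Start the child with SECRET passed via `channel`; report where it is visible."""
    argv = [sys.executable, "-c", CHILD]
    env = None  # None means: inherit the parent's environment unchanged
    if channel == "argv":
        argv += ["--password", SECRET]  # hypothetical option name
    elif channel == "env":
        env = dict(os.environ, EXAMPLE_PASSWORD=SECRET)  # hypothetical variable name
    proc = subprocess.Popen(argv, env=env, stdin=subprocess.PIPE)
    try:
        if channel == "stdin":
            proc.stdin.write(SECRET.encode() + b"\n")
            proc.stdin.flush()
        # Inspect the still-running child the way another local process could.
        return {
            "cmdline": any(SECRET in f for f in proc_fields(proc.pid, "cmdline")),
            "environ": any(SECRET in f for f in proc_fields(proc.pid, "environ")),
        }
    finally:
        proc.communicate()  # closes stdin so the child's second read returns and it exits


if __name__ == "__main__":
    for channel in ("argv", "env", "stdin"):
        print(channel, exposure(channel))
```

The argument-based run shows the password in the process listing for as long as the arguments are left unmodified, which is the window an overwrite of the args is meant to close.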