Passwords in the configuration
nevisAuth sometimes requires passwords to access resources such as keystores, LDAP back ends or RADIUS servers. There are methods to minimize the risk that those passwords are disclosed to people or services that lack the required privileges. Depending on which method you choose, the risk of disclosure varies.
The support of the syntax presented below is dependent on each AuthState implementation. It is only supported by properties where we expect to receive a password or key material.
The following table describes and classifies the methods and provides syntax examples:
| Name of method | Description | Example |
|---|---|---|
| Plain passwords | Storing passwords in clear text is obviously the simplest and least secure method. People and services that have access to the configuration file, such as the esauth4.xml file, will also have access to the passwords used to access other resources. | mysecret |
| Obfuscated passwords | nevisAuth allows to obfuscate passwords using the command nevisauth encSecret. This is almost as simple as storing plain passwords. It only slightly decreases the likelihood of the password being stolen. | secret://J951RtFIiHvtBahr2zeRqVeNejRjlG6W+ITWJ3R7XTM= |
| Passwords from external files | Passwords can be stored in external files and accessed through a URL to the filesystem. Using this method, passwords will not be disclosed in the configuration itself. Only system administrators with privileges to read the file will have access to the plain text passwords. | file:///path/to/passphrase/file/passphrase.txt |
| Piped passwords through commands | It is possible to read passwords from external files. Thus, the passwords cannot be stolen if the esauth4.xml file is shared among other unprivileged users or services, for example, if checked into a repository. The passwords must remain with limited permission on the machine running the nevisAuth process. | pipe:///opt/neviskeybox/bin/keystorepwget**/var/opt/keybox/nevis/authSigner_keystore.jks |
| nevisCred | Using nevisCred is the most secure method for storing passwords. nevisCred is a credential manager designed to store AES-encrypted passwords using a master key, a hardcoded key and a password identifier. Refer to the nevisCred reference guide for details about the internals, setup and configuration. | neviscred://keybox.default.nevis.authSigner |