[Geoserver-users] Disable the root account ?

Dear List,

I’m currently trying to configure Geoserver for production, and would like to have a setup that is as secure as possible by disabling the root account login. Am I right to understand this is not possible?

I get the idea of having a root password to encrypt the keystore, and I also get the necessity for this password to be encrypted with a constant key by default. But I fail to understand why it should be possible to login to the live server with this password.

This means that if someone gets hold of an old backup, instead of being able only to decrypt whatever was in that old backup (which may not be too useful provided I use digests for user passwords), he can now log in to the live server, and have complete access to everything.

Also it doesn’t seem useful at all, as if I forget the root password and the admin passwords, I could just reconfigure a temporary admin user, and recover the root password from there.

Thanks to Christian, I understood it’s possible to use an external file for the root password (outside of the data directory), which is a great improvement in terms of security, but makes it very easy to completely lose access to the keystore.

Couldn’t there be just a simple config allowing to disable login from the root account? Or are there workarounds? Or is there something else I didn’t get (I’m quite new to Geoserver)?

Thank you !!

Olivier

Hi Olivier

Answers inside


On Tue, Jan 30, 2018 at 10:57 PM, Olivier Dalang <olivier.dalang@anonymised.com> wrote:

Dear List,

I’m currently trying to configure Geoserver for production, and would like to have a setup that is as secure as possible by disabling the root account login. Am I right to understand this is not possible?

Correct, this is not possible. The only hack is to manipulate the file containing the digest for the master password, but this is not recommended.

I get the idea of having a root password to encrypt the keystore, and I also get the necessity for this password to be encrypted with a constant key by default. But I fail to understand why it should be possible to login to the live server with this password.

It is a possibility to log in if

  • nobody knows the admin password
  • you have damaged your user/group service (e.g. file corrupt or lost)
  • your user/group service is not available (e.g. your LDAP server is down).

Remember, users and passwords can be stored in different user/group service implementations whilst the root/master password login works without any attached user/group service. Out of the box GeoServer uses
an XML file based user/group service but many other deployments use LDAP, tables in an SQL database and so on.

This means that if someone gets hold of an old backup, instead of being able only to decrypt whatever was in that old backup (which may not be too useful provided I use digests for user passwords), he can now log in to the live server, and have complete access to everything.

Not if you have your own master password provider (securing the provider is your responsibility) or the master password has changed in the meantime. Access control for backups is beyond the scope of Geoserver.

Also it doesn’t seem useful at all, as if I forget the root password and the admin passwords, I could just reconfigure a temporary admin user, and recover the root password from there.

Of course, if you have full access to your user/group service, but this is not always the case.

Thanks to Christian, I understood it’s possible to use an external file for the root password (outside of the data directory), which is a great improvement in terms of security, but makes it very easy to completely lose access to the keystore.

Hmmm, the URL master password provider requires a URL, you can fetch your master password from other backend systems as you like. It does not have to be a file.

Couldn’t there be just a simple config allowing to disable login from the root account? Or are there workarounds? Or is there something else I didn’t get (I’m quite new to Geoserver)?

A simple config would be to have Y or N in a GeoServer config file. If somebody has access to the file system it is easy to turn it on or off.

Thank you !!

Olivier

Cheers
Cristian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi,

Thanks again Christian for your answer.

It is a possibility to log in if

  • nobody knows the admin password
  • you have damaged your user/group service (e.g. file corrupt or lost)
  • your user/group service is not available (e.g. your LDAP server is down).

Remember, users and passwords can be stored in different user/group service implementations whilst the root/master password login works without any attached user/group service. Out of the box GeoServer uses
an XML file based user/group service but many other deployments use LDAP, tables in an SQL database and so on.

Yes that’s correct, but at the same time, if there’s such a corruption, all it would take is to create a regular XML user/group service to be able to log in again. In my understanding, the only case covered by providing a root account login is when the admin loses access to the filesystem itself…

For now I think I’m going to restrict the backup to workspaces folder only, since I won’t have much elsewhere.

But I definitely think putting that switch in GeoServer config for enabling root login would be worth it, so that at least, if you get the root password from an old backup, you still need to gain access to the filesystem to be able to do any harm.

Cheers,

Olivier

On Wed, Jan 31, 2018 at 7:09 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:
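Olivier's plan above is to keep the master password out of backups by backing up only the workspaces folder. The script below is an added example (not from this thread and not GeoServer's own code) that audits a backup tree before it leaves the host: it flags any file that would carry the master password, its digest or the keystore, and reports whether the backup is really workspaces-only. The file names under security/ follow the usual GeoServer data-directory layout but are an assumption here; check them against your own installation. The sample backup it builds is constructed for the demo.

```python
"""Audit a GeoServer data-directory backup for master-password material.

Added example, not code from the mailing-list thread or from GeoServer.
The sensitive-path list below is an assumption based on the usual layout
of a GeoServer data directory; verify it against your deployment.
"""
from pathlib import Path
import tempfile

# Relative paths (assumed layout) that carry the master/root password,
# its digest, the master password provider config, or the keystore.
# A trailing "/" marks a directory whose whole content is sensitive.
SENSITIVE_PATTERNS = (
    "security/masterpw.digest",   # digest of the master password
    "security/masterpw.xml",      # master password provider selection
    "security/masterpw/",         # provider config and its 'passwd' file
    "security/geoserver.jks",     # the keystore the master password protects
)


def find_sensitive(backup_root: Path) -> list[str]:
    """Return sorted relative paths inside backup_root matching a sensitive pattern."""
    hits = []
    for path in backup_root.rglob("*"):
        if path.is_dir():
            continue
        rel = path.relative_to(backup_root).as_posix()
        if any(rel == pat or rel.startswith(pat) for pat in SENSITIVE_PATTERNS):
            hits.append(rel)
    return sorted(hits)


def workspaces_only(backup_root: Path) -> bool:
    """True when every file in the backup lives under workspaces/."""
    for path in backup_root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(backup_root).as_posix()
            if not rel.startswith("workspaces/"):
                return False
    return True


def build_demo_backup(root: Path) -> None:
    """Create a constructed, minimal backup tree; contents are placeholders."""
    files = {
        "workspaces/topp/workspace.xml": "<workspace><name>topp</name></workspace>",
        "workspaces/topp/namespace.xml": "<namespace><prefix>topp</prefix></namespace>",
        "security/masterpw.digest": "PLACEHOLDER-DIGEST",
        "security/masterpw/default/config.xml": "<urlMasterPasswordProvider/>",
        "security/masterpw/default/passwd": "PLACEHOLDER-PASSWORD",
        "security/usergroup/default/users.xml": "<userRegistry/>",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> dict:
    """Audit the constructed backup and report findings as plain data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_backup(root)
        return {
            "hits": find_sensitive(root),
            "workspaces_only": workspaces_only(root),
        }


if __name__ == "__main__":
    report = demo()
    for rel in report["hits"]:
        print(f"sensitive file in backup: {rel}")
    print("workspaces-only backup:", report["workspaces_only"])
```

Run it against a real backup directory by calling `find_sensitive(Path("/path/to/backup"))`; a non-empty result means the archive still contains master-password material and should not be stored with weaker access control than the live server.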