Disallow fetching the ticket salt via REST API #7863
Conversation
We have to coordinate this with @Thomas-Gelf since afaik the Director makes use of this salt.
@lippserd Thanks for mentioning, I forgot to copy the commit message into this PR.
Well, some time later, this issue was rediscovered and considered more urgent, which led to GHSA-98wp-jc6q-x5q5. Commit 4fca009 is therefore obsolete now. I'd still consider including 6a566ef though.
@julianbrost Thanks for finally fixing the security problem after 5 years (Icinga/icingaweb2-module-director#401 #4485). It had been tiring to argue for the change, disallowing auto-signing tricked by agent setups for convenience. Yet I imagine that there are countless installations out there which have the raw ticket_salt private key fetch mechanism embedded in their scripts, following the bad practice suggested by upstream. Feel free to cherry-pick the mentioned commit and/or close the PR, I don't have access to this repository anymore.
6a566ef
to
4d57de2
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Michael Friedrich.
@bobapple If you can and want to do something about this, please do it. Otherwise feel free not to do it. We all know the situation from law POV and I don’t care for that one red CI result.
Create a new PR with that change and remove this one. Or reset the author.
```
curl -ksSu root:123456 -H 'Accept: application/json' https://127.0.0.1:5665/v1/variables\?pretty\=1 |grep TicketSalt
```
Before:
```
"name": "TicketSalt",
```
After: (no output)
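The curl-and-grep check above can be turned into a repeatable audit of the `/v1/variables` endpoint. The following is an added example written for this thread, not Icinga 2 project code: it assumes the documented `/v1/variables` response shape (`{"results": [{"name": ..., "type": ..., "value": ...}]}`), HTTP basic auth as in the curl call, and uses constructed sample responses standing in for the "before" and "after" states shown in the review comment.

```python
"""Audit an Icinga 2 /v1/variables response for exposed secret constants.

Added example for this PR thread; not Icinga 2 project code. It assumes
the /v1/variables response shape of the Icinga 2 API:
{"results": [{"name": ..., "type": ..., "value": ...}, ...]}.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

# Constants that must never be readable through the REST API.
SECRET_CONSTANTS = frozenset({"TicketSalt"})


def exposed_secrets(payload, secret_names=SECRET_CONSTANTS):
    """Return the names of secret constants present in a parsed
    /v1/variables payload (dict), in the order the API listed them."""
    found = []
    for entry in payload.get("results", []):
        name = entry.get("name")
        if name in secret_names:
            found.append(name)
    return found


def check_payload_text(text):
    """Parse a raw JSON response body and return (ok, exposed_names)."""
    exposed = exposed_secrets(json.loads(text))
    return (len(exposed) == 0, exposed)


def fetch_variables(base_url, user, password, verify_tls=True, timeout=10):
    """Fetch /v1/variables from an Icinga 2 API endpoint and return the
    parsed JSON. verify_tls=False mirrors 'curl -k' from the thread and is
    only acceptable against a local test instance."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/v1/variables",
        headers={"Accept": "application/json",
                 "Authorization": "Basic " + token},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real instance).
BEFORE_FIX = json.dumps({"results": [
    {"name": "NodeName", "type": "String", "value": "icinga2-master"},
    {"name": "TicketSalt", "type": "String", "value": "<constructed-salt>"},
]})
AFTER_FIX = json.dumps({"results": [
    {"name": "NodeName", "type": "String", "value": "icinga2-master"},
]})


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in
    # fetch_variables("https://127.0.0.1:5665", "root", "123456", verify_tls=False)
    # to audit a live test instance.
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, names = check_payload_text(text)
        print(f"{label}: {'OK' if ok else 'EXPOSED ' + ', '.join(names)}")
```

The check keys on the constant name rather than on the value, so it stays valid regardless of what the salt is set to, and `SECRET_CONSTANTS` can be extended if an installation defines further secret-bearing constants.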
Even resetting the author so that GitHub recognises him doesn’t help (not to mention .mailmap): Al2Klimov#15 Not the first time we ignore some checks knowing that actually everything is OK. 🤷♂️
For security reasons, we should disable fetching this credential-specific constant.