I’ve been tasked with setting up a small proof of concept for StackStorm, before we take it any further. So far, initial feedback has been positive, and I’ve made some good ground over where we were before. Anyway, my question is this: how do we securely collect, and pass, user passwords in a workflow?
So, some context… we’re a company that has to comply with PCI DSS regulations, so aggressive password expiry is enforced (regardless of the fact it doesn’t help with security, but let’s not go there…). Another feature of PCI DSS means that everything is segmented, so if we want to do a complex workflow, then it’ll need to cross over many different authentication zones (most, but not all of which will be AD backed).
Some of the workflow steps will be running existing PowerShell scripts, others BASH commands/scripts.
As a result of this, I think that the best way for us to design the workflows is for it to ask for each password that will be needed at run time, as this can be done by our users from the web UI, and doesn’t require any CLI interaction for constantly updating datastore objects as passwords expire.
So with that in mind, how can I securely capture the passwords, and pass them through to each of the different actions/scripts? (How BASH/PowerShell deals with the string it receives, I can worry about)
I can do this as a string (or a secret string), but that doesn’t seem particularly secure. Maybe I’m missing something really obvious, but I’ve not seen anything in my reading around…