How to securely handle multiple passwords


#1

Hi all,

I’ve been tasked with setting up a small proof of concept for StackStorm, before we take it any further. So far, initial feedback has been positive, and I’ve made some good ground over where we before. Anyway, my question is this: how do we securely collect, and pass, user passwords in a workflow?

So, some context… we’re a company that has to comply with PCI DSS regulations, so aggressive password expiry is enforced (regardless of the fact it doesn’t help with security, but let’s not go there…). Another feature of PCI DSS means that everything is segmented, so if we want to do a complex workflow, then it’ll need to cross over many different authentication zones (most, but not all of which will be AD backed).

Some of the workflow steps will be running existing PowerShell scripts, others BASH commands/scripts.

As a result of this, I think that the best way for us to design the workflows is for it to ask for each password that will be needed at run time, as this can be done by our users from the web UI, and doesn’t require any CLI interaction for constantly updating datastore objects as passwords expire.

So with that in mind, how can I securely capture the passwords, and pass them through to each of the different actions/scripts? (How BASH/PowerShell deals with the string it receives, I can worry about)

I can do this as a string (or a secret string), but that doesn’t seem particularly secure. Maybe I’m missing something really obvious, but I’ve not seen anything in my reading around…

Thanks!
Joe


#2

Are you trying to store the passwords somewhere, or are you trying to avoid storing passwords?

As a result of this, I think that the best way for us to design the workflows is for it to ask for each password that will be needed at run time, as this can be done by our users from the web UI, and doesn’t require any CLI interaction for constantly updating datastore objects as passwords expire.

It seems like you are trying to avoid storing passwords then. This is a fairly common pattern.

So with that in mind, how can I securely capture the passwords

Add secret: true to the password input of your workflow. I suspect you have already read it, but we do have a section on secrets in our documentation. Using secret: true will make StackStorm render the password input to your workflow in the web UI as a type=password field, and web browsers will mask that out as it is typed. The cleartext value can be passed to actions in a workflow.

and pass them through to each of the different actions/scripts?

If I understand this part of your question correctly, you should simply be able to create a workflow and pass the credentials to each action.

Also, if you haven’t yet, please review the secret masking page of our documentation for how to mask secrets out of API responses, logs, etc.

I can do this as a string (or a secret string), but that doesn’t seem particularly secure.

What, specifically, is not secure with this arrangement? Is there anything specific we can do to make it more secure for your use case?


(Eugen C.) #3

I’ve heard some groups were utilizing Hashicorp Vault for passwords management and integrated that securely into StackStorm core.
We didn’t see any incoming contribution or detailed info about that use case yet.


(James E. King III) #4

If I was going to add security I would look at integrating with Vault first.