
Docker password still visible from credential store #129

Open
shen3lu4 opened this issue Nov 7, 2018 · 10 comments

Comments

@shen3lu4

shen3lu4 commented Nov 7, 2018

The reason for using docker-credential-pass is to keep the Docker password secure. Prior to this the password is stored in ~/.docker/config.json with a base64 encoding which can be easily decoded. However, after following all the steps and successfully setting up a credential store, I can still easily retrieve the password in plain text using this command: echo "<ServerURL>" | docker-credential-pass get

Is there something that I overlooked or didn't understand?

@joelnb

joelnb commented Nov 20, 2018

Hi @shen3lu4

When creating your GPG key which you have configured pass with did you choose a password? If so you should only be able to access the plaintext password after typing the password for your key (possibly making use of gpg-agent). This would be the same level of security as every other password you have stored using pass (if you were using keepass this is a bit like having your database unlocked).

Personally I have my GPG key for pass stored on a smartcard, so if I try to run your example command without the smartcard connected I get a message telling me to insert it. If I then insert the smartcard I get prompted to unlock it, and then I am able to access passwords until the next time I remove and reconnect it.

Hope this helps and I have understood correctly what you are asking.

@shen3lu4
Author

Thanks for your reply. The problem I have is it never asks me for gpg passphrase when I try to retrieve the password. Here are my steps after the gpg key is generated with a passphrase:

$ pass init "<uid of the gpg key generated earlier>"
Password store initialized for <uid>
$ pass insert docker-credential-helpers/docker-pass-initialized-check
Enter password for docker-credential-helpers/docker-pass-initialized-check: <I entered a new password abcde>
Retype password for docker-credential-helpers/docker-pass-initialized-check: <reentered abcde>
# in fact I am not sure when this new password abcde is used
$ docker-credential-pass list
{}

# after that I do a docker login then run this:
$ echo "" | docker-credential-pass get
{"ServerURL":"","Username":"xxxx","Secret":"xxxxxx"}
# no gpg passphrase was ever asked

Could it be that the passphrase is stored somewhere? I am not using a smartcard, but I think there should be a similar level of security as well.

@joelnb

joelnb commented Nov 20, 2018

I think probably you have a gpg-agent process running. You could check that with:

ps aux | grep [g]pg-agent

If it is running you should be able to run killall gpg-agent and the next time you try the command it should prompt for the passphrase again.
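The two checks this thread keeps coming back to, whether ~/.docker/config.json still holds decodable inline auths (the opening comment) and whether gpg-agent currently holds the key unlocked (the comment above), as an added Python example that is not part of docker-credential-helpers. The sample config and KEYINFO lines are constructed, and the KEYINFO field layout is assumed from gpg-agent's documented output.

```python
"""Added audit helpers (not part of docker-credential-helpers): report inline
'auth' entries in a docker config.json and keys gpg-agent holds unlocked."""
import base64
import json
import subprocess


def audit_docker_config(config_text: str) -> list:
    """Return findings for the body of a docker config.json."""
    cfg = json.loads(config_text)
    findings = []
    if "credsStore" in cfg:
        findings.append("credsStore=%s" % cfg["credsStore"])
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue
        # Inline 'auth' is base64("user:password"): anyone who can read the file
        # can decode it. Report the user, never echo the secret.
        user = base64.b64decode(auth).decode("utf-8", "replace").split(":", 1)[0]
        findings.append("inline credential for %s (user %s)" % (registry, user))
    return findings


def cached_keygrips(keyinfo_output: str) -> list:
    """Parse `gpg-connect-agent 'KEYINFO --list' /bye` output; return keygrips
    whose passphrase is cached. Assumed layout per gpg-agent docs:
    S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ..."""
    grips = []
    for line in keyinfo_output.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[:2] == ["S", "KEYINFO"] and parts[6] == "1":
            grips.append(parts[2])
    return grips


def live_cached_keygrips() -> list:
    """Ask the running gpg-agent (if any) which keys are unlocked right now."""
    proc = subprocess.run(["gpg-connect-agent", "KEYINFO --list", "/bye"],
                          capture_output=True, text=True, check=False)
    return cached_keygrips(proc.stdout)


# Constructed sample inputs (not taken from the issue).
SAMPLE_CONFIG = json.dumps({"credsStore": "pass", "auths": {
    "registry.example.com": {"auth": base64.b64encode(b"alice:hunter2").decode()}}})
SAMPLE_KEYINFO = "S KEYINFO AAAA1111 D - - 1 P - - -\nS KEYINFO BBBB2222 D - - - P - - -\nOK\n"
```

An empty list from live_cached_keygrips() on a box where you have already run docker login means gpg-agent is not holding the passphrase, which is the state the commenter above reaches with killall gpg-agent.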

@fooksca

fooksca commented Nov 20, 2018

That's the point of this software. Basically, it's a means of storing the password somewhere secure so that you can retrieve it without having to type your password again. However, only you can do so, because your being logged in to your user account is the means by which it does so.

For example, on a Mac, it uses the Keychain to securely store your password. The Keychain is secured to your account, and when you log in, it unlocks it so you can access it without having to type your password in. When you log out, it is locked again.

You can see the mechanisms it uses here. You'll find it's using one of these, not GPG, to do it. (Although the mechanism itself may be using GPG under the covers.)

HTH.

@shen3lu4
Author

@fooksca Thanks! The issue we have is that an admin user can easily retrieve the password as well when the passphrase is cached. I tried to find a way to prevent that.

@fooksca

fooksca commented Nov 25, 2018

an admin user can easily retrieve the password as well when the passphrase is cached.

How have you "proved" that? That is, what are the steps you took (as what users, etc.) to prove this? The steps you describe above appear to be run as the same user and, as such, everything is behaving correctly.

Have you tried to, e.g., save a password, log out, log in as root and then try to retrieve the password? (Don't just sudo, etc., because you may inherit the environment from the original user.) If that happens then that is of concern!

@joelnb

joelnb commented Nov 25, 2018

I haven't proven it but I'm almost certain that if you're using the pass backend an admin user (with sudo access) can decrypt the password given that you are already logged in and have provided the passphrase to gpg-agent. I can't see any way that this would not be possible - there is nothing to stop the admin user from reading from/writing to the gpg-agent socket. They should not be able to decrypt it once you have logged out or if you have logged in but not started gpg-agent.

I personally use this backend so obviously I don't see this as a major issue - if you're going to access your credentials on a machine where somebody else has root access then you are basically compromising them.

@fooksca

fooksca commented Nov 25, 2018

@joelnb, yeah, totally agree; anyone with root access has full access and all bets are off! But I meant it from a more mundane level. I was trying to show @shen3lu4, by going through that process, that the behaviour described is the point of the tool.

@shen3lu4
Author

@fooksca my steps are simply logging in as root and changing $HOME to the other user's home directory. I didn't sudo back to that user. To @joelnb's point, I guess there is no way to hide the password from an admin. The problem is our docker registry is set to every user's corporate password as it is integrated with AD.

@BeRoots

BeRoots commented Apr 14, 2021

I think the problem is that the docker-credential-pass helper has bad permission settings. Ensure that only allowed users can run it using sudo, and ensure only the admin sudoer can run it (sudoers configuration).
