• iamjackflack@lemm.ee
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    1
    ·
    edit-2
    5 months ago

    Am I the only one in this thread that took this as it’s asking for a clear text credential which is a terrible idea?

    • vithigar
      link
      fedilink
      English
      arrow-up
      30
      ·
      5 months ago

      A temporary one that you’re expected to remove as soon as you’ve created the admin user(s) you need, but yes. It should only be there during initial setup and ideally removed before the server is ever exposed to the internet.

      • BradleyUffner@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        5 months ago

        The “if you no longer need it” part doesn’t really suggest that you are expected to do it as part of normal operation.

      • iamjackflack@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        2
        ·
        5 months ago

        Yes because having a user remember to do something is a great line of defense, better than encrypting it from the get go. It should just be encrypted in the file.

        • gsfraley@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          5 months ago

          I think that’s the way both Splunk and JFrog work – you generate or enter a password into the key field in a YAML file somewhere, start the service, and next time you come back the field’s been encrypted.