Hi! I was reading this interesting article about attack your own vault.
I just follow the steps described in order to get a dump of vault memory process, then I played with some grep search and I found this:
{
“lease_id”: “auth/ldap/login/admin/h2675303asdasdsa1a60667875846b59a3ca”,
“client_token”: “s.asdasdopiasdpoiasdopaisd”,
“token_type”: 0,
“path”: “auth/ldap/login/admin”,
“data”: null,
“secret”: null,
“auth”: {
“lease”: 2764800000000000,
“max_ttl”: 0,
“renewable”: true,
“internal_data”: {
"password": "adminpassword"
},
…
This json represents an access token generated by LDAP auth method, with the username and password in cleartext. Right, all theses information is inside the Barrier, but i didn’t expect to find it there. Why Vault keep this password in memory if the authentication process has finished?
After that I execute a tcpdump in my LDAP in order to identify when Vault called ldap again, then I played around Vault, finally I found a called from Vault when I renewed the original access token.
Is this the expected behaviour?
I went through all the documentation and didn’t find anything about it.
Thanks!
Thanks!