Hello,
I’ve been testing HashiCorp Vault (non-enterprise edition) v1.12.x and came across a security issue when using the CLI.
When using the vault login command, you are prompted to enter a token; this can be a user token or the root token generated during the setup process.
Whilst this information is hidden when pasting/typing into a terminal, a hidden file called .vault-token is created inside the home directory of the user account issuing the command.
The file is NOT encrypted and the token is saved as plain text, which the Vault CLI references when issuing commands to retrieve or modify information stored in the Vault database.
Removing the token line from this file will result in 403 errors (permission denied) when re-running Vault CLI commands, as the CLI can no longer authenticate.
Exiting the current shell does NOT disconnect the authenticated session, nor does it remove/clear the .vault-token file located in the home folder.
SCENARIO
AdminUser1 logs into the Vault server via SSH and uses the vault login option to perform some tasks via the CLI. Once they’ve completed their tasks, the shell session is terminated and they go about their day.
AdminUser2 logs into the Vault server via SSH to update some packages. Under normal circumstances this user does not have permission to access the data stored in Vault. However, as the .vault-token file still exists, they can easily run Vault CLI commands or retrieve the saved token to access the web UI as the previous user or as root, depending on which token was used.
SUGGESTIONS
Add a logout command for vault cli that removes all authentication data.
Add some level of encryption to the .vault-token file (or remove it completely).
When a session is closed, the local authentication should be revoked from the server/service.
Add TTL (time-to-live) duration for this type of authentication.
If anyone has found a solution to this, or if one already exists, don’t hesitate to reply here.
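As an added example, not part of the original post or of Vault itself, the script below shows the two checks a practitioner would want on a shared Vault host: an audit for stale .vault-token files left in home directories, and a "logout" that revokes the cached token server-side and deletes the file. It relies only on real Vault CLI commands (vault token revoke -self, and vault login with -no-store / -token-only, which keep the token off disk); the function names, the assumption that home directories sit one level under the audited base directory, and the 60-minute staleness threshold are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not Vault project code): audit and clean up ~/.vault-token files
# that `vault login` leaves behind via its default file token helper.
set -u

# List .vault-token files sitting directly in home directories under $1
# (default /home) whose last modification is older than $2 minutes (default 60).
# Assumes the layout <base>/<user>/.vault-token. Prints one path per line and
# returns 0 if at least one stale file was found, 1 otherwise.
find_stale_vault_tokens() {
  local base="${1:-/home}" max_age_min="${2:-60}" found
  found=$(find "$base" -mindepth 2 -maxdepth 2 -type f -name .vault-token \
               -mmin "+$max_age_min" 2>/dev/null)
  [ -n "$found" ] && printf '%s\n' "$found"
}

# "Logout" for the current user: revoke the cached token on the server when the
# CLI is available (so the secret is dead even if a copy was taken), then remove
# the plaintext file. Returns 0 once the file is gone.
vault_logout() {
  local token_file="${HOME}/.vault-token"
  if [ -f "$token_file" ] && command -v vault >/dev/null 2>&1; then
    vault token revoke -self >/dev/null 2>&1 \
      || echo "warning: server-side revoke failed; token stays valid until its TTL expires" >&2
  fi
  rm -f "$token_file"
  [ ! -e "$token_file" ]
}

# Log in without writing ~/.vault-token at all: -token-only prints just the
# token (it implies -no-store), which we keep only in this shell's environment.
# Pass the usual `vault login` arguments, e.g. -method=userpass username=alice.
vault_login_ephemeral() {
  local tok
  tok=$(vault login -no-store -token-only "$@") || return 1
  export VAULT_TOKEN="$tok"
}

# Usage when run directly: report stale token files, then clean up our own.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  if find_stale_vault_tokens /home 60; then
    echo "stale .vault-token files found above" >&2
  fi
  vault_logout && echo "removed ${HOME}/.vault-token"
fi
```

The audit is worth running from cron or a configuration-management check on any host where several administrators share shell access; the logout function is what AdminUser1 in the scenario should have run before closing the session, and vault_login_ephemeral avoids creating the file in the first place.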