Replace admin:admin default credentials

[setiah]

Is your feature request related to a problem? Please describe.
The default admin:admin credential is too weak and a sure-fire way to get hacked. Though the documentation recommends users to change the default passwords, it can be easily missed. Such weak defaults can be very easily exploited and lead to massive data leaks (remember Equifax attack?).

The second gap is, in the existing distribution, there's no default password policy to ensure stronger passwords. It needs to be configured explicitly by users. That is why such weak credentials are able to slip through the cracks.

Describe the solution you'd like
Remove the default passwords provided in internal_users.yml. Instead, have the admin user setup passwords for internal users once the OpenSearch process is up. These passwords can be set up post-installation using a REST API and admin certificates (for authentication). Setting password for admin user would look something like -

PATCH _opendistro/_security/api/internalusers/admin --key admin-key.pem --cert admin.pem --cacert root-ca.pem -d'
{
    "password": "quCn52_8\*N8"
}
'

To make this further easy, OpenSearch distribution could provide a tool such as an OpenSearch shell client to make it easy for admin user to configure all users. This shell client could also help with autogenerating strong passwords and can be further extended to support for more administrative functions in future.

In addition to this, we should also add a default password policy to only allow passwords that match a certain strength criteria. Obv, these policies are overridable depending on the user/enterprise needs. Having a strong default policy will protect against insecure password configurations.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
This is related to opensearch-project/OpenSearch#1618

Task breakdown

• Remove default passwords for inbuilt users in internal_users.yml, deprecate now and remove password field from yml in 2.0
• Configure strong default password policy and also make it overridable via yml.
• Write tool for password setup (to be used by admin).
• Add auto-password-generation logic to the tool to ease user experience during setup.
• Integrate auto-password generation into security plugin bootstrap logic #1787

[dredwilliams]

Agreed -- the inability to change the admin password in particular without wiping the internal user database is a problem.

[AmiStrn]

It seems like this is assuming use of the security plugin. It should be optional to use the security plugin.

I believe this should be mobed to the security plugin repo here - https://github.com/opensearch-project/security

[setiah]

@CEHENKLE I don't have permissions to transfer issues to the security plugin repo. Could you pls do that?

[PhilipMay]

This is a super important security issue. Can you please prioritize it?

PS: it seems like there is something that could handle this - but it is 1. not documented and 2. I am not sure how and if it even works.

https://github.com/opensearch-project/OpenSearch/blob/0ba0e7cc26060f964fcbf6ee45bae53b3a9941d0/distribution/docker/src/docker/bin/docker-entrypoint.sh#L58

[CEHENKLE]

@PhilipMay Agree. Take a look at: opensearch-project/OpenSearch#1029 We plan to make changes this year in a major version, but let's not wait if there are low things we can do before that.

[peternied]

There was a related issue filed opensearch-project/security-dashboards-plugin#1008 where the admin password was not able to be updated in the UX

[zalseryani]

Any update on this case !!

[kingnarmer]

Checking if there is update on this issue ?

[zalseryani]

@kingnarmer

The only way to solve this issue is to add your internal_users.yml under securityConfig.config.data.config.yml configuration section in your helm chart.

Ex:

      internal_users.yml: |-
        ---
        _meta:
          type: "internalusers"
          config_version: 2

        admin:
          hash: ""
          reserved: true
          backend_roles:
          - "admin"

• Use the help of this website to bycrypt hash your password Online Bcrypt Hash Generator

[dblock]

I wrote up https://code.dblock.org/2023/08/08/changing-the-default-admin-password-in-opensearch.html which should show how hard this is to actually do today. I like the idea that the system would come up with a generated password, and require changing that password in a secure way on start.

[decyphertek-io]

Opensearch admin:admin Debian/Ubuntu Solution:

 # Install Opensearch
 sudo apt update && sudo apt upgrade -y
 sudo apt-get update && sudo apt-get -y install lsb-release ca-certificates curl gnupg2
 # This command appears in two lines, make sure to include them in one.
 curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings 
 /opensearch-keyring
 # This command appears in two lines, make sure they are one. 
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch  
 /2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
 sudo apt update && sudo apt install opensearch -y 
 sudo vim /etc/opensearch/opensearch-security/internal_users.yml
 # change reserved: true to reserved: false ( Only on admin , kibanaserver referenced in opensearch_dashboard.yml)
 # Optional: Change the password via hash. ( See command below, not required if reserved:false , can change from GUI. )
 # Optional: Keep in mind reserved:true makes the account immutable. If you need that, then keep it, cant change from GUI.
 
 # Install opensearch-dashboard
 # This command appears in two lines, make sure they are one. 
 curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings 
 /opensearch-keyring
 # This command appears in two lines, make sure they are one
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch- 
 dashboards/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list
 sudo apt update && sudo apt install opensearch-dashboards -y 
 sudo vim /etc/opensearch-dashboards/opensearch_dashboards.yml
 # uncomment server.port: 5601 
 # uncomment and change server.host: "localhost" to server.host: "0.0.0.0"
 # Issue: If you change the kibanaserver password in internal users, you have to add this to opensearch dashboards config.
 # Issue: Do not use ! points in your password hash generator, since it will call bash history and passwords will not match. 

 # Opensearch 2.x > Java 17 compatible
 sudo apt install openjdk-17-jdk 
 export JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::") 
 export OPENSEARCH_JAVA_HOME=$JAVA_HOME 
 java --version 
 echo $JAVA_HOME  
 echo $OPENSEARCH_JAVA_HOME 

 # Start the daemons
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch
 sudo systemctl start opensearch
 sudo systemctl enable opensearch-dashboards
 sudo systemctl start opensearch-dashboards

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

 # Verify opensearch works with new password set:
 curl -XGET -k -u 'admin:NEWPASSWORD' 'https://localhost:9200/_cluster/health?pretty'

 # HTTPS options OpenSearch-Dashboard
 * nginx
 * search guard ( Compatibility unclear 7.10) 
 * Security script process.

 # (Optional) Opensearch Security Script Method:
 # Add your chosen password has to the internal users yml.
 sudo  /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p <new-password>

 # Update the Internal users yml
 sudo vim /etc/opensearch/opensearch-security/internal_users.yml

 # Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/
 # This appears on three lines, except should be one command. 
 sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security 
 /internal_users.yml -t internalusers  -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key 
 /etc/opensearch/kirk-key.pem

[peternied]

@scrawfor99's pull request [1] to address this issue was recently merged in to main. We are about to backport this change into 2.x and want to get some feedback on how we think about approaching this.

Currently Planned Behavior

If a password for the admin account is not supplied, the demo_configuration script will exit early with the following message.

echo "Unable to find the admin password for the cluster. Please run 'export initialAdminPassword=<your_password>' 
or create a file $ADMIN_PASSWORD_FILE with a single line that contains the password."

Otherwise the following will be printed in the middle of the script

echo "   ***************************************************"
echo "   ***   ADMIN PASSWORD SET TO: $ADMIN_PASSWORD    ***"
echo "   ***************************************************"

What do we think about these changes going into the 2.x release? Are there any modifications that would make this more palatable? Note, I'm also going to mark this untriaged to make sure it gets discussed during the next triage meeting.

• [1] Demo configuration script requires admin password #3329

[davidlago]

[Triage] Maintainers agree to take the tradeoff of "breaking" new installs that don't provide a default password for the admin user, for the sake of better securing future cluster installs. This does not break current clusters that get upgraded to a newer version, as those would already have created their admin user/password.

That said, we want to make sure that at the very least we fix the docker images we publish alongside our artifacts (and the functional tests) to account for this change. Until those are addressed, the 2.x backport in #3414 should be blocked.

[guldil]

Opensearch admin:admin Debian/Ubuntu Solution:

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

i can't update admin account : {"status":"FORBIDDEN","message":"Resource 'admin' is reserved."}
i can remove all "non reserved" account
i move to this step

(Optional) Opensearch Security Script Method:

Add your chosen password has to the internal users yml.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p

Update the Internal users yml

sudo vim /etc/opensearch/opensearch-security/internal_users.yml

Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/

This appears on three lines, except should be one command.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security
/internal_users.yml -t internalusers -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key
/etc/opensearch/kirk-key.pem

and it's working admin password is changed and demo account are back gain...

at least I was able to change the default password so thank you :)

[stephen-crawford]

Opensearch admin:admin Debian/Ubuntu Solution:

 # Login ( Can now manage all users from GUI ) 
 http://ip-of-server:5601
 user: admin
 pass: admin
 manage users > management > security > internal users > delete & change passwords

i can't update admin account : {"status":"FORBIDDEN","message":"Resource 'admin' is reserved."} i can remove all "non reserved" account i move to this step

(Optional) Opensearch Security Script Method:

Add your chosen password has to the internal users yml.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p

Update the Internal users yml

sudo vim /etc/opensearch/opensearch-security/internal_users.yml

Dev certs, to generate your own - https://opensearch.org/docs/latest/security/configuration/generate-certificates/

This appears on three lines, except should be one command.

sudo /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /etc/opensearch/opensearch-security
/internal_users.yml -t internalusers -icl -nhnv -cacert /etc/opensearch/root-ca.pem -cert /etc/opensearch/kirk.pem -key
/etc/opensearch/kirk-key.pem

and it's working admin password is changed and demo account are back gain...

at least I was able to change the default password so thank you :)

Hey @guldil, I don't think these changes have gone out yet. You should still be able to use the default credentials admin:admin for the time being. We will have to wait for the next release to roll out these changes (some of which are still in progress courtesy of @DarshitChanpura ) :)

[guldil]

@scrawfor99 but i dont want to use default password, i start a VM with OpenSearch on my private cloud and i can't let the VM with default password, i need remote access on it.

For me it's a good solution, i installed OpenSearch 2.11, i change certificates used by default (root-ca / kirk) with my own certificates issued with my "root-ca-new" and i change admin password with my own "admin" (the default kirk). It helped me understand how this part worked.

[stephen-crawford]

Hi @guldil, thanks for the clarification. What you described should work--I was just trying to clarify why the steps on this issue may not be operable quite yet. Everything listed on the documentation website should still work for your use case.

[guldil]

@scrawfor99 yes i found documentation too late https://opensearch.org/docs/latest/install-and-configure/install-opensearch/debian/#configure-tls, eveything is on it.

Maybe documentation installation of Dashboard could be better https://opensearch.org/docs/latest/install-and-configure/install-dashboards/debian/ and https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/ when you change Certificates / CA (like the TLS one of OpenSearch Only)

[LinTechSo]

Hi,
any updates ?

[kingnarmer]

I am having same issue . Would be good if this cloud be automated. Ideal situation will be to pass the desired password as input to script or playbook.

[zalseryani]

if you are using helm charts for deploying opensearch, you can update your opensearch helm chart to use internal_users.yml template and add your admin user password there,

for future changes, you can use securityadmin.sh for retrieving the security index data (users, roles, rolesmapping, etc) and put them into a folder and update them and re-uploading them to security index again using securityadmin.sh shell also.

• retrieve security index information

./securityadmin.sh -cd ../../../config/security_backup/ -icl -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/admin.pem \
    -key ../../../config/admin-key.pem -r

• update admin bycrypt hash and reupload using the same script (please make sure to rename all the files again without the timestamp or date in the files naming)

./securityadmin.sh -cd ../../../config/security_backup/ -icl -nhnv \
    -cacert ../../../config/root-ca.pem \
    -cert ../../../config/admin.pem \
    -key ../../../config/admin-key.pem

• Note: if you are using opensearch security plugin to have plugins.security.ssl.http.enabled: true in order for secuirtyadmin.sh to work properly

Opensearch Version: 2.9.0 -- deployed with helm chart version (opensearch-2.14.0)

References

• Applying changes to configuration files

[stephen-crawford]

Hi @LinTechSo, @guldil, etc. Just an update: This is actively being worked on by @derek-ho and @DarshitChanpura they are making great progress and hoping to get this out in 2.12. That being said, we have to wait for 2.12 at the earliest since this marks a fairly large UX/UI change from the current way of doing things. You are welcome to check out some of their work over on the repo's pull request list.

[peternied]

@DarshitChanpura Could you link this to the meta issue where we are addressing this?

[DarshitChanpura]

The effort replace default admin password with a custom supplied password is being tracked here:

• [META] Admin user should have a custom non-hardcoded password #3622
• [META] Update all instances of admin:admin across different repositories #3624
• [META] Document changes related to default admin credentials #3415

The issues stemmed from this spike: #3560

If you would like to, please follow these issues along to compute the work done as we target to ship this change with the next release.

[DarshitChanpura]

The default credentials for demo admin user have been replaced with a custom password requirement, and this feature has been shipped in 2.12.0. Marking this issue as complete.

Please feel free to re-open if something was missed.