Is there a walk through on how to deploy authentication.conf

stemo76
Explorer

I want to use my deployment server to distribute the authentication.conf file but that leaves an unencrypted password in my deployment-apps folder.

I have been searching through and have found a couple solutions.

1) is to copy the splunk.secret file to each server that will receive the authentication.conf file and copy the hashed authentication file from that server and add it to the deployment-apps folder.

2) Copy the file, and also copy the $SPLUNK_HOME/etc/auth/splunk.secret file, and copy and edit the $SPLUNK_HOME/etc/system/local/server.conf and the $SPLUNK_HOME/etc/passwd files, as these files contain hashes that depend on splunk.secret, and will be invalid with a new splunk.secret. Note that the usual server.conf file has a server specific host name in it, but you could replace that with the line serverName = $HOSTNAME to use the environment variable rather than having it hard-coded.

The problem with solution number 2 is that I can't seem to edit the passwd file.

1 Solution

dwaddle
SplunkTrust

There really isn't a good way of doing this. If all servers use the same splunk.secret file from birth (that is, you copy the splunk.secret file over before ever starting Splunk for the first time), you can distribute authentication.conf with hashed passwords.

Once Splunk has been started and created files using the value of splunk.secret it is (as you noted with the passwd file) much more difficult to find/fix them all.

In our deployment, we learned this a little too late. Our DS pushes out authentication.conf with LDAP bind credentials in the clear in myapp/local/authentication.conf. This app is pushed with restartSplunkd=true so any change to it forces a restart. Upon restart, each Splunk updates its own local copy and re-hashes using its own splunk.secret. So the password is in the clear all the time on the deployment server, and very briefly on each indexer and search head. Under the circumstances it's not the worst.
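
One way to catch the exposure dwaddle describes before a push happens, as an added example that is not from this thread: a POSIX shell check that walks the deployment-apps tree and flags any authentication.conf whose bindDNpassword (the real key Splunk uses for the LDAP bind credential) has not been rewritten into Splunk's encrypted form, which starts with a $1$ or $7$ prefix. The deployment-apps path and the idea of running it as a pre-push hook are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Scan a deployment-apps tree for
# authentication.conf files whose bindDNpassword is still in clear text.
# Splunk stores encrypted values with a "$1$" or "$7$" prefix; anything
# else in that key is plaintext that would be pushed to every client.
# Assumes app paths contain no whitespace (true for normal Splunk apps).

check_auth_conf() {
    dir="$1"
    total=0
    for f in $(find "$dir" -type f -name authentication.conf 2>/dev/null); do
        # Count bindDNpassword lines whose value lacks the $1$/$7$ prefix.
        # Splitting on '=' is safe here: only the start of the value matters.
        n=$(awk -F'=' '
            tolower($1) ~ /^[[:space:]]*binddnpassword[[:space:]]*$/ {
                v = $2; sub(/^[[:space:]]+/, "", v)
                if (v !~ /^[$][17][$]/) c++
            }
            END { print c + 0 }' "$f")
        if [ "$n" -gt 0 ]; then
            echo "CLEARTEXT: $f ($n bindDNpassword value(s) not encrypted)"
            total=$((total + n))
        fi
    done
    # Non-zero exit so a pre-push hook can refuse to deploy the app.
    [ "$total" -eq 0 ]
}

# Usage: sh check_auth_conf.sh /opt/splunk/etc/deployment-apps (assumed path)
if [ $# -gt 0 ]; then
    check_auth_conf "$1"
fi
```

The check only proves the file on the deployment server is hashed; as the answer notes, that hash is only valid on clients that share the same splunk.secret.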

stemo76
Explorer

Thanks for the confirmation, this is what we were thinking, but since a couple of people have posted possible solutions I thought there might be a way.

Guess we will just copy the file to each box and run the splunk restart to hash the password. I don't see this changing much, so it shouldn't be that big of a deal.
