On Mon, 2024-09-02 at 11:44 -0500, [email protected] wrote:
> It's not a good practice to store passwords in plain text, period.
> Shiro.ini in particular gets checked into code repositories, and it's
> not a good place for passwords to be.
>
> Current "good practice" is something called "zero trust" and just
> because the system is behind ssh, it doesn't mean
> that a threat actor cannot hack into it some other way, and get the
> password.
> Plain-text passwords just open up more security threats than you can
> possibly think of.
Thank you for your advice, Lenny. I do appreciate it, and in general you are certainly right. However, in my example we are not talking about real users and passwords but only about the technical accounts used to talk to the AD or JDBC realm when authenticating or authorising a real user against it. Those technical users have zero rights or capabilities; they can only query the realm for "is password valid for user" or "does user have role". So I don't see any possibility of harm in this specific scenario, even when publishing those passwords on the internet. It's just audit drones searching for a justification of their mere existence.

For us, shiro.ini or any client/user-specific setting/configuration is always FAR AWAY from the source, in its own Linux OS user config directory. But that's a story for another day, and I am going off topic here.

The provided documentation solves my problem, and I thank you both.

All the best
Andreas
