This repository has been archived by the owner on Sep 9, 2024. It is now read-only.
Having the CLI storing Credentials for the session of the user instead of forever #425
Labels
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is your feature request related to a problem? Please describe.
Today, after connecting, the CLI will store the credentials on any Keystore available or in a .netrc file forever.
Describe the solution you would like
It would be great if instead at the end of the user session the CLI automatically log out.
That would improve the CLI security and ensure that if someone manage to steal the account, he will not be able to escalate via the CLI still connect to Conjur.
The Python Conjur CLI rely on this library for the management of the credentials on the windows side.
By default creating windows credentials with this library will Persist the credential on Enterprise mode. Which mean that the credentials will persist forever on the machine.
However this is something that can be custom. And instead of using the Enterprise mode a Session mode could be use .It would link the life of those credentials with the user session, and make sure that when the user log out, the credentials are removed and automatically the CLI would be logout.
It would be nice if this could become an native option at the login using this for example
conjur login --persist sessionDescribe alternatives you have considered
As a workaround setting this environment variable
($env:KEYRING_PROPERTY_PERSIST='session')allow to force this behavior. And already make the CLI work that way.The text was updated successfully, but these errors were encountered: