Closed adam0306 closed 3 years ago
This is an amazing idea. I think as a starting place we should implement a ccp command with a retrieve-account action like below:
cybr ccp retrieve-account --app-id appIdHere --query "Query=Safe=Billing;Object=MonthlyBilling" --field password
Once we have this command in the cybr-cli we could easily add a cybr logon-ccp command that will leverage the ccp for PAS REST API credentials.
Let me know your thoughts and if this aligns with your end goal.
That sounds perfect
I have created another issue to track the cybr ccp command found here: https://github.com/infamousjoeg/cybr-cli/issues/67
Once that issue has been resolved we can work on implementing it as a logon feature.
Thank you for the awesome feature request and for using the cybr-cli.
The cybr-cli now has the cybr ccp command to easily retrieve a credential from CCP. Now we want to leverage this feature to dynamically retrieve a credential and log into the cybr-cli. The example command should be the following:
cybr ccp logon --safe PAS_REST_API --object name-of-the-object-in-PAS --url https://ccp.company.local
This command will retrieve the account in the PAS_REST_API safe with the object name of name-of-the-object-in-PAS and then use this credential to log into the PAS REST API and initialize the ~/.cybr session file.
@adam0306 Is this a desirable work flow?
It better be!
That sounds great. I tested the CCP retrieval without logon via Windows exe this morning. I'll test with logon next. But that works for me.
@infamousjoeg watch out, I may just have to make a trip down to Tampa.
Hi @adam0306,
After some internal discussion we are running into some snags regarding this feature. The problem is we do not know the authentication type of the returned object. Also we do not know if the returned object address will be the correct PVWA address, because an LDAP platform will have the AD as the address and a CyberArk local account will have the vault hostname as the address. So moving forward we are thinking about adding a --password flag.
Of course this brings up another concern: we do not want to make it easy for developers to put the --password field in the command, in turn writing the password to the history of the shell.
So the newly proposed solution goes as the following:
cybr logon -a LDAP -b https://pvwa.company.com -u MyUsername --non-interactive -p "$(cybr ccp get-account -s safeName -o REST-API-ObjectName -f Content)"
I know this command is rather long but it helps us in a couple of ways.
--non-interactive if they are using the --password flag
I understand this is a different approach than what you proposed but I think it would help us significantly maintain this product.
Thanks, Andrew
I hadn't even thought about the auth type either. Looking ahead the way that I see us using the CCP is via a script so making it longer is no big deal. I agree protecting users from themselves is always a good thing like not printing creds to history. But at the same time they will also find a way depending on their desire.
At the end of the day, a human user should be using interactive cybr logon and be prompted securely to enter their password. Automation should use the cybr logon --non-interactive command and either an environment variable containing the PAS_PASSWORD value (default) -OR- provide the -p/--password flag to provide it through command substitution, as @AndrewCopeland provided in his code example above.
I understand that users will always try to find a way around things. However, I don't want to make it too easy for them to be insecure and lazy.
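The automation pattern described in this thread (fetch the credential from CCP, then hand it to the non-interactive logon through the PAS_PASSWORD environment variable rather than on the command line) as an added POSIX shell example. This is not code from the cybr-cli project; it assumes the command shapes shown above (cybr ccp get-account -s SAFE -o OBJECT -f Content, and cybr logon -a AUTH -b PVWA_URL -u USER --non-interactive reading PAS_PASSWORD). The CYBR_CMD variable is a hypothetical hook so the script can be pointed at a stand-in when the real CLI is not installed.

```shell
#!/bin/sh
# Added example, not cybr-cli project code. Shows how a script can retrieve a
# credential from CCP and log on non-interactively without the secret ever
# appearing in the command line (visible in `ps`) or in shell history.
#
# Assumed command shapes, taken from the discussion in this issue:
#   cybr ccp get-account -s SAFE -o OBJECT -f Content   -> prints the secret
#   cybr logon -a AUTH -b PVWA_URL -u USER --non-interactive
#       -> reads the password from PAS_PASSWORD when -p/--password is absent
#
# CYBR_CMD is a hypothetical hook (not a cybr-cli feature) that lets the
# functions be exercised against a stand-in command in an offline test.
CYBR_CMD="${CYBR_CMD:-cybr}"

# Retrieve the credential content from CCP. The value is written to stdout
# only; callers capture it with command substitution so it is never typed
# interactively, never written to a file and never recorded in history.
fetch_ccp_secret() {
  "$CYBR_CMD" ccp get-account -s "$1" -o "$2" -f Content
}

# Non-interactive logon. The secret travels to the CLI through PAS_PASSWORD
# as a prefix assignment on the single child process, so it is absent from
# argv (and therefore from `ps` and history) and is not exported to the rest
# of the script. Arguments: AUTH PVWA_URL USER SAFE OBJECT.
logon_noninteractive() {
  auth="$1"; pvwa="$2"; user="$3"; safe="$4"; object="$5"

  secret="$(fetch_ccp_secret "$safe" "$object")" || {
    echo "logon_noninteractive: CCP retrieval failed" >&2
    return 1
  }
  # Refuse to continue with an empty credential rather than sending it on.
  [ -n "$secret" ] || {
    echo "logon_noninteractive: empty credential returned from CCP" >&2
    return 1
  }

  PAS_PASSWORD="$secret" "$CYBR_CMD" logon \
    -a "$auth" -b "$pvwa" -u "$user" --non-interactive
  status=$?

  # Drop the secret from the shell as soon as the CLI has consumed it.
  unset secret
  return $status
}

# Usage (values are placeholders):
#   logon_noninteractive LDAP https://pvwa.company.com MyUsername \
#       PAS_REST_API name-of-the-object-in-PAS
```

Because the assignment is a prefix on the cybr invocation, PAS_PASSWORD exists only in that child's environment; the -p "$(...)" form from the earlier comment keeps the secret out of history too, but the expanded value is still visible in the process list for the lifetime of the logon call, which is why the environment variable is the default for automation.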
Completely agree. Just having the ability to retrieve the creds using CCP is a win for me.
Is your feature request related to a problem? Please describe. Feature Request
Describe the solution you'd like Add the ability to retrieve credentials to be used for cybr-cli logon via CCP.