Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed

 

Domino on Linux server.id with password

Daniel Nashed  25 March 2024 21:34:01

This idea has been in my head for a while and I wrote my own "nshvault" application to protect secrets of all kinds.
For now it is my private project for my own environment, but it might be an official project at some point.

I can feed data into different applications like the AWS client and SSH agents, and unwrap secrets to be consumed over a FIFO (for example for NGINX).
The data is encrypted at rest and can be wrapped into expiring temporary secrets, whose access tokens can be passed via environment variables (similar to what an SSH agent does).

In that context I also thought about Domino and built something separate, which would also work nicely with the nshvault idea.

Domino server.id password support

For Domino on Windows there is already Notes Shared Login (NSL).
But for Domino on Linux there is no native solution available.

So I wrote a small extension manager, which can feed the password from an external credential helper.
The credential helper could be anything, like my nshvault or any other secure application.
You could even get passwords from a remote machine in your own network, to protect against someone running a copy of your machine somewhere else.


Here is the idea

Domino invokes another process with stdin, stdout and stderr connected to pipes and reads the password from the external program.
The external program can have the SUID permission set and run as a dedicated "vault" user.

For now only stdout is actively used. But this could be extended to pass a security token or other additional information from the Domino server to the credential helper.

A password file could be encrypted and only readable by this helper program. But even writing it to a file that only the vault user can read would be sufficient protection in most environments.
This helper application can also check who is calling it by looking up the PPID and resolving the calling binary via /proc/<pid>/exe.
Only whitelisted binaries will receive the password.
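The exchange described above, as an added C example that is not part of the post and not the author's extension manager or helper: the calling side starts the helper with a pipe on its stdout and reads one line; the helper side resolves /proc/<ppid>/exe and releases the secret only when that binary is on a whitelist. To keep the example self-contained the helper logic runs in a forked child instead of a separate SUID binary, the secret is a constructed constant instead of a file only the vault user can read, and the Domino server path in the whitelist is a placeholder.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed secret standing in for the password file that only the "vault"
   user can read in a real deployment. */
static const char *const EXAMPLE_SECRET = "example-server-id-password";

/* Resolve /proc/<pid>/exe to the absolute path of the binary running as pid.
   Returns 0 on success, -1 if the link cannot be read. */
int caller_exe_path(pid_t pid, char *buf, size_t buflen)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    ssize_t n = readlink(link, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Return 1 if path is in the NULL-terminated whitelist, else 0. */
int caller_is_allowed(const char *path, const char *const *allowed)
{
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strcmp(path, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Helper side: identify the parent via /proc/<ppid>/exe and release the
   secret on out_fd only if that binary is whitelisted. Returns 0 when the
   secret was sent, 1 when the caller was refused. In the real setup this is
   the body of the separate SUID helper binary; here it runs in a forked child
   so the whole exchange can be exercised in one program. */
int helper_serve(const char *const *allowed, int out_fd)
{
    char exe[PATH_MAX];
    exe[0] = '\0';
    if (caller_exe_path(getppid(), exe, sizeof exe) != 0 ||
        !caller_is_allowed(exe, allowed)) {
        fprintf(stderr, "credential helper: caller '%s' refused\n", exe);
        return 1;
    }
    char line[256];
    int len = snprintf(line, sizeof line, "%s\n", EXAMPLE_SECRET);
    return write(out_fd, line, (size_t)len) == len ? 0 : 1;
}

/* Domino side: start the helper with a pipe on its stdout, read one line and
   strip the newline. Returns 0 and fills pw on success, -1 otherwise; on
   failure pw is zeroed so no partial secret is left behind. */
int run_credential_helper(const char *const *allowed, char *pw, size_t pwlen)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t child = fork();
    if (child < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (child == 0) {
        close(fds[0]);
        /* A real extension manager would execve() the SUID helper here. */
        int rc = helper_serve(allowed, fds[1]);
        close(fds[1]);
        _exit(rc);
    }
    close(fds[1]);
    pw[0] = '\0';
    FILE *in = fdopen(fds[0], "r");
    int got = in != NULL && fgets(pw, (int)pwlen, in) != NULL;
    if (in)
        fclose(in);
    else
        close(fds[0]);
    int status = 0;
    waitpid(child, &status, 0);
    if (!got || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        memset(pw, 0, pwlen);
        return -1;
    }
    pw[strcspn(pw, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char self[PATH_MAX], pw[256];
    if (caller_exe_path(getpid(), self, sizeof self) != 0)
        return 1;
    /* Placeholder path for the Domino server binary, plus this program itself
       so the demo run is accepted by the helper. */
    const char *allowed[] = { "/path/to/domino/server", self, NULL };
    if (run_credential_helper(allowed, pw, sizeof pw) == 0)
        printf("helper released a %zu-character password\n", strlen(pw));
    else
        printf("helper refused this caller\n");
    memset(pw, 0, sizeof pw);
    return 0;
}
```

Two points worth noting when turning this into a real helper: the /proc/<ppid>/exe check identifies the binary of the parent process, so it must be done before the parent could exit and the helper be reparented, and the whitelist entry should be the resolved path of the server binary, not a symlink. The secret is zeroed on every failure path so a refused call never leaves part of a password in the caller's buffer.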

I wrote a first version over the weekend and I am not yet sure if I want to make it available for free. Or even open source it.

Mid term a simple credential helper call-out would be great to have in standard Domino.

What do you think about this credential helper approach?


-- Daniel


