Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Domino on Linux with password

Daniel Nashed  25 March 2024 21:34:01

This idea is in my head for a while and I wrote my own "nshvault" application to protect secrets of all kinds.
For now it is my private project for my own environment, but it might be an official project at some point.

I can feed data into different applications like AWS client, SSH agents and unwrap secrets to be consumed over a FIFO (for example for NGINX).
The data is encrypted on rest and can be wrapped into expiring temporary secrets, which access tokens can be passed via environment variables (similar to what an SSH agent does).

In that context I also thought about Domino and built something separate, which would also work nicely with the nshvault idea.

Domino password support

For Domino on Windows there is already Notes Shared Login (NSL).
But for Domino on Linux there is no native solution available.

So I wrote a small extension manager, which can feed the password from an external credential helper.
The credential helper could be anything like my nshvault or any other secure application.
You could even get passwords from remote machine in your own network, to protect against running machines or copies of your machine somewhere else.

Here is the idea

Invoking another process with stdin, stdout and stderr connected to  get the password from the external program.
The external program can have the SUID permission set and run with a "vault" user.

For now only stout is actively used. But this could be extended to pass some security token or other additional information from the Domino server to the credential helper.

A password file could be encrypted and only readable by this helper program. But already writing it to a file, which only the vault user can read, would be sufficient protection in most environments.
This helper application can also check who is calling it by checking the PPID and the calling binary via /proc/pid/exe.
Only white listed binaries will receive the password.

I wrote a first version over the weekend and I am not yet sure if I want to make it available for free. Or even open source it.

Mid term a simple credential helper call-out would be great to have in standard Domino.

What do you think about this credential helper approach?

-- Daniel


1Bob Balaban  26.03.2024 7:46:05  Domino on Linux with password

Architecturally, it makes a lot of sense. For years (decades!) people have been "extending" Domino via hooked events (extmgr) to store data of all kinds in "foreign" systems. Two fairly obvious examples: Documentum to store data docs, DAOS to store de-duped attachments.

Using the technique for secure data adds a couple of requirements, as you know. My suggestion is to think about how resilient your implementation is to things like spoofed processes (is this request really coming from a process that i trust?), and defining the requirements a trusted/whitelisted process must implement to stay secure.

It's really very similar to things a service like IDVault must support for cooperating systems over a network, but where all the players are running on the same machine.

2Christian Henseler  26.03.2024 8:32:57  Domino on Linux with password

Hi Daniel,

Great idead, did you look into CyberArk as credential helper app?

Of cause not the frist choice, but used in enterprise environments.

Best Regards


3thorsten ebers  27.03.2024 19:04:10  Domino on Linux with password

I remember that you told me something like that over 20 years ago. that you had an add-on doing something like that or was it just the idea ?

4Daniel Nashed  28.03.2024 15:37:15  Domino on Linux with password

Hi Thorsten,

I always had a simple extension manager to supply password.

It took some information from the machine and used it to generate a random password.

That password was then used as the password.

It took into account mac address and some other components.

In today's virtualized world, there are not many constants you can use. This includes containers...

The exentsion manager could stays very similar, but now asks for an external password.

So I am removing the logic to generate a password form the extension manager and adding it to an external credential helper.

Even the machine-id might not be a safe bet and it could be also used when you launch the machine in a different infrastructure.

Separating the two parts allows any kind of credential helper.

If we would have a closed binary without source code I could add some functionality to use a kind of seed from the Domino side -- like the license ID of the among with some other info.

That way we could still bind the ID to the machine without a direct password.

This only works for binary code, not for software potentially open sources.

Still you could add your own special seed if we open source ist. But then maybe it is easier to provide your own credential helper application and leave the extension manager unmodified.

-- Daniel

5thorsten ebers  29.03.2024 16:26:31  Domino on Linux with password

Daniel, happy eastern, well I suggest going open source :-). it is trendy as well , thinking about hcl went open source with templates :-)

-- Thorsten



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]