How to secure Passbolt install screen

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hello,
I have a security related question about the Passbolt install screen at example.com/install

I’m working on an ansible playbook to install Passbolt, and I’m wondering how to secure the install screen, after the initial passbolt-repo-setup.ce.sh script runs.

For example, what is preventing someone from accessing and going through the install screen before me, or brute forcing the mysql creds? Or entering their own DB mysql connection URL string and creds, their own mail relay and getting to the passphrase screen before me?

Is there a best practice around this, such as using the Passbolt CLI to pre-fill the required fields in the passbolt.php etc. files in /etc/passbolt? Or to secure the install screen with .htaccess rules? It just seems odd that the install screen is open to the public, especially for a password manager. But I am new to this so looking for some help!

Thank you.

1 Like

Hi @josephcardillo :wave:

You can fully automate passbolt setup and avoid the use of example.com/install.

I did it in full bash in this project: AnatomicJC / passbolt-setup · GitLab

In the gif below, you will see passbolt installation on Ubuntu and first admin link generation:

So you can do it with ansible too :slight_smile:

As an example, here is the bash snippet who let you create the first admin.

configure_first_admin () {
  sudo -EH -u "${WEBUSER}" bash -c "/usr/share/php/passbolt/bin/cake passbolt install --no-admin"
  sudo -EH -u "${WEBUSER}" bash -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u ${PASSBOLT_FIRST_ADMIN_EMAIL} -f ${PASSBOLT_FIRST_ADMIN_USERNAME} -l ${PASSBOLT_FIRST_ADMIN_SURNAME} -r admin"
}

Cheers,

2 Likes

The best option to completely bypass the webinstaller would be mounting a /etc/passbolt/passbolt.php file with your database credentials set (and any other configuration detail you need). This will completely bypass the install screen and you can continue your installation from the command line. You can do this with ansible. If you don’t create such file with ansible you’ll have a time window where the webinstaller is open to anyone. A small time window, though.

Up to your risk appetite.

Question, is there a reason why DB_Passwort is in cleat text and not encrypted with Argon 2? or maybe a different encryption?