18 December 2017 Engineering

Default Password Removal in Elasticsearch and X-Pack 6.0

By Jay Modi

The Elasticsearch team takes pride in making software that is easy to get started with, which allows developers to make progress on their projects at a faster pace. The team wanted the same experience for X-Pack security features, and out of this desire the addition of built-in user accounts was born. X-Pack ships with a built-in administrator account and accounts for the Kibana and Logstash system users. In 5.x, these accounts have a default password of `changeme`, which was chosen in the hope that users would heed the advice embedded in the password and, well, change it.

Hope is not good enough when it comes to securing applications; relying on hope means we assume our users know about these accounts and the default password, and also know why these need to be changed. As a company, relying on hope is like rolling the dice on becoming the next major piece of software featured in the news cycle as the culprit responsible for a bad data leak. In order to provide better security, we made a change for 6.0 that removed the default password altogether. The removal of the default password has the effect of adding a single step to the getting started process for Elasticsearch, and we felt that this tradeoff was the right one to make when it came to shipping software that is secure. Getting this process down to a single step was not easy; there were a lot of ideas and a lot of back-and-forth discussions on how to accomplish this.

The solution makes use of an auto-generated seed value on each node. This seed value serves as the initial password for the elastic user. The seed value alone could have been a fine solution, but it has its own issues, the most important being that the elastic user would have a different password on each node. In terms of usability, the seed value as the elastic password would complicate the getting started experience, as it would require additional manual steps to configure passwords for other users such as the `kibana` user. More work was needed to make getting started a nice experience.

Moving beyond the seed value, a new tool, `setup-passwords`, has been added to make the initial password setting as easy as possible. The tool has both an interactive mode, where the user provides their own passwords, and an automated mode that sets the passwords to random values, which are then printed to standard output. Let’s take a look at how easy it is to get started with X-Pack:

$ bin/elasticsearch-plugin install x-pack
-> Downloading x-pack from elastic
[=================================================] 100%   
@     WARNING: plugin requires additional permissions     @
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
@        WARNING: plugin forks a native controller        @
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.

Continue with installation? [y/N]y
Elasticsearch keystore is required by plugin [x-pack], creating...
-> Installed x-pack

$ bin/elasticsearch

# In a new terminal after elasticsearch has started
$ bin/x-pack/setup-passwords interactive
Initiating the setup of reserved user elastic,kibana,logstash_system passwords.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [kibana]: 
Reenter password for [kibana]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [elastic]

That’s it! The passwords have been set and you can explore adding in other components of the Elastic Stack.
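As an added example (not Elastic's own `setup-passwords` code), this sketches what the automated mode has to do against the 6.x change-password API: authenticate as elastic with the seed value, give every other reserved user a fresh random password first, and change elastic last, since the seed value is the credential the calls themselves use. The endpoint path, the base URL and the injectable `send` hook are assumptions made for the example.

```python
import json
import secrets
import string
import urllib.request
from base64 import b64encode

# Reserved users named on the page. Order matters when changing passwords:
# "elastic" goes last, because its seed password authenticates every call.
RESERVED_USERS = ("elastic", "kibana", "logstash_system")


def generate_password(length=20):
    """Random password from letters and digits, using the secrets module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def change_order(users):
    """Return the users with 'elastic' moved to the end, others in given order."""
    others = [u for u in users if u != "elastic"]
    return others + (["elastic"] if "elastic" in users else [])


def build_request(base_url, user, new_password, auth_password):
    """Build (url, headers, body) for the assumed 6.x endpoint
    POST /_xpack/security/user/<name>/_password, authenticated as elastic."""
    url = f"{base_url.rstrip('/')}/_xpack/security/user/{user}/_password"
    token = b64encode(f"elastic:{auth_password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"password": new_password}).encode()
    return url, headers, body


def http_post(url, headers, body):
    """Real transport: POST the body and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def set_reserved_passwords(base_url, seed_password, users=RESERVED_USERS,
                           send=http_post):
    """Give every reserved user a fresh random password; returns {user: password}.
    `send` is injectable (hypothetical hook) so the flow runs without a cluster."""
    result = {}
    for user in change_order(users):
        new_pw = generate_password()
        status = send(*build_request(base_url, user, new_pw, seed_password))
        if status != 200:
            raise RuntimeError(f"password change for {user} failed: HTTP {status}")
        result[user] = new_pw
    return result
```

Like the tool's automated mode, the returned dictionary is the only copy of the new passwords, so whatever calls this must record them before they are lost.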