Cloud Global

  • 1.  ibmcloud help login

    Posted Fri September 18, 2020 07:20 AM
    Hi All,
    I keep fingers crossed that I am not completely wrong in here.
    Situation: I would like to log in to my ibmcloud, and the CLI in front of me looks like all forms of username/password might be recorded by an unknown third party.

    / # ibmcloud help login

    EXAMPLE:
    ibmcloud login
    Omit username and password to login interactively, ibmcloud will prompt for both
    ibmcloud login -u name@example.com -p pa55woRD
    Specify username and password as arguments
    ibmcloud login -u name@example.com -p "my password"
    Use quotation marks (") around passwords that have spaces
    ibmcloud login -u name@example.com -p "\"password"\"
    Use backslash (\) to escape quotation marks if they are used in the password
    ibmcloud login --apikey A1B2C_31FWTSxE0zNr-Bvjx0-1kfDEsU7ai7Cg89b7nqp
    Use an API key to log in
    ibmcloud login --apikey @my_key_file
    Use a key file to log in
    IBMCLOUD_API_KEY=YOUR_API_KEY_VALUE ibmcloud login
    If environment variable 'IBMCLOUD_API_KEY' is set, login with the API key value specified by it
    ibmcloud login --sso
    Request that ibmcloud provide a URL to obtain a one-time password to log in

    What sounds better in this case, go with an apikey that gets deleted after usage or sso?
    A one-time password means the next guy who works with the terminal needs to request his own one-time password, right?
    It also means that the unknown third party would not be able to log in with my one-time password, as it is not valid anymore, right?

    ------------------------------
    Matthias Jungbauer
    ------------------------------


  • 2.  RE: ibmcloud help login

    Posted Fri September 18, 2020 09:43 AM
    Hi Matthias!

    Thanks for your post. You absolutely came to the right place. Community, do your thing!

    ------------------------------
    Krista Summitt
    ------------------------------



  • 3.  RE: ibmcloud help login

    Posted Sat September 19, 2020 04:07 AM

    Hi Matthias,
    thanks for your question!

    The ibmcloud CLI requires that you log in to your account each time you start a new session and, as you've seen, there are various ways to authenticate, from using a straight password, to using an API key, to using account federation, which provides a one-off password.

    In truth, all of these methods rely on the user keeping their credentials secure and not revealing them to others, including the federated method. With the federated method, the user will need to log into their identity provider (e.g. their employer's environment managed by Microsoft Active Directory) to generate a token, so again, if these credentials are revealed, a one-time password for the CLI is easily obtained.

    Of course, where you can, log in so that your password / API key is not revealed on screen.


    If you are concerned about unauthorised access to your account, then I would recommend that you use strong (complex) passwords and change them frequently. API keys can be useful here and if you federate, then password rules and rotation are effectively enforced by the organisation providing the federation. 

    You can also use auditing tools within the cloud platform to monitor logins and help you track any suspicious activity. 

    Another sound practice is to use IAM to restrict access rights and only provide users with the access they need and you may want to consider limiting administrative rights to one or a very select few accounts. 


    I hope this helps!

    James



    ------------------------------
    James Belton
    ------------------------------
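
The advice above about not revealing the password or API key on screen can be checked after the fact: login forms that put the secret in the command text (`-p VALUE`, a literal `--apikey VALUE`, an inline `IBMCLOUD_API_KEY=VALUE`) are also saved in the shell history file. The following is an added example, not part of the thread or of IBM's tooling; the function names and sample values are constructed, and it relies only on the login forms listed in the help output quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Flags `ibmcloud login` history lines that carry a secret in the command text.

# matches LINE REGEX -> exit status 0 when LINE matches the extended regex
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# classify_login LINE -> prints a verdict for one history line
classify_login() (
  line=$1
  matches "$line" '(^|[[:space:];&|])ibmcloud[[:space:]]+login([[:space:]]|$)' ||
    { echo not-login; exit 0; }
  if matches "$line" '[[:space:]]-p[[:space:]]+[^[:space:]]'; then
    echo password-in-argv            # -p VALUE
  elif matches "$line" '[[:space:]]--apikey[[:space:]]+[^@[:space:]]'; then
    echo apikey-in-argv              # --apikey VALUE (the @file form is fine)
  elif matches "$line" "(^|[[:space:]])IBMCLOUD_API_KEY=[\"']?[^[:space:]\$\"']"; then
    echo apikey-in-inline-env        # literal value typed before the command
  else
    echo ok                          # interactive prompt, --sso, or key file
  fi
)

# audit_history -> reads history lines on stdin, prints "LINENO: verdict" for risky ones
audit_history() (
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    verdict=$(classify_login "$line")
    case $verdict in
      ok|not-login) ;;
      *) echo "$n: $verdict" ;;
    esac
  done
)

# Constructed sample history, built from the forms in the help output above.
sample_history() {
  cat <<'EOF'
ibmcloud help login
ibmcloud login
ibmcloud login -u name@example.com -p pa55woRD
ibmcloud login --apikey @my_key_file
ibmcloud login --apikey CONSTRUCTED_KEY_VALUE
IBMCLOUD_API_KEY=CONSTRUCTED_KEY_VALUE ibmcloud login
ibmcloud login --sso
EOF
}

sample_history | audit_history
```

To check a real history file, feed it on stdin, for example `audit_history < ~/.bash_history`; any password or key it flags should be rotated.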



  • 4.  RE: ibmcloud help login

    Posted Thu September 24, 2020 10:33 AM
    I went for the sso solution:

    container-labs$ ibmcloud login --sso
    API endpoint: https://cloud.ibm.com
    Region: us-south

    Get One Time Code from https://identity-1.us-south.iam.cloud.ibm.com/identity/passcode to proceed.
    Open the URL in the default browser? [Y/n] > y
    One Time Code >

    In addition to the documentation that ibmcloud help login outputs, one needs a web browser for getting the one time access token.

    ------------------------------
    Matthias Jungbauer
    ------------------------------