ssh_key_contents isn't masked when using the ssh power driver
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ironic | Fix Released | Undecided | Derek Higgins | |
Bug Description
When getting node details, in most drivers the password/keys are masked to prevent them being displayed to the console and appearing in logs.
When using the ssh power driver this isn't the case. On a development environment where virtual nodes are being used, the ssh private keys are logged in various places at various debug levels and when running "ironic node-show <uuid>", e.g.
$ ironic node-show baremetal-0
+------
| Property | Value |
+------
| chassis_uuid | |
| clean_step | {} |
| console_enabled | False |
| created_at | 2016-11-
| driver | pxe_ssh |
| driver_info | {u'ssh_username': u'root', u'deploy_kernel': |
| | u'b6e8a5e6-
| | u'2b280e67-
| | BEGIN RSA PRIVATE KEY----- |
| | .......
| | .......
| | .......
| | ..........Removed for bug report............. |
| | .......
| | .......
| | .......
| | -----END RSA PRIVATE KEY-----', u'ssh_virt_type': |
| | u'virsh', u'ssh_address': u'192.168.XX.XX'} |
| driver_
| extra | {} |
| inspection_
| inspection_
| instance_info | {} |
| instance_uuid | None |
| last_error | None |
| maintenance | False |
| maintenance_reason | None |
| name | baremetal-0 |
| network_interface | |
| power_state | power off |
| properties | {u'memory_mb': u'6144', u'cpu_arch': u'x86_64', u'local_gb': u'41', |
| | u'cpus': u'1', u'capabilities': u'boot_
| provision_state | available |
| provision_
| raid_config | |
| reservation | None |
| resource_class | |
| target_power_state | None |
| target_
| target_raid_config | |
| updated_at | 2016-11-
| uuid | 9a7b89d5-
+------
Flagging this as a security vulnerability as a precaution, but I'd imagine it doesn't need to be kept private as it would only affect development environments and it's already reported publicly here:
https:/
I believe the ssh_password key in driver_info for ssh driver would also be subject to this information disclosure and should also be masked.
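The masking this report and the comment above ask for, as an added example that is not Ironic's own code: secrets in a driver_info dict are hidden by key name (covering ssh_key_contents and ssh_password), with a content check for PEM private key blocks under any other key. The key-name pattern list, the `notes` key and all sample values are assumptions constructed for illustration.

```python
import re

# Assumption: key-name fragments that mark a driver_info entry as a secret.
SENSITIVE_KEY = re.compile(r"password|key_contents|secret|token", re.IGNORECASE)
# A PEM private key is a secret whatever the key holding it is called.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----"
    r".*?-----END (?:[A-Z0-9]+ )*PRIVATE KEY-----",
    re.DOTALL,
)
MASK = "******"


def mask_driver_info(value, key=None):
    """Return a masked copy of value; the input is never modified."""
    if key is not None and SENSITIVE_KEY.search(str(key)):
        return MASK if value else value  # leave empty/None values visible
    if isinstance(value, dict):
        return {k: mask_driver_info(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_driver_info(v) for v in value]
    if isinstance(value, str):
        return PEM_PRIVATE_KEY.sub(MASK, value)  # content-based fallback
    return value


# Constructed sample shaped like the driver_info in the report (no real key).
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "CONSTRUCTED-NOT-A-REAL-KEY\n"
            "-----END RSA PRIVATE KEY-----")
CONSTRUCTED_DRIVER_INFO = {
    "ssh_username": "root",
    "ssh_key_contents": FAKE_KEY,
    "ssh_password": "constructed-password",
    "ssh_virt_type": "virsh",
    "ssh_address": "192.0.2.10",
    "notes": "pasted by operator:\n" + FAKE_KEY,  # hypothetical unlisted key
}

if __name__ == "__main__":
    for k, v in mask_driver_info(CONSTRUCTED_DRIVER_INFO).items():
        print(f"{k}: {v!r}")
```

Masking has to be applied to every copy that leaves the service, both the API response and anything passed to a logger, since the report shows the key appearing in both.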