Creating a keypair via Nova logs the private key if DEBUG is enabled

Bug #1770683 reported by Matthew Booth on 2018-05-11
Affects: oslo.utils
Importance: High
Assigned to: Matthew Booth

Bug Description

Originally reported publicly via RH Bugzilla here: https://bugzilla.redhat.com/show_bug.cgi?id=1575945

Consequently should probably not be embargoed.

From bugzilla, when creating a keypair, Nova logs:

2018-05-08 09:49:13.198 742250 DEBUG novaclient.v2.client [req-12f8d12d-c94f-4d05-afd1-95dd16824dfd - crf - - -] RESP: [200] Content-Length: 2324 Content-Type: application/json Openstack-Api-Version: compute 2.1 X-Openstack-Nova-Api-Version: 2.1 Vary: OpenStack-API-Version, X-OpenStack-Nova-API-Version X-Compute-Request-Id: req-947ab50d-b915-4396-803e-55bf66a5f1e0 Date: Tue, 08 May 2018 06:49:13 GMT
RESP BODY: {"keypair": {"public_key": "ssh-rsa ... Generated-by-Nova", "private_key": "-----BEGIN RSA PRIVATE KEY-----\n ...

This log is directly generated by keystone's Session._http_log_response, which sanitizes its output with strutils.mask_password. I believe we should add 'private_key' to the data masked by mask_password, and inform operators who have DEBUG enabled that these keys may be present in their logs.
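As an added illustration (not oslo.utils' own code, and not the patch discussed in this bug), the following Python mirrors the mechanism the description refers to: a list of sensitive key names expanded into regular expressions over `"key": "value"` and `key=value` forms and applied to a log message. The key list is the one from _SANITIZE_KEYS before and after 'private_key' is appended; the response body is constructed to match the shape of the RESP BODY line above, with a shortened PEM payload. The regex patterns and the helper names are this example's own simplification, not the ones strutils.mask_password uses.

```python
"""Illustrative key-name-based log masking, in the style of a _SANITIZE_KEYS
list expanded into regexes.  Added for this example; NOT oslo.utils'
strutils.mask_password and not its exact patterns."""
import re

# The list from the patch hunk, before and after 'private_key' is added.
SANITIZE_KEYS_BEFORE = ['adminPass', 'admin_pass', 'password', 'admin_password',
                        'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                        'secret', 'sys_pswd', 'token', 'configdrive',
                        'CHAPPASSWORD', 'encrypted_key']
SANITIZE_KEYS_AFTER = SANITIZE_KEYS_BEFORE + ['private_key']


def build_patterns(keys):
    """Two regexes per key (simplified for this example):
    - JSON form  "key": "value"   where value may contain \\" and \\n escapes,
      so a PEM blob serialised into a JSON body is consumed whole;
    - bare form  key=value        as seen in query strings and CLI echoes.
    Each pattern has three groups: prefix, secret, suffix."""
    patterns = []
    for key in keys:
        k = re.escape(key)
        patterns.append(re.compile(
            r'("%s"\s*:\s*")((?:\\.|[^"\\])*)(")' % k, re.IGNORECASE))
        patterns.append(re.compile(
            r'(\b%s\s*=\s*)([^\s&,;"\']+)()' % k, re.IGNORECASE))
    return patterns


def mask_secrets(message, keys, secret='***'):
    """Return message with the value of every listed key replaced by secret."""
    masked = message
    for pat in build_patterns(keys):
        masked = pat.sub(r'\g<1>' + secret + r'\g<3>', masked)
    return masked


# Constructed sample shaped like the RESP BODY line in the report; the PEM
# payload is shortened and the "\n" are the JSON-escaped newlines a
# serialised key carries.
KEYPAIR_RESPONSE = (
    'RESP BODY: {"keypair": {"name": "demo", '
    '"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB Generated-by-Nova", '
    '"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA\\n'
    '-----END RSA PRIVATE KEY-----\\n", "user_id": "fake"}}'
)


def leaks_private_key(text):
    """True if a PEM private-key header survives in the text."""
    return 'BEGIN RSA PRIVATE KEY' in text


if __name__ == '__main__':
    before = mask_secrets(KEYPAIR_RESPONSE, SANITIZE_KEYS_BEFORE)
    after = mask_secrets(KEYPAIR_RESPONSE, SANITIZE_KEYS_AFTER)
    print('before fix, key leaked:', leaks_private_key(before))
    print('after fix,  key leaked:', leaks_private_key(after))
    print(after)
```

The point of the JSON pattern is that the secret value is not a single token: a serialised PEM key contains spaces and escaped newlines, so a value pattern that stops at the first whitespace would leave most of the key in the log. The public key is deliberately left untouched, since only the name on the list is masked.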

Matthew Booth (mbooth-9) wrote:

I believe the fix is as simple as:

diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
index 929b34d..c7d0f55 100644
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@@ -58,7 +58,7 @@ SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")
 _SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
                   'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                   'secret', 'sys_pswd', 'token', 'configdrive',
- 'CHAPPASSWORD', 'encrypted_key']
+ 'CHAPPASSWORD', 'encrypted_key', 'private_key']
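Review bot: the value this new entry has to mask is not a short token: the report's RESP BODY shows `"private_key": "-----BEGIN RSA PRIVATE KEY-----\n ...`, a PEM string containing spaces and escaped newlines, so confirm that the value pattern mask_password builds from this list consumes the whole quoted string rather than stopping at the first space or `\n`, ideally with a test that feeds such a body, given that the comment below says no new tests are needed. The description also asks that operators running with DEBUG enabled be told their existing logs may already contain keys; that warning belongs in a release note alongside this one-line change.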

It doesn't even appear that more tests are required, as this list is already adequately tested.

information type: Private Security → Public Security

Fix proposed to branch: master
Review: https://review.openstack.org/567887

Changed in oslo.utils:
assignee: nobody → Matthew Booth (mbooth-9)
status: New → In Progress
Ben Nemec (bnemec) on 2018-05-11
Changed in oslo.utils:
importance: Undecided → High

Reviewed: https://review.openstack.org/567887
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=0fb1b0aabe100bb36d0e4ad6d5a9f96dd8eb6ff6
Submitter: Zuul
Branch: master

commit 0fb1b0aabe100bb36d0e4ad6d5a9f96dd8eb6ff6
Author: Matthew Booth <email address hidden>
Date: Fri May 11 17:13:58 2018 +0100

    Add private_key to the list of sanitized keys

    Nova's create keypair operation will currently log the generated
    keypair if debug logs are enabled.

    Closes-Bug: #1770683
    Change-Id: I7f889f0bf254fad43b1e26d32fa145f88c668b39

Changed in oslo.utils:
status: In Progress → Fix Released

This issue was fixed in the openstack/oslo.utils 3.36.2 release.

Reviewed: https://review.openstack.org/568555
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=8cce3af2c29753d1d1794083a468c7b07b78473c
Submitter: Zuul
Branch: stable/queens

commit 8cce3af2c29753d1d1794083a468c7b07b78473c
Author: Matthew Booth <email address hidden>
Date: Fri May 11 17:13:58 2018 +0100

    Add private_key to the list of sanitized keys

    Nova's create keypair operation will currently log the generated
    keypair if debug logs are enabled.

    (cherry picked from commit 0fb1b0aabe100bb36d0e4ad6d5a9f96dd8eb6ff6)

    Closes-Bug: #1770683
    Change-Id: I7f889f0bf254fad43b1e26d32fa145f88c668b39

tags: added: in-stable-queens
tags: added: in-stable-ocata

Reviewed: https://review.openstack.org/568557
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=edf2e78cc809aeff7dc4fb4b87df2a4c1ebde753
Submitter: Zuul
Branch: stable/ocata

commit edf2e78cc809aeff7dc4fb4b87df2a4c1ebde753
Author: Matthew Booth <email address hidden>
Date: Fri May 11 17:13:58 2018 +0100

    Add private_key to the list of sanitized keys

    Nova's create keypair operation will currently log the generated
    keypair if debug logs are enabled.

    (cherry picked from commit 0fb1b0aabe100bb36d0e4ad6d5a9f96dd8eb6ff6)

    Closes-Bug: #1770683
    Change-Id: I7f889f0bf254fad43b1e26d32fa145f88c668b39

tags: added: in-stable-pike

Reviewed: https://review.openstack.org/568558
Committed: https://git.openstack.org/cgit/openstack/oslo.utils/commit/?id=2c8452a42ef58e0352883512d1ecf724ae1dcdd5
Submitter: Zuul
Branch: stable/pike

commit 2c8452a42ef58e0352883512d1ecf724ae1dcdd5
Author: Matthew Booth <email address hidden>
Date: Fri May 11 17:13:58 2018 +0100

    Add private_key to the list of sanitized keys

    Nova's create keypair operation will currently log the generated
    keypair if debug logs are enabled.

    (cherry picked from commit 0fb1b0aabe100bb36d0e4ad6d5a9f96dd8eb6ff6)

    Closes-Bug: #1770683
    Change-Id: I7f889f0bf254fad43b1e26d32fa145f88c668b39

This issue was fixed in the openstack/oslo.utils 3.22.3 release.

This issue was fixed in the openstack/oslo.utils 3.28.3 release.

This issue was fixed in the openstack/oslo.utils 3.35.1 release.

> This log is directly generated by keystone's Session._http_log_response,

Right:
https://github.com/openstack/keystoneauth/blob/ebe781a3ea0386d6ff088a84e8dde26e538b856d/keystoneauth1/session.py#L450-L511

> ... which sanitizes its output with strutils.mask_password.

keystoneauth1/session.py of keystoneauth doesn't use strutils.mask_password(). mask_password() is not called in keystoneauth.

> I believe we should add 'private_key' to the data masked by mask_password, and inform operators who have DEBUG enabled that these keys may be present in their logs.

This part is done and works as expected, but the issue should be reopened since Heat (for example) still logs private keys when configured to log at the DEBUG level.

Does someone know how to reassign this issue to the keystoneauth project?

Or at least, if we choose to consider that it's not a security issue, the bug status should be changed from "Fix Released" to something else.
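Name-based masking only helps services that route their debug output through mask_password, so an operator who has run with DEBUG enabled needs to search existing logs by content. The following Python is an added example (not code from this bug, Nova, Heat, oslo.utils or keystoneauth) that scans oslo-format log lines for PEM private-key headers, raw or JSON-escaped, reports the logger and request id of each hit so the emitting service can be identified, and produces a redacted copy that handles a header whose END marker was truncated. The log lines, logger names and request ids are constructed for the example.

```python
"""Content-based scan of oslo-format log lines for leaked PEM private keys.
Added example, not code from Nova, Heat, oslo.utils or keystoneauth.
All log lines, logger names and request ids below are constructed."""
import re

# oslo.log default-style prefix: "<date> <time> <pid> <LEVEL> <logger> [req-<id> ..."
OSLO_PREFIX = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) '
    r'(?P<level>[A-Z]+) (?P<logger>\S+) \[(?P<req>req-[0-9a-f-]+)')

# PEM armour; the label may be "RSA ", "EC ", "OPENSSH " or empty (PKCS#8).
PEM_BEGIN = re.compile(r'-----BEGIN (?P<label>(?:[A-Z0-9]+ )*)PRIVATE KEY-----')
# A complete block, whether the newlines are real or JSON-escaped "\n".
PEM_BLOCK = re.compile(
    r'-----BEGIN (?P<label>(?:[A-Z0-9]+ )*)PRIVATE KEY-----'
    r'.*?-----END (?P=label)PRIVATE KEY-----', re.DOTALL)
# A header whose END marker never arrived (line truncated or split).
PEM_TRUNCATED = re.compile(
    r'-----BEGIN (?P<label>(?:[A-Z0-9]+ )*)PRIVATE KEY-----[^\n]*')

# Constructed sample log: one clean debug line, a Nova keypair response with
# a (shortened) RSA key, a truncated EC key from another service, one INFO line.
LOG_LINES = [
    '2018-05-08 09:49:13.198 742250 DEBUG novaclient.v2.client '
    '[req-11111111-1111-1111-1111-111111111111 - demo - - -] '
    'RESP: [200] Content-Type: application/json',
    '2018-05-08 09:49:13.198 742250 DEBUG novaclient.v2.client '
    '[req-11111111-1111-1111-1111-111111111111 - demo - - -] '
    'RESP BODY: {"keypair": {"public_key": "ssh-rsa AAAA Generated-by-Nova", '
    '"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA\\n'
    '-----END RSA PRIVATE KEY-----\\n"}}',
    '2018-05-08 09:50:01.000 742250 DEBUG heat.engine '
    '[req-22222222-2222-2222-2222-222222222222 - demo - - -] '
    'RESP BODY: {"private_key": "-----BEGIN EC PRIVATE KEY-----\\nMHcCAQEE',
    '2018-05-08 09:51:00.000 742250 INFO nova.compute.manager '
    '[req-33333333-3333-3333-3333-333333333333 - demo - - -] '
    'Instance spawned successfully',
]


def find_leaked_keys(lines):
    """One record per line carrying a PEM private-key header, with the
    logger and request id so the emitting service and API call can be traced."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        pem = PEM_BEGIN.search(line)
        if not pem:
            continue
        ctx = OSLO_PREFIX.match(line)
        hits.append({
            'line_no': line_no,
            'level': ctx.group('level') if ctx else None,
            'logger': ctx.group('logger') if ctx else None,
            'request_id': ctx.group('req') if ctx else None,
            'key_type': (pem.group('label') + 'PRIVATE KEY').strip(),
        })
    return hits


def redact_private_keys(text):
    """Replace complete PEM blocks, then any truncated header up to end of
    line, so a redacted copy of the log can be kept or shared."""
    text = PEM_BLOCK.sub(r'[REDACTED \g<label>PRIVATE KEY]', text)
    return PEM_TRUNCATED.sub(r'[REDACTED \g<label>PRIVATE KEY (truncated)]', text)


if __name__ == '__main__':
    for hit in find_leaked_keys(LOG_LINES):
        print('line %(line_no)d: %(key_type)s logged by %(logger)s at %(level)s, '
              'request %(request_id)s' % hit)
    print(redact_private_keys('\n'.join(LOG_LINES)))
```

Any hit means the key must be treated as compromised: the keypair should be regenerated and the old public key removed from instances, since redacting the log afterwards does not undo whoever already read it.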
