passwords leaking on the command line
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet-keystone | Fix Released | Undecided | zhongshengping |
Pike | Fix Released | Undecided | zhongshengping |
Queens | Fix Released | Undecided | zhongshengping |
Rocky | Fix Released | Undecided | zhongshengping |
Bug Description
Here:
https:/
puppet-keystone is passing the password through the command line instead of using an env var. As a result, the passwords are leaking in /proc.
As this is an OpenStack deployment on probably not a multi-user machine, it's probably only a wishlist bug, but it'd still be nice to use an env var instead, with something like this:
export OS_BOOTSTRAP_
export OS_BOOTSTRAP_
export OS_BOOTSTRAP_
In the same way, OS_TOKEN can be used if OpenStack admin credentials (i.e. an openrc.sh) are used:
Thanks for considering this.
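The leak the report describes can be checked directly: an argument in argv is world-readable through /proc/PID/cmdline, while a value in the environment only appears in /proc/PID/environ, which is readable by the process owner and root. The script below is an added example, not code from puppet-keystone or from the reporter; it assumes a Linux /proc and uses `sh -c 'sleep 2'` as a stand-in for the CLI invocation, with a constructed secret.

```shell
#!/bin/sh
# Constructed demonstration of the /proc leak: secret in argv vs. secret in env.

# Return 0 when the command line of process $1 contains the literal string $2.
# /proc/<pid>/cmdline is readable by every local user.
cmdline_contains() {
  tr '\000' ' ' < "/proc/$1/cmdline" 2>/dev/null | grep -q -F -- "$2"
}

# Return 0 when the environment of process $1 has a line matching regex $2.
# /proc/<pid>/environ is only readable by the process owner (or root).
environ_contains() {
  tr '\000' '\n' < "/proc/$1/environ" 2>/dev/null | grep -q -E -- "$2"
}

# Audit helper: print the PID of every process whose argv carries $1
# (e.g. '--os-password=' or '--bootstrap-password'); return 0 if any were found.
find_password_on_cmdline() {
  found=1
  for f in /proc/[0-9]*/cmdline; do
    pid=${f#/proc/}; pid=${pid%/cmdline}
    if cmdline_contains "$pid" "$1"; then echo "$pid"; found=0; fi
  done
  return $found
}

# Leaky pattern: the secret is an argv element, so it is visible in cmdline.
# Returns 0 when the secret was readable from /proc (i.e. the leak is present).
demo_argv_leak() {
  sh -c 'sleep 2' stub "--os-password=$1" &
  pid=$!; sleep 1
  if cmdline_contains "$pid" "$1"; then rc=0; else rc=1; fi
  kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
  return $rc
}

# Pattern the report asks for: the secret travels in an env var such as
# OS_PASSWORD. Returns 0 when it is absent from cmdline but present in environ.
demo_env_no_leak() {
  OS_PASSWORD="$1" sh -c 'sleep 2' stub &
  pid=$!; sleep 1
  if ! cmdline_contains "$pid" "$1" && environ_contains "$pid" "^OS_PASSWORD=$1\$"
  then rc=0; else rc=1; fi
  kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
  return $rc
}
```

Run `find_password_on_cmdline '--os-password='` on a deployed host to spot any long-running process that still carries a credential in argv.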
Changed in puppet-keystone:
assignee: nobody → Tobias Urdin (tobias-urdin)

Changed in puppet-keystone:
assignee: nobody → Tobias Urdin (tobias-urdin)
status: New → In Progress

Changed in puppet-keystone:
assignee: Tobias Urdin (tobias-urdin) → nobody
status: In Progress → Confirmed

Changed in puppet-keystone:
assignee: nobody → zhongshengping (chdzsp)

Changed in puppet-keystone:
status: Confirmed → Fix Released
This is not a security issue because it's highly advised to disable the admin auth token after a deployment, like you can do with this class: https://github.com/openstack/puppet-keystone/blob/master/manifests/disable_admin_token_auth.pp
All production deployments should run this class so the admin auth token can't be used anymore after an initial deployment.