Service passwords have predictable pattern

Bug #1901228 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Andy

Bug Description

Brief Description
-----------------
The service keystone user passwords have a predictable pattern (e.g., a0c4068dfbcaTi0*), which is always lowercase characters and numbers followed by "Ti0*". The passwords should be uniformly random (with at least one uppercase, one lowercase, one number and one special character).

Severity
--------
Minor

Steps to Reproduce
------------------
- Deploy a system of any config.
- Check the service passwords (keystone, sysinv, fm, sm-api, ldap, patching, etc.).

Expected Behavior
------------------
The service passwords shouldn't have a predictable pattern.

Actual Behavior
----------------
- The service passwords in their configuration files have a predictable pattern;
  the following is from /etc/sysinv/sysinv.conf as an example.
[keystone_authtoken]
username=sysinv
user_domain_name=Default
password=c4a19066eb81Ti0*

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
stx master

Last Pass
---------
N/A

Timestamp/Logs
--------------
See steps to reproduce.

Test Activity
-------------
Developer Testing

Workaround
----------
N/A

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil) wrote :

should be considered for stx.5.0 as it's a security concern

Changed in starlingx:
importance: Undecided → Low
status: New → Triaged
tags: added: stx.5.0 stx.security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/760449

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/760450

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/760449
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=1f859052c6fe52ef9a951e6b5ecc27c74d856b2a
Submitter: Zuul
Branch: master

commit 1f859052c6fe52ef9a951e6b5ecc27c74d856b2a
Author: Andy Ning <email address hidden>
Date: Fri Oct 23 10:25:58 2020 -0400

    Quote password in ldap command

    Quote the password to the "-w" option of the ldap commands in puppet
    for special characters in the password.

    Change-Id: I43275bb2323b8525c5c77fe9a69d386190292223
    Closes-Bug: 1901228
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

Keeping open until all the required changes are merged

Changed in starlingx:
status: Fix Released → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/760450
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=f580bae812bdd4367144a3345a1a47ccd0b16b1a
Submitter: Zuul
Branch: master

commit f580bae812bdd4367144a3345a1a47ccd0b16b1a
Author: Andy Ning <email address hidden>
Date: Fri Oct 23 10:23:06 2020 -0400

    Enhance sysinv plugins to generate more random passwords

    This update enhanced random password generation in sysinv puppet
    plugin base class and helm plugin base class to generate more random
    passwords containing at least one uppercase, one lowercase, one number
    and one of the special characters in [!*_-+=] (the square brackets are
    not included).

    Examples of the more random passwords:
    U*u0Xf!Q5u07!Hri
    JKK+4dU=2EqrpNRz
    QeBZew3s=fTAE7_+
    0g=*koc_n64vTXeR

    Change-Id: Ifbfae96329480c2f726e4a4012e1f27ff56f38ef
    Closes-Bug: 1901228
    Depends-On: https://review.opendev.org/#/c/760449/
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
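The requirement the merged config fix states (at least one uppercase, one lowercase, one number and one of [!*_-+=]) and the legacy "Ti0*" shape from the bug description, as an added Python example that is not StarlingX's or sysinv's own code: a CSPRNG generator that rejection-samples until every class is present, a scanner that flags legacy-pattern values in ini-style config text, and shell-quoting for the ldap "-w" value that the stx-puppet change addresses. The 16-character length is assumed from the example passwords, the sysinv.conf text is a constructed sample, and the function names are the example's own.

```python
import re
import secrets
import shlex
import string

# One of each of these four classes is required by the merged fix; SPECIAL
# is the page's [!*_-+=]. The 16-character length is assumed from the
# example passwords; rejection sampling is illustrative, not sysinv's code.
UPPER, LOWER, DIGITS, SPECIAL = (string.ascii_uppercase,
                                 string.ascii_lowercase, string.digits, "!*_-+=")
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL

# The predictable shape from the bug: 12 lowercase hex chars then "Ti0*".
LEGACY_PATTERN = re.compile(r"^[0-9a-f]{12}Ti0\*$")

def has_all_classes(pw):
    """True if pw holds an uppercase, a lowercase, a digit and a special."""
    return all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SPECIAL))

def generate_password(length=16):
    """CSPRNG draw from ALPHABET^length, retried until every class is present,
    so the result is uniform over all compliant strings."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw

def is_legacy_pattern(pw):
    """Flag a password that still has the old predictable pattern."""
    return LEGACY_PATTERN.match(pw) is not None

def find_legacy_passwords(conf_text):
    """Return password= values in ini-style text that match the legacy shape."""
    hits = []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*password\s*=\s*(\S+)\s*$", line)
        if m and is_legacy_pattern(m.group(1)):
            hits.append(m.group(1))
    return hits

def ldap_passwd_arg(pw):
    """Shell-quote the -w value so '*' and '!' reach ldap intact (the issue
    the stx-puppet change addresses)."""
    return "-w " + shlex.quote(pw)

# Constructed sample mirroring the sysinv.conf excerpt in the bug description.
SAMPLE_CONF = "[keystone_authtoken]\nusername=sysinv\npassword=c4a19066eb81Ti0*\n"
```

Running find_legacy_passwords over each service's config is a quick way to confirm a deployment has picked up the new generator.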
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919
