cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nitin Mehta (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-505) cloudstack logs the private key in plaintext
Date Mon, 17 Dec 2012 21:48:13 GMT


Nitin Mehta commented on CLOUDSTACK-505:

Chip - Thanks for the corrective action. But isn't string search an expensive operation and
that too we are doing it for every async job which gets called very often 
(for every async call to figure out the status of the async job). This would hurt the performance.
If at all, we go down this path we should have pre compiled the regex for password as well
which is more optimal. Can you please do that ?

Another way is to log the api server logs in debug and ship the product with log4j configuration
for this logger set to info. We leave the onus to admin to turn the log4j config to debug
to start seeing the logs and understand the security impediments.
> cloudstack logs the private key in plaintext
> --------------------------------------------
>                 Key: CLOUDSTACK-505
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.0.0
>            Reporter: Ahmad Emneina
>            Assignee: Joe Brockmeier
>            Priority: Blocker
>             Fix For: 4.0.1
> When creating my sshkeypair, theyre logged in the api-server.log.
> 2012-11-16 04:16:44,387 INFO  [cloud.api.ApiServer] (ApiServer-8:null) (userId=1 accountId=1
sessionId=null) /0:0:0:0:0:0:0:1 -- GET /client/api?command=createSSHKeyPair&name=testkeys2&response=json&domainid=1&zone=2&account=admin
HTTP/1.0 200 
> {
>     "createsshkeypairresponse": {
>         "keypair": {
>             "name": "testkeys2",
>             "fingerprint": "f2:0c:b1:d9:be:73:4f:a9:0a:c0:c8:59:17:e0:67:07",
>             "privatekey": "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDD8CUiTQL26bhcDDW1kg8QqY2Pzm9EkeNwcTtglZEYkfSV7IHI\nDO7kRvB8ca4uKOpQD+jIpz0+leTQAc2JwLPzIFfTpN/mn+vwMwBviTZjYUDePkw+\nuwe97KB4Xg+RM7m0f4sPUHe9IZPshebl8nFhFpp8bL1g/FcDalJs3GhyPwIDAQAB\nAoGBAL0czVp75f6Wul/tUPF8lZnJbF5+KpqODGz8fQjNkwuZ4+3IJcMF6JTfe0FB\nH5Jh3zWDBXSVJeGAHyY8dzsbiRHRoXb4HRXUfSdMVLAlXDmH+REcE/4OY+Sd+GU2\ncrIsq9E3R2Nhr7lujP6BOO4IEzSrKFQ531lLBolCNZ/YpHThAkEA4/N1BeuB7ihI\nlzfdikjEmg3BfDn+s7FlQz42x4iAOBRBcMeO0e7ma+UWD7LUER3tuADAY3D4C/xs\nAluSbEyHdwJBANwMRK4jsmsGFf5GjH/iyVApZx/U71OR8OJx48NSdWmCzEkMdCE+\nH5Lska7j8mfAfqbOYfYqR4gwOXXHGr8XrXkCQAF9GYqMWzDe+npiVwQMLZyD8nuJ\nNWye//ZMdbcf4RZ8q2C9LOWaFc8mk9pOZKwn8eF9v8PmfPg3Ec2CI5apeUkCQQDK\nEj4TyFY07/7MZc7qNcH26j54PduVW+TgngOxv4xw2xtsTZJrYJgwHSzfdRaK7nug\nBNBy9XqA9wAdRz0plL3JAkEAiyCuxFhz6F2NhMxDX9IczJPPiJ+v6qHGwSThiBv0\n9XgwpQqrFmBdqAZ3SDjsgXkG2gAqZRuddbq55ffGSFtkpg==\n-----END
>         }
>     }
> }

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message