incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rohit Yadav (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-505) cloudstack logs the private key in plaintext
Date Mon, 17 Dec 2012 21:00:12 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534297#comment-13534297
] 

Rohit Yadav commented on CLOUDSTACK-505:
----------------------------------------

Much better fix than last one, but we should also strip out ssh keys. The fix should be in
db/response views so we don't serialize an object with sensitive key=value pairs, tricky to
do now maybe. Will look into this after api_refactoring gets merged into master.
                
> cloudstack logs the private key in plaintext
> --------------------------------------------
>
>                 Key: CLOUDSTACK-505
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-505
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API
>    Affects Versions: 4.0.0
>            Reporter: Ahmad Emneina
>            Assignee: Joe Brockmeier
>            Priority: Blocker
>             Fix For: 4.0.1
>
>
> When creating my sshkeypair, theyre logged in the api-server.log.
> 2012-11-16 04:16:44,387 INFO  [cloud.api.ApiServer] (ApiServer-8:null) (userId=1 accountId=1
sessionId=null) /0:0:0:0:0:0:0:1 -- GET /client/api?command=createSSHKeyPair&name=testkeys2&response=json&domainid=1&zone=2&account=admin
HTTP/1.0 200 
> {
>     "createsshkeypairresponse": {
>         "keypair": {
>             "name": "testkeys2",
>             "fingerprint": "f2:0c:b1:d9:be:73:4f:a9:0a:c0:c8:59:17:e0:67:07",
>             "privatekey": "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDD8CUiTQL26bhcDDW1kg8QqY2Pzm9EkeNwcTtglZEYkfSV7IHI\nDO7kRvB8ca4uKOpQD+jIpz0+leTQAc2JwLPzIFfTpN/mn+vwMwBviTZjYUDePkw+\nuwe97KB4Xg+RM7m0f4sPUHe9IZPshebl8nFhFpp8bL1g/FcDalJs3GhyPwIDAQAB\nAoGBAL0czVp75f6Wul/tUPF8lZnJbF5+KpqODGz8fQjNkwuZ4+3IJcMF6JTfe0FB\nH5Jh3zWDBXSVJeGAHyY8dzsbiRHRoXb4HRXUfSdMVLAlXDmH+REcE/4OY+Sd+GU2\ncrIsq9E3R2Nhr7lujP6BOO4IEzSrKFQ531lLBolCNZ/YpHThAkEA4/N1BeuB7ihI\nlzfdikjEmg3BfDn+s7FlQz42x4iAOBRBcMeO0e7ma+UWD7LUER3tuADAY3D4C/xs\nAluSbEyHdwJBANwMRK4jsmsGFf5GjH/iyVApZx/U71OR8OJx48NSdWmCzEkMdCE+\nH5Lska7j8mfAfqbOYfYqR4gwOXXHGr8XrXkCQAF9GYqMWzDe+npiVwQMLZyD8nuJ\nNWye//ZMdbcf4RZ8q2C9LOWaFc8mk9pOZKwn8eF9v8PmfPg3Ec2CI5apeUkCQQDK\nEj4TyFY07/7MZc7qNcH26j54PduVW+TgngOxv4xw2xtsTZJrYJgwHSzfdRaK7nug\nBNBy9XqA9wAdRz0plL3JAkEAiyCuxFhz6F2NhMxDX9IczJPPiJ+v6qHGwSThiBv0\n9XgwpQqrFmBdqAZ3SDjsgXkG2gAqZRuddbq55ffGSFtkpg==\n-----END
RSA PRIVATE KEY-----\n"
>         }
>     }
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message