[one-users] auth - stop showing clear password on the logs
João Pagaime
jpsp at fccn.pt
Fri May 11 13:56:01 PDT 2012
Hello Ruben,
thanks for the reply
You're right: configuring DEBUG_LEVEL to 0 stopped that behavior
(showing clear password on the logs)
a few issues more:
---------
1- one_auth_mad.rb didn't deal well with passwords (secret) with
special characters like "$" or "&". Surrounding the "secret" variable
with the (') character seems to fix that. The code line now looks like
this:
command << " '" << user.gsub("'", '\'"\'"\'') << "' '" <<
password.gsub("'", '\'"\'"\'') << "' '" << secret << "'"
don't know if there are other points in the code that could use this
change
---------
2- In case of a wrong (LDAP) password, Sunstone gives the following
error message:
"OpenNebula is not running or there was a server exception. Please
check the server logs."
This message is a bit confusing for LDAP users. I suggest another error
message like:
"Authentication failure: wrong username, password or OpenNebula is not
running or there was a server exception".
Of course a better error message would be: "Authentication failure:
(real reason)"
---------
3- I would like to set the DEBUG_LEVEL to 3 again but really don't
want passwords going to the logs. Is this possible? Where should I tune
the system? one_auth_mad.rb? The "run" shell command method, filtering
out the problematic cases? Where can I find the "run" method?
Cheers,
João
On Fri, 11 May 2012 00:05:34 +0200, Ruben S. Montero wrote:
> Hi
>
> You may try to change the "verbosity" of the DEBUG messages in
> oned.conf. DEBUG_LEVEL=0 will only output ERROR messages (those
> labeled with [E]). Once you have deployed and tuned the infrastructure
> it may be a good idea to decrease the debug messages to ERROR/WARNING
> level.
>
> Cheers
>
> Ruben
>
> On Thu, May 10, 2012 at 8:50 PM, João Pagaime <jpsp at fccn.pt> wrote:
>> Hello all
>>
>> could somebody show where to change open-nebula for it to stop
>> showing clear text passwords?
>>
>> probably somewhere on the code...
>>
>> it is showing clear text passwords for some cases of Sunstone LDAP
>> auth errors (as shown below)
>>
>> --------------
>> Thu May 10 19:20:02 2012 [ReM][D]: UserInfo method invoked
>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 Command execution fail: /var/lib/one/remotes/auth/default/authenticate 'USER' '-' PASSWORD
>>
>> Thu May 10 19:20:02 2012 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/default/authenticate 'USER' '-' PASSWORD
>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 User USER not found
>>
>> Thu May 10 19:20:02 2012 [AuM][I]: User USER not found
>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: LOG I 2 ExitCode: 255
>>
>> Thu May 10 19:20:02 2012 [AuM][I]: ExitCode: 255
>> Thu May 10 19:20:02 2012 [AuM][D]: Message received: AUTHENTICATE FAILURE 2 -
>>
>> Thu May 10 19:20:02 2012 [AuM][E]: Auth Error:
>> Thu May 10 19:20:02 2012 [ReM][E]: [UserInfo] User couldn't be authenticated, aborting call.
>> ----------------------
>>
>> maybe it would be a good idea to ship the production versions
>> without this behavior
>>
>> cheers
>> João
--
João Pagaime
FCCN - Área de Infra-estruturas Aplicacionais
Av. do Brasil, n.º 101 - Lisboa
Telef. +351 218440100 Fax +351 218472167
www.fccn.pt
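
Added example, not part of the original message and not OpenNebula's own code: the posted line escapes quote characters in user and password but wraps secret in bare single quotes, so this sketch escapes every argument with Ruby's Shellwords and builds a separate log string that never contains the secret (issues 1 and 3 above). The helper names and the choice to mask only the secret are assumptions; the script path is the one shown in the quoted log.

```ruby
require 'shellwords'

# Script path as it appears in the log excerpt quoted in the thread.
AUTH_SCRIPT = '/var/lib/one/remotes/auth/default/authenticate'

# Quoting that only wraps the value in single quotes: fine for "$" and "&",
# but a quote character inside the value ends the quoted string early.
def wrap_only(value)
  "'#{value}'"
end

# Hypothetical helper: returns the command in three forms.
#   :argv  - array for system(*argv) or Open3, which bypasses the shell
#   :shell - one string with every argument escaped, secret included
#   :log   - the same string with the secret replaced by a fixed marker
def auth_invocation(user, password, secret, script = AUTH_SCRIPT)
  visible = [script, user, password]
  {
    argv:  visible + [secret],
    shell: (visible + [secret]).map { |a| Shellwords.escape(a) }.join(' '),
    log:   visible.map { |a| Shellwords.escape(a) }.join(' ') + ' [REDACTED]'
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample secret containing "$", "&", a space and a quote.
  inv = auth_invocation('USER', '-', "pa'ss $HOME & x")
  puts inv[:shell]
  puts inv[:log]
  # Shellwords.split applies POSIX-style word splitting to the string.
  p Shellwords.split(inv[:shell]) == inv[:argv]
  # With wrap-only quoting, one value containing quotes becomes two words.
  p Shellwords.split(wrap_only("a' 'b"))
end
```

Passing the `:argv` form to `system(*argv)` or `Open3.capture2e(*argv)` avoids shell parsing altogether, which removes the quoting problem rather than managing it.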