security problem in EC2
| Assignee: | Daniel Molina |
| % Done: | |
| Target version: | Release 3.4 - Beta |
| Affected Versions: | OpenNebula 3.4 |

I was just able to authenticate through EC2 (using the ec2 auth method in econe.conf) as a user from LDAP (with driver ldap) with its LDAP DN as the password. I'm almost sure it will also work for a user with the x509 driver and its certificate subject as the password.
P.S. Related code in EC2CloudAuth.rb is "one_pass = get_password(username)".
P.S. The workaround is not to mix users with different drivers in one setup (only core driver users should be used if auth=ec2 is used). Another solution is to use auth=x509 if there are users with different drivers (ldap/x509/ssh).
P.S. OCCICloudAuth.rb looks similar to EC2, but I didn't succeed in authenticating.
P.S. SunstoneCloudAuth.rb looks OK (because of SHA1 digest used).
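
The report above comes down to a signature check keyed on whatever the stored password field holds, which for ldap/x509 users is a public identifier. The following Ruby sketch is an added example, not OpenNebula's code: it models that check beside a version that applies the reported workaround (core driver only). The user records, method names and the HMAC-SHA256 signing scheme are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'

# Constructed user records (hypothetical model, not OpenNebula's schema):
# for non-core drivers the stored "password" holds a public identifier.
USERS = {
  'alice' => { driver: 'core', password: 'constructed-core-secret-9f2c' },
  'bob'   => { driver: 'ldap', password: 'uid=bob,ou=people,dc=example,dc=org' },
  'carol' => { driver: 'x509', password: '/C=ES/O=Example/CN=carol' }
}.freeze

# Drivers whose stored password field is an actual secret (assumption:
# only "core", matching the workaround in the report).
SECRET_DRIVERS = %w[core].freeze

# Simplified request signing: HMAC over the canonical request string.
def sign(secret, string_to_sign)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, string_to_sign))
end

# Constant-time comparison so the check does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Before: the stored field is used as the signing key for every driver,
# so a DN or certificate subject verifies as if it were a secret.
def authenticate_unchecked(username, string_to_sign, signature)
  user = USERS[username] or return nil
  secure_equal?(sign(user[:password], string_to_sign), signature) ? username : nil
end

# After: signature auth is refused unless the user's driver stores a secret.
def authenticate_checked(username, string_to_sign, signature)
  user = USERS[username] or return nil
  return nil unless SECRET_DRIVERS.include?(user[:driver])
  secure_equal?(sign(user[:password], string_to_sign), signature) ? username : nil
end
```
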