Bug #1861

LDAP user password exposed in oned.log

Added by Laurent Grawet over 8 years ago. Updated about 8 years ago.

Status: Closed
Start date: 04/03/2013
Priority: High
Due date:
Assignee: Javi Fontan
% Done: 0%
Category: Drivers - Auth
Target version: Release 4.0
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 3.8

Description

Hi,

This is related to Bug #1860. When authentication fails because of a bad group membership attribute (in the LDAP server), the user password is exposed in oned.log. I've noticed passwords are generally masked with "***" but not in this specific case.

Wed Apr  3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser d912d36edf86023349eb0cbf38f4203b8eeecc4c mypassword
Wed Apr  3 10:33:39 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser d912d36edf86023349eb0cbf38f4203b8eeecc4c mypassword
Wed Apr  3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Trying server server 1

Wed Apr  3 10:33:39 2013 [AuM][I]: Trying server server 1
Wed Apr  3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 User myuser is not in group groupid=mygroup,ou=groups,o=myorganization,c=be

Wed Apr  3 10:33:39 2013 [AuM][I]: User myuser is not in group groupid=mygroup,ou=groups,o=myorganization,c=be
Wed Apr  3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Could not authenticate user myuser

Wed Apr  3 10:33:39 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr  3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 ExitCode: 255

Regards,

Laurent

Associated revisions

Revision 138181ee
Added by Javi Fontan about 8 years ago

bug #1861: fix password black out when authentication fails

Revision 65f116c3
Added by Javi Fontan about 8 years ago

bug #1861: fix password black out when authentication fails

(cherry picked from commit 138181ee3ce70289f4167c9617e88f17456007ba)

History

#1 Updated by Javi Fontan over 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Javi Fontan

#2 Updated by Javi Fontan about 8 years ago

I am not able to reproduce the problem, I get the asterisks on error:

Tue Apr  9 15:00:06 2013 [AuM][D]: Message received: LOG I 10 Command execution fail: /Users/jfontan/work/one/install/var/remotes/auth/ldap/authenticate ldap ldapuser ****

Tue Apr  9 15:00:06 2013 [AuM][I]: Command execution fail: /Users/jfontan/work/one/install/var/remotes/auth/ldap/authenticate ldap ldapuser ****

Are there any non alphanumeric characters in the password?

#3 Updated by Laurent Grawet about 8 years ago

Yes, the problem only shows up for passwords with non alphanumeric characters.
Just try adding a '!' to trigger this.

Laurent

#4 Updated by Laurent Grawet about 8 years ago

Well, in fact this problem is not related with #1860 as I managed to reproduce the problem with the right group membership attribute.

#5 Updated by Javi Fontan about 8 years ago

I am trying to reproduce the bug but I am not able to do so. Can you execute this script on your machine and send me the output? In case both gsub lines have the secret word changed to asterisks, can you change the secret to some password that behaves incorrectly in your setup?:

#!/usr/bin/env ruby

puts "==== #{RUBY_VERSION} ===="

# Secret containing regex metacharacters, appended to a log-like message
secret="secret(?!)$!"
text="some text and #{secret}"

# Escape regex metacharacters so the secret is matched literally
quoted=Regexp.escape(secret)

# Same pattern built two ways: regex literal and Regexp.new
reg_a=/ #{quoted}$/
reg_b=Regexp.new(" #{quoted}$")

puts "secret: "+secret.inspect
puts "quoted: "+quoted.inspect
puts "reg_a: "+reg_a.inspect
puts "reg_b: "+reg_b.inspect
# Both substitutions should replace the secret with asterisks
puts "gsub a: "+text.gsub(reg_a, ' ***')
puts "gsub b: "+text.gsub(reg_b, ' ***')

I've tested this in ruby 1.8.7, 1.9.3 and 2.0. Works as expected.

#6 Updated by Laurent Grawet about 8 years ago

Hi,

Ok, here is a very simple (weak) password: azerty!
I'm not able to reproduce the problem with your script.

./secret-test.rb
==== 1.8.7 ====
secret: "azerty!"
quoted: "azerty!"
reg_a: / azerty!$/
reg_b: / azerty!$/
gsub a: some text and ***
gsub b: some text and ***

However, here is what I get when I try to log in from sunstone with an existing user and this password (which is not the correct password associated with the user so the authentication fails).
Notice the escaped '!' present only in the output.

Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!

Wed Apr 10 18:16:25 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Trying server server 1

Wed Apr 10 18:16:25 2013 [AuM][I]: Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Bad user/password

Wed Apr 10 18:16:25 2013 [AuM][I]: Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Could not authenticate user myuser

Wed Apr 10 18:16:25 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 ExitCode: 255

Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE FAILURE 339 -

Wed Apr 10 18:16:25 2013 [AuM][E]: Auth Error: 
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2672 UID:- UserInfo invoked, -1
Wed Apr 10 18:16:25 2013 [ReM][E]: Req:2672 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 340 ExitCode: 0

Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 0
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 340 -

Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2800 UID:1 UserPoolInfo invoked
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2800 UID:1 UserPoolInfo result SUCCESS, "<USER_POOL><USER><ID..." 
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!

Wed Apr 10 18:16:25 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Trying server server 1

Wed Apr 10 18:16:25 2013 [AuM][I]: Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Bad user/password

Wed Apr 10 18:16:25 2013 [AuM][I]: Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Could not authenticate user myuser

Wed Apr 10 18:16:25 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 ExitCode: 255

Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE FAILURE 341 -

Wed Apr 10 18:16:25 2013 [AuM][E]: Auth Error: 
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:336 UID:- UserInfo invoked, -1
Wed Apr 10 18:16:25 2013 [ReM][E]: Req:336 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

#7 Updated by Javi Fontan about 8 years ago

I think I've found the problem. Can you change line 129 of the file /usr/lib/one/mads/one_auth_mad.rb from:

            log_method_no_password(request_id, secret))

to:

            log_method_no_password(request_id, Shellwords.escape(secret)))

Restart OpenNebula and check if this continues to happen.

Thanks
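
The mismatch behind the fix in #7, as an added Ruby illustration that is not OpenNebula's code: the driver command line reaches the log shell-escaped (hence the `azerty\!`), while a mask regex built from the raw secret never matches it. It assumes the command line is assembled with Shellwords.escape; the driver path, user name and hash value are copied from the log lines above.

```ruby
require 'shellwords'

# Constructed example, not OpenNebula's code. Path taken from the log lines in
# this bug report.
AUTH_DRIVER = '/var/lib/one/remotes/auth/ldap/authenticate'

# Assemble the command line the way a shell-safe driver call would: every
# argument passed through Shellwords.escape, then joined with spaces.
# A password such as "azerty!" therefore appears in the message as "azerty\!".
def driver_command(user, token, secret)
  [AUTH_DRIVER, user, token, secret].map { |arg| Shellwords.escape(arg) }.join(' ')
end

# Naive masking: Regexp.escape handles regex metacharacters, but the pattern is
# built from the raw secret, which is not the form present in the message.
def mask_naive(message, secret)
  message.gsub(/ #{Regexp.escape(secret)}$/, ' ***')
end

# Fixed masking: escape the secret for the shell first, exactly as the command
# line did, and only then escape it for the regex (the change proposed in #7).
def mask_fixed(message, secret)
  message.gsub(/ #{Regexp.escape(Shellwords.escape(secret))}$/, ' ***')
end

# Defensive log check: true if the secret survives in raw or shell-escaped form.
def leaks_secret?(line, secret)
  line.include?(secret) || line.include?(Shellwords.escape(secret))
end

if __FILE__ == $0
  token = 'de569a0127402de2f1bd6f2a5bb61f2f00626151' # hash value from the log above
  # Alphanumeric passwords mask fine either way; the '!' case exposes the bug.
  %w[secret123 azerty!].each do |pw|
    msg = "Command execution fail: #{driver_command('myuser', token, pw)}"
    puts "naive: #{mask_naive(msg, pw)}  leaks=#{leaks_secret?(mask_naive(msg, pw), pw)}"
    puts "fixed: #{mask_fixed(msg, pw)}  leaks=#{leaks_secret?(mask_fixed(msg, pw), pw)}"
  end
end
```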

#8 Updated by Javi Fontan about 8 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

#9 Updated by Laurent Grawet about 8 years ago

Hi Javi,

Sorry for the delay but for whatever reason, I haven't been notified of the update.
I confirm the issue is gone now.

Thanks a lot.
Have a nice weekend,

Laurent
