Bug #1861
LDAP user password exposed in oned.log
| Status: | Closed | Start date: | 04/03/2013 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | Javi Fontan | % Done: | 0% |
| Category: | Drivers - Auth | | |
| Target version: | Release 4.0 | | |
| Resolution: | fixed | Pull request: | |
| Affected Versions: | OpenNebula 3.8 | | |
Description
Hi,
This is related to Bug #1860. When authentication fails because of bad group membership attribute (in ldap server), user password is exposed in oned.log. I've noticed passwords are generally masked with "***" but not in this specific case.
```
Wed Apr 3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser d912d36edf86023349eb0cbf38f4203b8eeecc4c mypassword
Wed Apr 3 10:33:39 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser d912d36edf86023349eb0cbf38f4203b8eeecc4c mypassword
Wed Apr 3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Trying server server 1
Wed Apr 3 10:33:39 2013 [AuM][I]: Trying server server 1
Wed Apr 3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 User myuser is not in group groupid=mygroup,ou=groups,o=myorganization,c=be
Wed Apr 3 10:33:39 2013 [AuM][I]: User myuser is not in group groupid=mygroup,ou=groups,o=myorganization,c=be
Wed Apr 3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 Could not authenticate user myuser
Wed Apr 3 10:33:39 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr 3 10:33:39 2013 [AuM][D]: Message received: LOG I 37 ExitCode: 255
```
Regards,
Laurent
Associated revisions
bug #1861: fix password black out when authentication fails
bug #1861: fix password black out when authentication fails
(cherry picked from commit 138181ee3ce70289f4167c9617e88f17456007ba)
History
#1 Updated by Javi Fontan over 8 years ago
- Status changed from New to Assigned
- Assignee set to Javi Fontan
#2 Updated by Javi Fontan about 8 years ago
I am not able to reproduce the problem, I get the asterisks on error:
```
Tue Apr 9 15:00:06 2013 [AuM][D]: Message received: LOG I 10 Command execution fail: /Users/jfontan/work/one/install/var/remotes/auth/ldap/authenticate ldap ldapuser ****
Tue Apr 9 15:00:06 2013 [AuM][I]: Command execution fail: /Users/jfontan/work/one/install/var/remotes/auth/ldap/authenticate ldap ldapuser ****
```
Are there any non-alphanumeric characters in the password?
#3 Updated by Laurent Grawet about 8 years ago
Yes, the problem only shows up for passwords with non-alphanumeric characters.
Just try adding a '!' to trigger this.
Laurent
#4 Updated by Laurent Grawet about 8 years ago
Well, in fact this problem is not related to #1860, as I managed to reproduce the problem with the right group membership attribute.
#5 Updated by Javi Fontan about 8 years ago
I am trying to reproduce the bug but I am not able to do so. Can you execute this script on your machine and send me the output? In case both gsub lines have the secret word changed to asterisks, can you change the secret to some password that behaves incorrectly in your setup?
```ruby
#!/usr/bin/env ruby
puts "==== #{RUBY_VERSION} ===="

# A secret containing regexp metacharacters, embedded at the end of a line
secret="secret(?!)$!"
text="some text and #{secret}"

# Escape the secret so it is matched literally, then build the mask pattern
# both as a literal and via Regexp.new
quoted=Regexp.escape(secret)
reg_a=/ #{quoted}$/
reg_b=Regexp.new(" #{quoted}$")

puts "secret: "+secret.inspect
puts "quoted: "+quoted.inspect
puts "reg_a: "+reg_a.inspect
puts "reg_b: "+reg_b.inspect

# Both substitutions should replace the secret with asterisks
puts "gsub a: "+text.gsub(reg_a, ' ***')
puts "gsub b: "+text.gsub(reg_b, ' ***')
```
I've tested this in ruby 1.8.7, 1.9.3 and 2.0. Works as expected.
#6 Updated by Laurent Grawet about 8 years ago
Hi,
Ok, here is a very simple (weak) password: azerty!
I'm not able to reproduce the problem with your script.
```
./secret-test.rb
==== 1.8.7 ====
secret: "azerty!"
quoted: "azerty!"
reg_a: / azerty!$/
reg_b: / azerty!$/
gsub a: some text and ***
gsub b: some text and ***
```
However, here is what I get when I try to log in from Sunstone with an existing user and this password (which is not the correct password associated with the user, so the authentication fails).
Notice the escaped '!' only present on output.
```
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][I]: Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][I]: Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 339 ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE FAILURE 339 -
Wed Apr 10 18:16:25 2013 [AuM][E]: Auth Error:
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2672 UID:- UserInfo invoked, -1
Wed Apr 10 18:16:25 2013 [ReM][E]: Req:2672 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 340 ExitCode: 0
Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 0
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 340 -
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2800 UID:1 UserPoolInfo invoked
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:2800 UID:1 UserPoolInfo result SUCCESS, "<USER_POOL><USER><ID..."
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate myuser de569a0127402de2f1bd6f2a5bb61f2f00626151 azerty\!
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][I]: Trying server server 1
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][I]: Bad user/password
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][I]: Could not authenticate user myuser
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: LOG I 341 ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][I]: ExitCode: 255
Wed Apr 10 18:16:25 2013 [AuM][D]: Message received: AUTHENTICATE FAILURE 341 -
Wed Apr 10 18:16:25 2013 [AuM][E]: Auth Error:
Wed Apr 10 18:16:25 2013 [ReM][D]: Req:336 UID:- UserInfo invoked, -1
Wed Apr 10 18:16:25 2013 [ReM][E]: Req:336 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
```
#7 Updated by Javi Fontan about 8 years ago
I think I've found the problem. Can you change the file /usr/lib/one/mads/one_auth_mad.rb, line 129, from:
```ruby
log_method_no_password(request_id, secret))
```
to:
```ruby
log_method_no_password(request_id, Shellwords.escape(secret)))
```
Restart OpenNebula and check if this continues to happen.
Thanks
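The mismatch behind this fix, as an added stand-alone example (not OpenNebula's own one_auth_mad.rb): the driver command line is built with the secret shell-escaped, so a password such as azerty! appears in the log as azerty\!, while a mask pattern built from the raw secret no longer matches and the escaped password is written out. Escaping the secret the same way before building the mask pattern makes the two agree. The command path and user name are copied from the log above; the hashed token argument of the real driver is left out, and the `build_command`, `mask_raw`, `mask_escaped` and `leaked?` helpers are assumptions for the demonstration.

```ruby
#!/usr/bin/env ruby
# Added example, not OpenNebula code: why shell-escaping the secret before
# masking matters when the log line itself contains the escaped form.
require 'shellwords'

# Build the driver command line as a shell-safe caller would: the secret is
# escaped so the shell receives it as a single literal argument.
# (Hypothetical helper; the real driver also passes a hashed token.)
def build_command(user, secret)
  "/var/lib/one/remotes/auth/ldap/authenticate #{user} #{Shellwords.escape(secret)}"
end

# Masking built from the raw secret. It only matches when Shellwords.escape
# left the secret unchanged, i.e. for plain alphanumeric passwords.
def mask_raw(line, secret)
  line.gsub(/ #{Regexp.escape(secret)}$/, ' ***')
end

# Masking built from the escaped secret: the pattern now matches the text
# that actually appears in the command line, whatever characters it holds.
def mask_escaped(line, secret)
  line.gsub(/ #{Regexp.escape(Shellwords.escape(secret))}$/, ' ***')
end

# Check helper: true if the secret survives in the line in raw or escaped form.
def leaked?(line, secret)
  line.include?(secret) || line.include?(Shellwords.escape(secret))
end

if __FILE__ == $0
  # Constructed sample passwords: plain, with '!', and with regexp metacharacters
  ['azerty', 'azerty!', 'secret(?!)$!'].each do |secret|
    line = build_command('myuser', secret)
    puts "raw mask:     #{mask_raw(line, secret)}  leaked=#{leaked?(mask_raw(line, secret), secret)}"
    puts "escaped mask: #{mask_escaped(line, secret)}  leaked=#{leaked?(mask_escaped(line, secret), secret)}"
  end
end
```

Running it shows the raw-secret mask working for azerty but leaving azerty\! in place, exactly the pattern in the log above, while the escaped mask blanks all three passwords. The general rule it illustrates: redact the representation that is actually being logged, not the value you started from.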
#8 Updated by Javi Fontan about 8 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
#9 Updated by Laurent Grawet about 8 years ago
Hi Javi,
Sorry for the delay, but for whatever reason I haven't been notified of the update.
I confirm the issue is gone now.
Thanks a lot.
Have a nice weekend,
Laurent