Weak secuirty model in OpenNebula
I consider the current security and especially authentication model used in OpenNebula as weak as:
- All RPC requests are transmitted in plain text.
- Passwords are transmitted in plain text and stored in plain text in OpenNebula (I understand that they are hashed, but as this is done on the client side it only makes the password more complicated, it does not encrypt it. I.e. the password hash is basically a more complicated plain text password based on the original password.
- If external authentication schemes are used, e.g. LDAP, password are not even hashed. This also makes authentication code more complicated as the client needs to decide whether to hash the password based on the authentication scheme used (which it should not need to care about).
I think to fix these issues, OpenNebula needs to:
- Use secure RPC to encrypt all RPC traffic.
- Send passwords un-hashed over the encrypted RPC and have the server take care of hashing when it is needed.
#2 Updated by Carsten Friedrich over 10 years ago
HTTPS proxy can be used to address the first issue, the other two still remain:
- Passwords should not be stored in plain text by OpenNebula. A simple misconfiguration e.g. as happened in http://lists.opennebula.org/pipermail/users-opennebula.org/2011-February/004018.html will expose all passwords and allow any user to act as any other user. Storing plain password is just a bad idea from a security perspective if it can be avoided.
- Clients should not need to know what authentication scheme OpenNebula uses internally to decide whether to hash passwords or not.
#3 Updated by Ruben S. Montero over 10 years ago
That is also address by the auth drivers, you can check for example the SSH module at