[Openstack-security] Credentials in clear text

Adam Lawson alawson at aqorn.com
Mon Apr 21 23:47:31 UTC 2014


Preventing access to passwords for the purpose of preventing unauthorized
access to data is another way I look at it.


*Adam Lawson*
AQORN, Inc.
427 North Tatnall Street
Ste. 58461
Wilmington, Delaware 19801-2230
Toll-free: (844) 4-AQORN-NOW
Direct: +1 (302) 268-6914



On Mon, Apr 21, 2014 at 4:46 PM, Adam Lawson <alawson at aqorn.com> wrote:

> My initial concern is specific to Swift and gaining global access to all
> data by virtue of having access to a single proxy node. It seems more than
> access to system resources but a flaw in how data is controlled (and
> passwords are controlled).
>
>
> *Adam Lawson*
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (844) 4-AQORN-NOW
> Direct: +1 (302) 268-6914
>
>
>
> On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>
>> This would be a nice hardening step, but if you have sudo on the box
>> there's a lot of things you can do/see.  This is just the tip of the
>> iceberg.  For example, access to the backend db?  Access to traffic on the
>> network / unix sockets / etc?  Access to logs.
>>
>> I am not aware of any current efforts to mask this information from the
>> config files.  But that doesn't mean it's not happening.  If someone is
>> aware of such an effort, I'd certainly be interested in learning more about
>> it.
>>
>> Cheers,
>> -bryan
>>
>>
>>
>>
>> On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <alawson at aqorn.com> wrote:
>>
>>> Have .conf files containing credentials and tokens been addressed, or are
>>> they being addressed? Seems there are a lot of keys to the kingdom clearly
>>> visible to staff who have access to systems for day-to-day admin work but
>>> don't/shouldn't be able to view them. If they have sudo access, they have
>>> everything they need to get where they don't belong. Really strikes me as
>>> an obvious audit issue...
>>>
>>>
>>> *Adam Lawson*
>>> AQORN, Inc.
>>> 427 North Tatnall Street
>>> Ste. 58461
>>> Wilmington, Delaware 19801-2230
>>> Toll-free: (844) 4-AQORN-NOW
>>> Direct: +1 (302) 268-6914
>>>
>>>
>>> _______________________________________________
>>> Openstack-security mailing list
>>> Openstack-security at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>
>>>
>>
>
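The audit issue raised in this thread (clear-text credentials sitting in OpenStack .conf files that admins can read) can be checked for mechanically. The script below is an added example, not code from the thread or from OpenStack: it parses an INI-style config, flags options whose names look like secrets, and reports whether the file is readable by group or other. The option-name pattern and the sample Swift-proxy-like config are constructed for the example.

```python
import configparser
import os
import re
import stat
import tempfile

# Option names that typically carry secrets in OpenStack-style INI configs, plus
# Swift tempauth "user_<account>_<user> = <key> ..." lines. This pattern is an
# assumption for the example, not an OpenStack-defined list.
SECRET_OPTION_RE = re.compile(r"(password|passwd|secret|token|_key)$|^user_", re.I)

# Constructed sample loosely modelled on a Swift proxy-server.conf; not a real file.
SAMPLE_CONF = """\
[DEFAULT]
bind_port = 8080
[filter:authtoken]
auth_uri = http://controller:5000
admin_user = swift
admin_password = SampleOnly123
admin_tenant_name = service
[filter:tempauth]
user_admin_admin = SampleSecret .admin
"""


def find_clear_text_credentials(path):
    """Return (section, option) pairs whose name looks secret-bearing and whose value is non-empty."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if SECRET_OPTION_RE.search(option) and value.strip():
                findings.append((section, option))
    return findings


def is_readable_by_others(path):
    """True if group or other has read permission, i.e. more than the file owner can see the secrets."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Combine both checks into one report for a single config file."""
    return {"credentials": find_clear_text_credentials(path),
            "readable_by_others": is_readable_by_others(path)}


def demo():
    """Write the constructed sample with a lax 0644 mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(SAMPLE_CONF)
        path = f.name
    os.chmod(path, 0o644)  # deliberately world-readable to trigger the finding
    return audit(path)
```

Run `audit()` over each file under /etc/swift, /etc/nova and similar directories to get a list of files that both hold secrets and are readable beyond their owner.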