[Openstack-security] [Bug 1158328] Re: passwords in config files stored in plaintext

Adrian Otto 1158328 at bugs.launchpad.net
Tue Mar 4 14:51:55 UTC 2014


I see Barbican as the right tool for this job. The configuration file
can get the secret identifier, and the secret itself can be stored in
Barbican where it can be centrally fortified, access controlled, access
logged, and could be revoked. The service would use an HTTPS request to
retrieve the secret from its encrypted remote storage in Barbican on an
as-needed basis.

--
Adrian
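The design Adrian sketches above, as an added example that is not code from the thread, from Nova or from Barbican: a config loader that resolves `barbican://<secret-id>` references (an assumed syntax) through Barbican's real `GET /v1/secrets/{id}/payload` call and flags any value that still carries an inline password. The fetcher is injected so the resolver can be exercised without a Barbican endpoint.

```python
"""Resolve Barbican secret references in a nova-style config instead of keeping
plaintext passwords on disk.  Illustration only: the 'barbican://' reference
syntax and the helper names are assumptions, not a Nova or Barbican feature."""
import configparser
import re
import urllib.request
from typing import Callable

SECRET_REF = re.compile(r"^barbican://(?P<id>[0-9a-f-]{36})$")  # assumed syntax
# Matches a URL with an embedded password, e.g. mysql://nova:secret@db/nova
PLAINTEXT_URL_PW = re.compile(r"^[a-z+]+://[^:/@]+:[^@]+@")

# Constructed sample config: two values are references to secrets held in
# Barbican, one legacy value still embeds a password in the connection URL.
SAMPLE_CONF = """
[database]
connection = barbican://11111111-2222-3333-4444-555555555555
[keystone_authtoken]
admin_password = barbican://66666666-7777-8888-9999-000000000000
[legacy]
connection = mysql://nova:hunter2@db.example/nova
"""

def barbican_payload(endpoint: str, token: str, secret_id: str) -> str:
    """Fetch one secret's payload over HTTPS from Barbican's v1 API
    (GET /v1/secrets/{id}/payload, authenticated with a Keystone token)."""
    req = urllib.request.Request(
        f"{endpoint}/v1/secrets/{secret_id}/payload",
        headers={"X-Auth-Token": token, "Accept": "text/plain"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def resolve_config(text: str, fetch: Callable[[str], str]) -> tuple[dict, list]:
    """Return ({section: {key: value}}, warnings).  Secret references are
    replaced by the payload `fetch` returns; values that still embed a
    plaintext password are reported rather than silently accepted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    resolved, warnings = {}, []
    for section in cp.sections():
        resolved[section] = {}
        for key, value in cp.items(section):
            m = SECRET_REF.match(value)
            if m:
                value = fetch(m.group("id"))  # secret only ever lives in memory
            elif PLAINTEXT_URL_PW.match(value):
                warnings.append(f"[{section}] {key}: inline plaintext password")
            resolved[section][key] = value
    return resolved, warnings
```

In a real service `fetch` would be `lambda sid: barbican_payload(endpoint, token, sid)`, and the token itself would come from Keystone rather than from the same config file.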

On Mar 4, 2014, at 2:01 AM, "Daniël W. Crompton"
<daniel.crompton at gmail.com> wrote:


A shadow-like password wouldn't be possible, as it needs to be reversible. And as it's reversible, anybody with access to the file would be able to reverse it with the encryption scheme, making it security by obscurity.

This could probably best be solved with something like a pkcs7 key
exchange, although this would be a little more work.

D.

On Mar 4, 2014 10:35 AM, "Matt Fischer" <matt at mattfischer.com> wrote:
I see this bug is old and Wishlisted so it may never get fixed, but I'd
like to add that plaintext passwords are generally a no-no when the
service account auth is managed by Corporate AD or LDAP. It may
complicate some deployments but it would be nice to have a solution to
this.

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1158328

Title:
  passwords in config files stored in plaintext

Status in OpenStack Compute (Nova):
  Confirmed

Bug description:
  The credentials for database connections and the keystone authtoken
  are stored in plaintext within the nova.conf and apipaste config
  files.

  These values should be encrypted. A scheme similar to /etc/shadow
  would be great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1158328/+subscriptions

_______________________________________________
Openstack-security mailing list
Openstack-security at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security

