[Openstack-security] [Bug 1158328] Re: passwords in config files stored in plaintext

Daniel Berrange 1158328 at bugs.launchpad.net
Tue Sep 16 11:28:19 UTC 2014


With postgresql at least you can configure it to authenticate with
GSSAPI+Kerberos at which point there is no need to use passwords at all.
I'm not sure if MySQL has the same level of GSSAPI integration, but this
is the kind of approach we need to take.

Use of any kind of password auth is the root cause flaw, regardless of
whether Nova has the passwd in a plain text file. So we need to identify
recommendations on how to configure Nova + databases, etc. without use
of passwords at all.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1158328

Title:
  passwords in config files stored in plaintext

Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  The credentials for database connections and the keystone authtoken
  are stored in plaintext within the nova.conf and apipaste config
  files.

  These values should be encrypted.  A scheme similar to /etc/shadow
  would be great.
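
An added example, not part of the original message or of Nova: a small audit that lists which options in a nova.conf-style file carry a plaintext credential, the condition the bug describes. The `connection` and `admin_password` option names are nova.conf options; the sample file, hosts and secrets are constructed, and the passwordless URL assumes the database authenticates the client by other means such as the GSSAPI setup mentioned in the comment.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample in nova.conf style; hosts and secrets are made up.
SAMPLE_CONF = """
[database]
connection = postgresql://nova:s3cret@db.example.org/nova

[keystone_authtoken]
admin_user = nova
admin_password = hunter2

[api_database]
connection = postgresql://nova@db.example.org/nova
"""


def find_plaintext_secrets(conf_text):
    """Return sorted (section, option) pairs that hold a plaintext secret."""
    # RawConfigParser: no '%' interpolation, so URL-encoded passwords parse.
    # default_section is renamed so [DEFAULT] is audited like any section
    # instead of being merged into every other one.
    parser = configparser.RawConfigParser(
        strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            value = value.strip()
            if not value:
                continue
            # Option named like a secret, e.g. admin_password.
            if option.endswith(("password", "secret")):
                findings.append((section, option))
            # URL with a password in its userinfo part (user:pass@host).
            elif "://" in value and urlsplit(value).password:
                findings.append((section, option))
    return sorted(findings)


if __name__ == "__main__":
    for section, option in find_plaintext_secrets(SAMPLE_CONF):
        print(f"[{section}] {option}: plaintext credential")
```

The `[api_database]` entry is not reported because its URL has no password component, which is the shape a connection string takes once password authentication is dropped.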
