[Openstack-security] [Bug 1158328] Re: passwords in config files stored in plaintext

Jeremy Stanley fungi at yuggoth.org
Tue Sep 16 13:54:03 UTC 2014


Agreed. Obfuscation or symmetric encryption of passwords does not
actually solve anything either, and is ultimately no better than plain
text under most circumstances. The actual solution to the issues raised
here is to not use passwords at all. Hopefully "enterprise" auditors
will encourage systems which don't use passwords rather than bandages
over something we've agreed for decades is bad practice.

As for MySQL, 5.5.7 and later support pluggable authentication backends:
http://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
Perhaps this is something worth documenting in an upcoming revision of
the security guide?

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1158328

Title:
  passwords in config files stored in plaintext

Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  The credentials for database connections and the keystone authtoken
  are stored in plaintext within the nova.conf and apipaste config
  files.

  These values should be encrypted.  A scheme similar to /etc/shadow
  would be great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1158328/+subscriptions
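
An added example, not part of the original message or of Nova's own code: a small audit for the condition the bug describes, reporting which options in a nova.conf-style file carry a credential, either as a password option or inside a database connection URL. The option names and all values in the sample are constructed assumptions in the style of nova.conf; a connection URL with no password in it produces no finding.

```python
import configparser
from urllib.parse import urlsplit

# Option-name suffixes treated as secrets (an assumption; extend per deployment).
SECRET_SUFFIXES = ("password", "secret")

# Constructed sample in the style of nova.conf; every value is made up.
SAMPLE_CONF = """\
[DEFAULT]
rabbit_password = guest-example
[database]
connection = mysql://nova:s3cret-example@dbhost.example/nova
[keystone_authtoken]
admin_password = hunter2-example
[passwordless]
connection = mysql://nova@dbhost.example/nova
"""


def url_password(value):
    """Return the password embedded in a URL's userinfo, or None."""
    try:
        return urlsplit(value).password
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None


def find_plaintext_secrets(conf_text):
    """Return sorted (section, option, reason) findings; values are never returned."""
    parser = configparser.ConfigParser(
        interpolation=None,                 # '%' in a password is literal
        default_section="__no_defaults__",  # treat [DEFAULT] as an ordinary section
        strict=False,                       # tolerate repeated options
    )
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if option.endswith(SECRET_SUFFIXES) and value.strip():
                findings.append((section, option, "secret option set"))
            elif url_password(value):
                findings.append((section, option, "password in URL"))
    return sorted(findings)


if __name__ == "__main__":
    for section, option, reason in find_plaintext_secrets(SAMPLE_CONF):
        print(f"[{section}] {option}: {reason}")
```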



