<p dir="ltr">We do this today with X509 certificates using the external auth plugin for Keystone. Services and users auth directly with X509 certificates to get tokens.</p>
<p dir="ltr">Nate</p>
<div class="gmail_quote">On Apr 23, 2014 12:23 AM, "Adam Young" <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 04/22/2014 11:29 AM, Clark, Robert
Graham wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As
Bryan mentioned already, a user with access to production
systems, particularly one with sudo/root access – is in an
incredibly privileged position. On its own this is an
auditing issue but it’s a recognised one. In most
deployments subject to auditing (i.e. production) it’s
likely that compensating controls such as gated access, user
logging, MAC etc. are all in place to control the risk.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s
a messy problem to deal with. I’ve seen approaches where the
process and configuration file are both owned by an elevated
user; once the process has loaded the configuration file it
drops privs and can no longer read the file. This can be
useful as a mechanism for avoiding directory traversal in
web services etc. I’m not sure how viable an approach this
would be with something like Swift.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rob</span></p>
</div>
</blockquote>
<br>
I'd like to see a concerted effort to allow all services to get
keystone tokens with either Kerberos (keytabs) or X509 client
certificates.<br>
<br>
<blockquote type="cite">
<div>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" lang="EN-US"> Bryan D. Payne [<a href="mailto:bdpayne@acm.org" target="_blank">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 22 April 2014 01:16<br>
<b>To:</b> Adam Lawson<br>
<b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security] Credentials
in clear text<u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal">This is fair. I'm not personally
familiar with Swift, so I will let others chime in on
that.<u></u><u></u></p>
<div>
<p class="MsoNormal">-bryan<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at 4:47 PM, Adam
Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Preventing access to passwords
for the purpose of preventing unauthorized access to
data is another way I look at it.<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><i><span style="font-family:"Arial","sans-serif""><br>
Adam Lawson</span></i></b><span style="font-family:"Arial","sans-serif""><u></u><u></u></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">AQORN,
Inc.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">427
North Tatnall Street<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Ste.
58461<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Wilmington,
Delaware 19801-2230<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Toll-free:
(844) 4-AQORN-NOW<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#666666">Direct:
</span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style="font-family:"Arial","sans-serif"">+1
(302) 268-6914</span></a><span style="font-family:"Arial","sans-serif";color:#666666"><u></u><u></u></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif""><img src="http://www.aqorn.com/images/logo.png" alt="http://www.aqorn.com/images/logo.png" height="49" border="0" width="120"></span><span style="font-family:"Arial","sans-serif""><u></u><u></u></span></p>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at
4:46 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">My initial concern is
specific to Swift and gaining global
access to all data by virtue of having
access to a single proxy node. It seems
more than access to system resources but a
flaw in how data is controlled (and
passwords are controlled).<u></u><u></u></p>
</div>
<div>
<div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21,
2014 at 4:41 PM, Bryan D. Payne <<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>>
wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">This would be
a nice hardening step, but if
you have sudo on the box there's
a lot of things you can do see.
This is just the tip of the
iceberg. For example, access to
the backend db? Access to
traffic on the network / unix
sockets / etc? Access to logs.<u></u><u></u></p>
<div>
<p class="MsoNormal">I am not
aware of any current efforts
to mask this information from
the config files. But that
doesn't mean it's not
happening. If someone is
aware of such an effort, I'd
certainly be interested in
learning more about it.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Cheers,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">-bryan<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon,
Apr 21, 2014 at 4:26 PM,
Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:<u></u><u></u></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Have
.conf files containing
credentials and tokens
been addressed or
being addressed? Seems
there are a lot of
keys to the kingdom
clearly visible to
staff who have access
to systems for
day-to-day admin work
but don't/shouldn't be
able to view them. If
they have sudo access,
they have everything
they need to get where
they don't belong.
Really strikes me as
an obvious audit
issue...<span style="color:#888888"><u></u><u></u></span></p>
<div>
<div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
Openstack-security mailing
list<br>
<a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><u></u><u></u></p>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br></blockquote></div>
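<p>The one concrete mitigation proposed in this thread is Rob's pattern: the config file is owned by a privileged user and readable only by it, the service parses it once at startup while still privileged, and then drops privileges irreversibly so that neither the process nor anyone who later gets the process's identity can re-read the file. The block below is an added example written for this thread; it is not code from the list, from Swift or from Keystone. It assumes a constructed ini-style file with a <code>[filter:authtoken]</code> section (section and key names are illustrative, not taken from a real proxy-server.conf), an unprivileged account named <code>nobody</code>, and a Linux/POSIX host. The ownership check and the "is it still readable" probe are the two things a reviewer would want to see alongside the drop itself.</p>

```python
import configparser
import os
import pwd
import stat
import tempfile

# Constructed sample in the style of an OpenStack paste/ini config. The
# section and key names are assumptions for this example, not a real file.
DEMO_CONFIG = """[filter:authtoken]
auth_host = keystone.example.invalid
admin_user = swift
admin_password = constructed-secret
"""


def make_demo_config(mode=0o600):
    """Write the constructed config to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(DEMO_CONFIG)
    os.chmod(path, mode)
    return path


def check_config_perms(path):
    """Return a list of ownership/mode problems; empty means root-owned with no group/other bits."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by uid 0")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set")
    return problems


def load_secrets(path):
    """Read the config while still privileged; keep only the fields the service needs in memory."""
    cp = configparser.ConfigParser()
    with open(path) as fh:
        cp.read_file(fh)
    return {
        "admin_user": cp.get("filter:authtoken", "admin_user", fallback=None),
        "admin_password": cp.get("filter:authtoken", "admin_password", fallback=None),
    }


def running_as_root():
    return os.geteuid() == 0


def drop_privileges(user):
    """Irreversibly switch to the given user's uid and primary gid. Order matters:
    supplementary groups, then gid, then uid, because each step needs the privilege
    the next one gives up. Raises if not started as root or if the drop is reversible."""
    if not running_as_root():
        raise PermissionError("privilege drop requires starting as root")
    pw = pwd.getpwnam(user)          # 'nobody' is an assumption for this example
    os.setgroups([])                 # shed supplementary groups first
    os.setgid(pw.pw_gid)             # primary group while we can still change it
    os.setuid(pw.pw_uid)             # real, effective and saved uid all change
    os.umask(0o077)
    try:
        os.setuid(0)                 # must now fail; if it succeeds the drop was not real
    except PermissionError:
        return
    raise RuntimeError("privilege drop is reversible; refusing to continue")


def still_readable(path):
    """True if the current (post-drop) identity can still open the file."""
    try:
        with open(path):
            return True
    except PermissionError:
        return False


if __name__ == "__main__":
    path = make_demo_config(0o600)
    print("config problems:", check_config_perms(path) or "none")
    secrets = load_secrets(path)
    if running_as_root():
        drop_privileges("nobody")
        print("readable after drop:", still_readable(path))
    print("service keeps only:", sorted(secrets))
```

<p>Run as an ordinary user the script only reports the permission check (the temp file is not root-owned, so that problem is listed) and refuses to drop privileges; run as root it parses the file, drops to <code>nobody</code>, and reports <code>readable after drop: False</code> for a 0600 root-owned file. The caveat Bryan raises still applies: the credential now lives only in the process's memory, so this blocks a casual read of the file by an operator without full sudo, not inspection of the running process by someone who has it.</p>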