<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Consolas","serif";
        mso-fareast-language:EN-GB;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>So in this example you’d require manual intervention to provide the encryption key. (I believe ‘read’ takes data from the CLI).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>That’s not going to work for anyone running OpenStack at any sort of scale. Of course if systems had valid ways to authenticate with Keystone they could query Barbican for key material, once Barbican is a little more mature. Then maybe you could look at encrypted configuration files a little more realistically.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'>-Rob<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Adam Lawson [mailto:alawson@aqorn.com] <br><b>Sent:</b> 23 April 2014 17:49<br><b>To:</b> Tim Bell<br><b>Cc:</b> openstack-security@lists.openstack.org<br><b>Subject:</b> Re: [Openstack-security] 
Credentials in clear text<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>How feasible (or unfeasible) would it be for each service to look for an encrypted conf file and use the clear text version if the encrypted file doesn't exist? The file could be all settings but technically only credentials and tokens would need this level of protection in my estimation.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I could envision doing this, for example, with OpenSSL as follows (bash for example):<o:p></o:p></p></div><div><pre>#!/bin/bash
# OpenSSL file encryption
decrypt=credentials.txt
encrypt=${decrypt}.encrypted
if [[ $# -eq 0 ]] ; then        # encrypt creds in file
    read -r -p "Username: " username
    read -r -s -p "Password: " password
    echo                        # newline after the silent read
    # write creds to the file; openssl prompts for the passphrase on the terminal
    echo "${username}:${password}" | openssl des3 -salt -out "$encrypt"
elif [[ $1 = '-d' ]] ; then     # decrypt creds from file
    openssl des3 -d -salt -in "$encrypt" -out "$decrypt"
else
    echo "Error: $1 invalid. Decrypt='-d', Encrypt=no-args" &gt;&amp;2
    exit 1
fi</pre></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thoughts? 
It just seems (to me of course) like a meaningful design option for companies who cannot afford to give credentials to all sysadmins with sudo access to *any* of the nodes for a given solution.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><div><div><div><p class=MsoNormal><b><i><span style='font-family:"Arial","sans-serif"'><br>Adam Lawson</span></i></b><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: +1 (302) 268-6914<o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><img width=96 height=39 id="_x0000_i1025" src="http://www.aqorn.com/images/logo.png"><o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Wed, Apr 23, 2014 at 7:24 AM, Tim Bell <<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think Jose from CERN has been putting in some work on the clients and the server for Kerberos in this area. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>There were some problems with the Kerberos packaging and pre-reqs along with how to fake a Kerberos server in the test suite but he was making progress.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Is this on the summit agenda? 
It would be good to get it working since I think it was on my summit talk in Boston.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Tim</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:18.0pt;font-family:"Arial","sans-serif";color:#41454D'>Activity Log</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><img border=0 width=80 height=80 id="_x0000_i1026" src="cid:image001.png@01CF5F1E.CF2E9D70" alt="http://www.gravatar.com/avatar/a1040384?s=64&d=identicon"></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><a href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Jose Castro Leon</span></a> (<a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN" target="_blank"><span style='color:#D32F1A;text-decoration:none'>CERN</span></a>)</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>08 Apr 2014 07:14:32 in <a 
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=python-keystoneclient" target="_blank"><span style='color:#D32F1A;text-decoration:none'>python-keystoneclient</span></a></span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Review “Initial kerberos plugin implementation.”</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Submitted by: <a href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Jose Castro Leon</span></a> (<a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN" target="_blank"><span style='color:#D32F1A;text-decoration:none'>CERN</span></a>) (#35)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Change Id: <a href="https://review.openstack.org/74974" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Idf02bf27b5933c00827dd08d11ac131896184ad8</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:green'>Code Review: <b>1</b></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><img border=0 width=80 height=80 id="_x0000_i1027" src="cid:image001.png@01CF5F1E.CF2E9D70" alt="http://www.gravatar.com/avatar/a1040384?s=64&d=identicon"></span><o:p></o:p></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><a href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Jose Castro Leon</span></a> (<a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN" target="_blank"><span style='color:#D32F1A;text-decoration:none'>CERN</span></a>)</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>02 Apr 2014 14:59:32 in <a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=requirements" target="_blank"><span style='color:#D32F1A;text-decoration:none'>requirements</span></a></span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Review “kerberos requires an additional requests library. 
Older versions break in py33”</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Submitted by: <a href="http://stackalytics.com/?user_id=ayoung&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Adam Young</span></a> (<a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=Red+Hat" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Red Hat</span></a>) (#200)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Change Id: <a href="https://review.openstack.org/84740" target="_blank"><span style='color:#D32F1A;text-decoration:none'>I2100915f123c0fea41d5b17d01947901aa0119c5</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:green'>Code Review: <b>1</b></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><img border=0 width=80 height=80 id="_x0000_i1028" src="cid:image002.png@01CF5F1E.CF2E9D70" alt="http://www.gravatar.com/avatar/a1657571576?s=64&d=identicon"></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><a href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Jose Castro Leon</span></a> (<a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN" target="_blank"><span 
style='color:#D32F1A;text-decoration:none'>CERN</span></a>)</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>20 Feb 2014 09:21:31 in <a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=python-keystoneclient" target="_blank"><span style='color:#D32F1A;text-decoration:none'>python-keystoneclient</span></a></span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Patch “Initial kerberos plugin implementation.”</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Current Status: ABANDONED</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Change Id: <a href="https://review.openstack.org/74974" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Idf02bf27b5933c00827dd08d11ac131896184ad8</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><img border=0 width=80 height=80 id="_x0000_i1029" src="cid:image002.png@01CF5F1E.CF2E9D70" alt="http://www.gravatar.com/avatar/a1657571576?s=64&d=identicon"></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'><a href="http://stackalytics.com/?user_id=jose-castro-leon&project_type=all&release=all&metric=all&company=" target="_blank"><span style='color:#D32F1A;text-decoration:none'>Jose Castro Leon</span></a> (<a 
href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=CERN" target="_blank"><span style='color:#D32F1A;text-decoration:none'>CERN</span></a>)</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>18 Feb 2014 10:19:23 in <a href="http://stackalytics.com/?user_id=&project_type=all&release=all&metric=all&company=&module=keystone" target="_blank"><span style='color:#D32F1A;text-decoration:none'>keystone</span></a></span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Patch “Initial kerberos plugin implementation.”</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Current Status: ABANDONED</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Arial","sans-serif";color:#41454D'>Change Id: <a href="https://review.openstack.org/74317" target="_blank"><span style='color:#D32F1A;text-decoration:none'>I2fad67c3613c273187f6ca32985d360352c81bf8</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Nathanael Burton [mailto:<a href="mailto:nathanael.i.burton.work@gmail.com" target="_blank">nathanael.i.burton.work@gmail.com</a>] <br><b>Sent:</b> 23 April 2014 14:42<br><b>To:</b> Adam Young</span><o:p></o:p></p><div><div><p class=MsoNormal><br><b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br><b>Subject:</b> Re: [Openstack-security] Credentials in clear text<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p>We have to configure the Apache layer to set the component we want as the REMOTE_USER, but other than that I believe that's pretty much all it takes on the Keystone side. Changes were necessary to some of the Python clients and service code, mainly to get them to pass certificates along.  Not all these changes have been proposed upstream yet, although we plan to.<o:p></o:p></p><p>Thanks,<o:p></o:p></p><p>Nate<o:p></o:p></p></div></div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Apr 23, 2014 8:33 AM, "Adam Young" <<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>> wrote:<o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/23/2014 08:29 AM, Nathanael Burton wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p>We do this today with X509 certificates using the external auth plugin for Keystone. 
Services and users auth directly with X509 certificates to get tokens.<o:p></o:p></p></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>Have you modified it at all?  I have yet to try, but I thought with mod_ssl and external, REMOTE_USER was not set.  It was my understanding that the following vars were set in its place:<br><br><a href="http://www.freeipa.org/page/Environment_Variables#X.509_Authentication" target="_blank">http://www.freeipa.org/page/Environment_Variables#X.509_Authentication</a><br><br><o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p>Nate<o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Apr 23, 2014 12:23 AM, "Adam Young" <<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>> wrote:<o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/22/2014 11:29 AM, Clark, Robert Graham wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As Bryan mentioned already, a user with access to production systems, particularly one with sudo/root access, is in an incredibly privileged position. On its own this is an auditing issue but it’s a recognised one. In most deployments subject to auditing (i.e. production) it’s likely that compensating controls such as gated access, user logging, MAC etc. 
are all in place to control the risk.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It’s a messy problem to deal with. I’ve seen approaches where the process and configuration file are both owned by an elevated user; once the process has loaded the configuration file it drops privs and can no longer read the file. This can be useful as a mechanism for avoiding directory traversal in web services etc. I’m not sure how viable an approach this would be with something like Swift.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rob</span><o:p></o:p></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>I'd like to see a concerted effort to allow all services to get Keystone tokens with either Kerberos (keytabs) or X509 client certificates.<br><br><o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Bryan D. 
Payne [<a href="mailto:bdpayne@acm.org" target="_blank">mailto:bdpayne@acm.org</a>] <br><b>Sent:</b> 22 April 2014 01:16<br><b>To:</b> Adam Lawson<br><b>Cc:</b> <a href="mailto:openstack-security@lists.openstack.org" target="_blank">openstack-security@lists.openstack.org</a><br><b>Subject:</b> Re: [Openstack-security] Credentials in clear text</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This is fair.  I'm not personally familiar with Swift, so I will let others chime in on that.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-bryan<o:p></o:p></p></div></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Apr 21, 2014 at 4:47 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Preventing access to passwords for the purpose of preventing unauthorized access to data is another way I look at it.<o:p></o:p></p></div></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br clear=all><o:p></o:p></p><div><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-family:"Arial","sans-serif"'><br>Adam Lawson</span></i></b><o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span 
style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><o:p></o:p></p></div></div></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";border:solid windowtext 1.0pt;padding:0cm'><img border=0 width=120 height=49 id="_x0000_i1030" src="cid:image003.jpg@01CF5F1E.CF2E9D70" alt="Image removed by sender. 
http://www.aqorn.com/images/logo.png"></span><o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p></div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Apr 21, 2014 at 4:46 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My initial concern is specific to Swift and gaining global access to all data by virtue of having access to a single proxy node. It seems more than access to system resources but a flaw in how data is controlled (and passwords are controlled).<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br clear=all><o:p></o:p></p><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-family:"Arial","sans-serif"'><br>Adam Lawson</span></i></b><o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 
58461</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><o:p></o:p></p></div></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";border:solid windowtext 1.0pt;padding:0cm'><img border=0 width=120 height=49 id="_x0000_i1031" src="cid:image003.jpg@01CF5F1E.CF2E9D70" alt="Image removed by sender. http://www.aqorn.com/images/logo.png"></span><o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p></div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Apr 21, 2014 at 4:41 PM, Bryan D. Payne <<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This would be a nice hardening step, but if you have sudo on the box there's a lot of things you can do see.  This is just the tip of the iceberg.  For example, access to the backend db?  Access to traffic on the network / unix sockets / etc?  
Access to logs.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am not aware of any current efforts to mask this information from the config files.  But that doesn't mean it's not happening.  If someone is aware of such an effort, I'd certainly be interested in learning more about it.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-bryan<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>> wrote:<o:p></o:p></p></div></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Have .conf files containing credentials and tokens been addressed, or are they being addressed? Seems there are a lot of keys to the kingdom clearly visible to staff who have access to systems for day-to-day admin work but don't/shouldn't be able to view them. If they have sudo access, they have everything they need to get where they don't belong. 
Really strikes me as an obvious audit issue...<o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#888888'><br clear=all></span><o:p></o:p></p><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-family:"Arial","sans-serif";color:#888888'><br>Adam Lawson</span></i></b><o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>AQORN, Inc.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>427 North Tatnall Street</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Ste. 58461</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Wilmington, Delaware 19801-2230</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Toll-free: (844) 4-AQORN-NOW</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#666666'>Direct: </span><a href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span style='font-family:"Arial","sans-serif"'>+1 (302) 268-6914</span></a><o:p></o:p></p></div></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial","sans-serif";color:#888888;border:solid windowtext 1.0pt;padding:0cm'><img border=0 width=120 height=49 id="_x0000_i1032" 
src="cid:image003.jpg@01CF5F1E.CF2E9D70" alt="Image removed by sender. http://www.aqorn.com/images/logo.png"></span><o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>_______________________________________________<br>Openstack-security mailing list<br><a href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><o:p></o:p></p></div></blockquote></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></blockquote></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>
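The audit issue raised in this thread, credentials and tokens sitting in .conf files that any admin with read access or sudo can see, as an added Python example that is not from the thread and not OpenStack project code: it parses an OpenStack-style INI file for credential-bearing options (including database URLs with an embedded password) and reports whether the file's mode lets group or world read it. The option-name pattern and the sample config are assumptions; every value in the sample is a placeholder.

```python
"""Audit OpenStack-style .conf files for plaintext credentials and loose file
modes. Added example for the thread above, not OpenStack project code."""
import configparser, os, re, stat, tempfile

SECRET_OPTION = re.compile(r"(password|token|secret|_key)$", re.I)  # assumed, not exhaustive
URL_CREDS = re.compile(r"^[a-z0-9+.-]+://[^/:@\s]+:[^@\s]+@", re.I)  # scheme://user:pass@host

SAMPLE_CONF = """\
[DEFAULT]
bind_port = 8080
[filter:authtoken]
admin_user = swift
admin_password = PLACEHOLDER_PASSWORD
admin_token = PLACEHOLDER_TOKEN
[database]
connection = mysql://keystone:PLACEHOLDER_DBPASS@db.example.internal/keystone
"""  # constructed sample; every value is a placeholder, not a real credential

def classify(option, value):
    if SECRET_OPTION.search(option):
        return "secret-looking option name"
    if URL_CREDS.match(value):
        return "credentials embedded in URL"
    return None  # e.g. admin_user: an identity, not a secret

def find_secrets(text):
    """(section, option, reason) triples; values are never echoed into the report."""
    cp = configparser.RawConfigParser(strict=False)  # raw: no %-interpolation surprises
    cp.read_string(text)
    defaults = cp.defaults()
    triples = [("DEFAULT", o, v) for o, v in defaults.items()]
    for section in cp.sections():  # skip values merely inherited from [DEFAULT]
        triples += [(section, o, v) for o, v in cp.items(section) if defaults.get(o) != v]
    return [(s, o, r) for s, o, v in triples if (r := classify(o, v))]

def mode_issues(path):  # read bits beyond the owner let every admin in that set read the secrets
    return [name for bit, name in ((stat.S_IRGRP, "group-readable"), (stat.S_IROTH, "world-readable"))
            if os.stat(path).st_mode & bit]

def demo(mode=0o644):  # write the sample with the given mode, audit it, clean up
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, mode)
        with open(path) as fh:
            return {"secrets": find_secrets(fh.read()), "mode": mode_issues(path)}
    finally:
        os.remove(path)
```

Run `demo()` against the placeholder file to see the three flagged options and the two mode findings; `demo(0o600)` shows the same secrets with an empty mode list, which is the minimum a deployment should reach before any key-management work.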