<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/23/2014 08:29 AM, Nathanael
Burton wrote:<br>
</div>
<blockquote
cite="mid:CAM+Mi=vas5XJeoszb=jm90Se6asMmAvEgFTHM2tQg_5+vCk61A@mail.gmail.com"
type="cite">
<p dir="ltr">We do this today with X509 certificates using the
external auth plugin for Keystone. Services and users auth
directly with X509 certificates to get tokens.</p>
</blockquote>
<br>
Have you modified it at all? I have yet to try, but I thought that with
mod_ssl and external, REMOTE_USER was not set. It was my
understanding that the following vars were set in its place:<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Environment_Variables#X.509_Authentication">http://www.freeipa.org/page/Environment_Variables#X.509_Authentication</a><br>
<br>
<blockquote
cite="mid:CAM+Mi=vas5XJeoszb=jm90Se6asMmAvEgFTHM2tQg_5+vCk61A@mail.gmail.com"
type="cite">
<p dir="ltr">Nate</p>
<div class="gmail_quote">On Apr 23, 2014 12:23 AM, "Adam Young"
<<a moz-do-not-send="true" href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 04/22/2014 11:29 AM, Clark, Robert Graham wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As
Bryan mentioned already, a user with access to
production systems, particularly one with sudo/root
access – is in an incredibly privileged position. On
its own this is an auditing issue but it’s a
recognised one. In most deployments subject to
auditing (i.e. production) it’s likely that
compensating controls such as gated access, user
logging, MAC etc. are all in place to control the
risk.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s
a messy problem to deal with. I’ve seen approaches
where the process and configuration file are both
owned by an elevated user; once the process has
loaded the configuration file it drops privs and can
no longer read the file. This can be useful as a
mechanism for avoiding directory traversal in web
services etc. I’m not sure how viable an approach
this would be with something like Swift.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rob</span></p>
</div>
</blockquote>
<br>
I'd like to see a concerted effort toward allowing all services
to get keystone tokens with either Kerberos (keytabs) or
X509 client certificates.<br>
<br>
<blockquote type="cite">
<div>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="EN-US"> Bryan D. Payne [<a
moz-do-not-send="true"
href="mailto:bdpayne@acm.org"
target="_blank">mailto:bdpayne@acm.org</a>]
<br>
<b>Sent:</b> 22 April 2014 01:16<br>
<b>To:</b> Adam Lawson<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openstack-security@lists.openstack.org"
target="_blank">openstack-security@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack-security]
Credentials in clear text</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">This is fair. I'm not
personally familiar with Swift, so I will let
others chime in on that.</p>
<div>
<p class="MsoNormal">-bryan</p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> </p>
<div>
<p class="MsoNormal">On Mon, Apr 21, 2014 at 4:47
PM, Adam Lawson <<a moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:</p>
<blockquote style="border:none;border-left:solid
#cccccc 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Preventing access to
passwords for the purpose of preventing
unauthorized access to data is another way I
look at it.</p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><i><span
style="font-family:"Arial","sans-serif""><br>
Adam Lawson</span></i></b><span
style="font-family:"Arial","sans-serif""></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">AQORN,
Inc.</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">427
North Tatnall Street</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Ste.
58461</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Wilmington,
Delaware 19801-2230</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Toll-free:
(844) 4-AQORN-NOW</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif";color:#666666">Direct:
</span><a moz-do-not-send="true"
href="tel:%2B1%20%28302%29%20268-6914" target="_blank"><span
style="font-family:"Arial","sans-serif"">+1
(302) 268-6914</span></a><span
style="font-family:"Arial","sans-serif";color:#666666"></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial","sans-serif""><img
moz-do-not-send="true"
src="http://www.aqorn.com/images/logo.png"
alt="http://www.aqorn.com/images/logo.png" height="49" border="0"
width="120"></span><span
style="font-family:"Arial","sans-serif""></span></p>
</div>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"> </p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon, Apr 21,
2014 at 4:46 PM, Adam Lawson <<a
moz-do-not-send="true"
href="mailto:alawson@aqorn.com"
target="_blank">alawson@aqorn.com</a>>
wrote:</p>
<blockquote
style="border:none;border-left:solid
#cccccc 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">My initial
concern is specific to Swift and
gaining global access to all data
by virtue of having access to a
single proxy node. It seems more
than access to system resources
but a flaw in how data is
controlled (and passwords are
controlled).</p>
</div>
<div>
<div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On Mon,
Apr 21, 2014 at 4:41 PM,
Bryan D. Payne <<a
moz-do-not-send="true"
href="mailto:bdpayne@acm.org"
target="_blank">bdpayne@acm.org</a>>
wrote:</p>
<blockquote
style="border:none;border-left:solid
#cccccc 1.0pt;padding:0cm
0cm 0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">This would be a nice hardening step, but if
you have sudo on the box there's a lot of things you can do and see.
This is just the tip of the iceberg. For example, access to the backend
db? Access to traffic on the network / unix sockets / etc.? Access
to logs?</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I
am not aware of any
current efforts to
mask this information
from the config files.
But that doesn't mean
it's not happening.
If someone is aware
of such an effort, I'd
certainly be
interested in learning
more about it.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Cheers,</p>
</div>
<div>
<p class="MsoNormal">-bryan</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"> </p>
<div>
<div>
<div>
<p class="MsoNormal">On
Mon, Apr 21, 2014
at 4:26 PM, Adam
Lawson <<a
moz-do-not-send="true"
href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>>
wrote:</p>
</div>
</div>
<blockquote
style="border:none;border-left:solid
#cccccc
1.0pt;padding:0cm 0cm
0cm
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Have .conf files containing credentials and tokens
been addressed, or are they being addressed? Seems there are a lot of
keys to the kingdom clearly visible to staff who have access to systems
for day-to-day admin work but don't/shouldn't be able to view them. If
they have sudo access, they have everything they need to get where they
don't belong. Really strikes me as an obvious audit issue...</p>
<div>
<div>
</div>
</div>
</div>
<p
class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">_______________________________________________<br>
Openstack-security
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Openstack-security@lists.openstack.org" target="_blank">Openstack-security@lists.openstack.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a></p>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
</blockquote>
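<p>Added example (not part of the thread, and not Keystone's or mod_ssl's own code): a small Python function showing how a service sitting behind mod_ssl can derive the client identity from the SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables when REMOTE_USER is not populated, the situation the question above raises. It assumes the standard mod_ssl variable names (those exported with SSLOptions +StdEnvVars) and uses constructed WSGI environ dicts as input.</p>

```python
# Added example (not from the thread or from Keystone): derive the client
# principal from mod_ssl's environment when REMOTE_USER is not populated.
# Variable names are the standard mod_ssl ones (SSLOptions +StdEnvVars);
# the environ dicts below are constructed sample input, not captured traffic.

def cn_from_dn(dn):
    """Return the CN of a subject DN, or None. Accepts both mod_ssl formats:
    legacy slash-separated ("/C=US/O=Example/CN=nova") and RFC 2253
    ("CN=nova,O=Example,C=US"). Escaped separators inside values are not
    handled (assumption: plain CNs)."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None

def identify_client(environ):
    """Return the client principal for a WSGI request, or None.
    REMOTE_USER is honoured first because the server itself sets it (for
    example via mod_ssl's SSLUserName directive or another auth module).
    Otherwise SSL_CLIENT_* is used only when mod_ssl reports the chain as
    verified; a DN without SSL_CLIENT_VERIFY=SUCCESS is ignored."""
    user = environ.get("REMOTE_USER")
    if user:
        return user
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = environ.get("SSL_CLIENT_S_DN_CN")  # per-component variable, if exported
    if cn:
        return cn
    dn = environ.get("SSL_CLIENT_S_DN")
    return cn_from_dn(dn) if dn else None

if __name__ == "__main__":
    # Constructed sample environs (not real requests).
    samples = [
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=nova"},
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=glance,O=Example,C=US"},
        {"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_S_DN": "/CN=untrusted"},
        {"REMOTE_USER": "swift"},
    ]
    for env in samples:
        print(identify_client(env))
```

<p>When the server is configured with mod_ssl's SSLUserName directive, REMOTE_USER is filled from the chosen certificate field and only the first branch is exercised.</p>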
<br>
</body>
</html>