[openstack-dev] masking X-Auth-Token in debug output - proposed consistency

Robert Collins robertc at robertcollins.net
Fri Jun 13 07:52:40 UTC 2014


On 12 June 2014 23:59, Sean Dague <sean at dague.net> wrote:

> The only thing it makes harder is you have to generate your own token to
> run the curl command. The rest is there. Because everyone is running our
> servers at debug levels, it means the clients are going to be running
> debug level as well (yay python logging!), so this is something I don't
> think people realized was a huge issue.
>
>> Anyway I have sent a patch for swiftclient for this in :
>>
>> https://review.openstack.org/#/c/99632/1
>>
>> Personally I don't think I like much that SHA1 and i'd rather use the
>> first 16 bytes of the token (like we did in swift server)
>
> Using a well known hash means you can verify it was the right thing if
> you have access to the original data. Just taking the first 16 bytes
> doesn't give you that, so I think the hash provides slightly more
> debugability.

Would it be possible to salt it? e.g. make a 128bit salt and use that.
The same token used twice will log with the same salt, but you won't
have the rainbow table weakness.

The length of tokens isn't a particularly strong defense against
rainbow tables AIUI: if folk realise we have tokens exposed, they will
just use a botnet to build a table specifically targetting us.

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud



More information about the OpenStack-dev mailing list