[Openstack] Plaintext password in getCredential token

Shohel Ahmed shohel_csdu at yahoo.com
Wed Feb 5 10:50:05 UTC 2014


The current username/password authentication mechanism is not the best security practice. However, assuming there is a point-to-point secure channel, the risk of password exposure can be contained. In addition to that, one can always choose external authentication plugged into Keystone, e.g., your own middleware in the pipeline or Kerberos (not fully functional yet). Some hints are provided in the Keystone guidelines: 
http://docs.openstack.org/developer/keystone/external-auth.html
On Wednesday, February 5, 2014 12:25 PM, "Clark, Robert Graham" <robert.clark at hp.com> wrote:
 
On Wed Feb  5 08:34:34 2014, Rob Crittenden wrote:
> Emanuel Marzini wrote:
>> Hi,
>> I have a software that uses Openstack. When it does an action for the
>> first time, it needs to get a token from Openstack. How is it possible
>> to make a POST request like:
>>
>> curl -X POST -d '{"auth":{"passwordCredentials":{"username": "joeuser", "password":
>> "secrete"}}}' -H "Content-type: application/json"
>> http://localhost:35357/v2.0/tokens
>>
>> without passing the password in plaintext?
>>
>> Is it possible to use PKI, SSL and so on?
>
> The documentation on this is scant but you can start with something like
> http://docs.openstack.org/developer/keystone/configuration.html
>
> You'll need to create new endpoints for the SSL provider and set
> OS_SERVICE_ENDPOINT to the secure version.
>
> If you want to disable/remove the insecure ports things get rather
> interesting as you'll need to configure all the other services to use
> this as well. I don't know how well or if that actually works everywhere.
>
> rob
>

You might find some of the guidance from the OpenStack Security Guide 
useful too: 
http://docs.openstack.org/security-guide/content/ch024_authentication.html
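
Both replies come down to the same point: with v2.0 passwordCredentials the password travels in the JSON body, so the transport is the only thing protecting it. The following client is an added example written for this thread, not code from the thread or from the Keystone project. It builds exactly the request body quoted above, but refuses to send it to anything other than an https endpoint with a verified server certificate. The endpoint hostname, the CA file path and the `allow_plaintext` opt-in (for a loopback devstack test) are assumptions made for the example.

```python
"""Keystone v2.0 token request that will not put the password on a
plaintext channel.  Added example; endpoint, CA path and the
allow_plaintext opt-in are assumptions, not Keystone API."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureEndpointError(Exception):
    """Raised when a token request would send the password in plaintext."""


def build_token_body(username, password, tenant_name=None):
    """Return the v2.0 passwordCredentials body quoted in the thread."""
    auth = {"passwordCredentials": {"username": username,
                                    "password": password}}
    if tenant_name:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def check_endpoint(endpoint, allow_plaintext=False):
    """Return the parsed endpoint URL if credentials may be sent to it.

    Anything other than https is rejected unless the caller explicitly
    opts in; the opt-in exists only for loopback test setups (assumed
    use, e.g. a devstack on localhost), never for a real deployment.
    """
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" and not allow_plaintext:
        raise InsecureEndpointError(
            "refusing to send a password to %s: scheme %r is not https"
            % (endpoint, parsed.scheme))
    return parsed


def build_token_request(endpoint, username, password, tenant_name=None,
                        allow_plaintext=False):
    """Build the POST <endpoint>/tokens request (no network I/O here)."""
    check_endpoint(endpoint, allow_plaintext)
    url = endpoint.rstrip("/") + "/tokens"
    body = json.dumps(build_token_body(username, password,
                                       tenant_name)).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"})


def tls_context(cafile=None):
    """TLS context that verifies the server certificate and hostname.

    create_default_context() already enables CERT_REQUIRED and hostname
    checking; cafile points at the CA that signed the Keystone
    certificate (assumed path, e.g. an internal CA bundle).
    """
    return ssl.create_default_context(cafile=cafile)


def get_token(endpoint, username, password, tenant_name=None, cafile=None):
    """POST the credentials over verified TLS and return the token id."""
    req = build_token_request(endpoint, username, password, tenant_name)
    with urllib.request.urlopen(req, context=tls_context(cafile),
                                timeout=10) as resp:
        data = json.load(resp)
    return data["access"]["token"]["id"]


if __name__ == "__main__":
    # The plaintext endpoint from the thread is refused ...
    try:
        build_token_request("http://localhost:35357/v2.0",
                            "joeuser", "secrete")
    except InsecureEndpointError as exc:
        print("rejected:", exc)
    # ... while an https endpoint (assumed hostname) is accepted.
    req = build_token_request("https://keystone.example.org:35357/v2.0",
                              "joeuser", "secrete")
    print(req.get_method(), req.full_url)
```

Pointing `OS_SERVICE_ENDPOINT` at the https endpoint, as suggested above, is the deployment-side half of this; the check in `check_endpoint` is the client-side half that catches a stray `http://` URL before the password leaves the process.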



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack