
Password for IPMI user showing up in plain text in the log files

Open Tbaugus44 opened this issue 1 year ago • 6 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Log Files
CLOUDSTACK VERSION
4.18.1
CONFIGURATION
OS / ENVIRONMENT

OS= Ubuntu 22.04, KVM, OOBM HPE ILO for HA enabled hosts

SUMMARY

We set up HA for our host and the OOBM IPMI user's password is displayed in plain text when you tail or open the /var/log/cloudstack/management/management-server.log

STEPS TO REPRODUCE

![image](https://github.com/apache/cloudstack/assets/148808916/498e073c-f3f6-474d-86b5-39e8404a449a)

We change the IP address and password for security purposes.

EXPECTED RESULTS
For the password to be encrypted in the log files.
Also, the IPMI user needs to be a full admin with privilege to change user accounts. Is that expected?
ACTUAL RESULTS
The password is visible in plain text

Tbaugus44 avatar Jan 17 '24 14:01 Tbaugus44

@Tbaugus44, can you add an example log? That will make it easier for anybody picking this up to find the source of the issue. Thanks.

DaanHoogland avatar Jan 18 '24 08:01 DaanHoogland

Good day, this log:

access.log:ip - - [25/Dec/2023:04:34:18 +0000] "GET /client/api/?username=Admin&password=password&address=ip_ipmi&port=623&driver=ipmitool&hostid=831942b3-21ce-4c37-8dd3-e143307e3550&command=configureOutOfBandManagement&response=json HTTP/1.0" 200 298 "https://cloud/client/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" 61

Also in management.log:

2023-12-25 10:34:53,061 DEBUG [o.a.c.u.p.ProcessRunner] (pool-1-thread-1:null) (logid:c0e97e5e) Preparing command [/usr/bin/ipmitool -I lanplus -R 1 -v -H ip_ipmi -p 623 -U Admin -P password chassis power status] to execute.

happyalexkg avatar Jan 18 '24 09:01 happyalexkg
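
The two leak patterns in the log lines above, as an added example that is not part of the original thread or of CloudStack's code: a Python scanner that flags and masks the `password=` query value and the `-P` argument of a logged ipmitool command. The sample lines are shortened copies of the ones posted; the function names and the mask string are assumptions.

```python
import re

MASK = "****"

# access.log form: the API call is a GET, so the secret sits in the query string.
QUERY_PASSWORD = re.compile(r'(?i)([?&]password=)([^&\s"]*)')

# management-server.log form: ProcessRunner logs the full ipmitool command line.
# Case-sensitive on purpose: -p is the port, -P is the password.
# Limitation: a password containing whitespace is only masked up to the first space.
IPMITOOL_PASSWORD = re.compile(r"(ipmitool\b[^\]\n]*?\s-P\s+)(\S+)")


def redact(line):
    """Return (masked_line, leaked); leaked is True if an unmasked secret was found."""
    found = []

    def mask(match):
        if match.group(2) != MASK:  # ignore values masked by an earlier run
            found.append(True)
        return match.group(1) + MASK

    for pattern in (QUERY_PASSWORD, IPMITOOL_PASSWORD):
        line = pattern.sub(mask, line)
    return line, bool(found)


def scan(lines):
    """Return [(line_number, masked_line)] for every line that exposed a password."""
    hits = []
    for number, line in enumerate(lines, 1):
        masked, leaked = redact(line)
        if leaked:
            hits.append((number, masked))
    return hits


# Sample input: shortened copies of the lines in the thread (values are the
# reporter's placeholders), plus one constructed line with no secret in it.
SAMPLE = [
    'ip - - [25/Dec/2023:04:34:18 +0000] "GET /client/api/?username=Admin&password=password'
    '&address=ip_ipmi&port=623&driver=ipmitool&command=configureOutOfBandManagement HTTP/1.0" 200 298',
    "2023-12-25 10:34:53,061 DEBUG [o.a.c.u.p.ProcessRunner] (pool-1-thread-1:null) Preparing command "
    "[/usr/bin/ipmitool -I lanplus -R 1 -v -H ip_ipmi -p 623 -U Admin -P password chassis power status] to execute.",
    "2023-12-25 10:34:54,000 INFO constructed line without a secret",
]

if __name__ == "__main__":
    for number, masked in scan(SAMPLE):
        print(f"line {number}: {masked}")
```
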

@DaanHoogland is there any update to this bug?

Tbaugus44 avatar Feb 13 '24 14:02 Tbaugus44

> @DaanHoogland is there any update to this bug?

no, nothing happened :|

DaanHoogland avatar Feb 13 '24 15:02 DaanHoogland

@DaanHoogland so does this mean we have to wait for a 4.19.1 release for this issue to be fixed? Or what are some next steps? I know we could encrypt the logs and have other third-party software do that for us. Is that the best solution for the time being?

Tbaugus44 avatar Feb 13 '24 18:02 Tbaugus44

@Tbaugus44 we have to first have a PR to be able to say it will be fixed in a version. For now the operator has to take care of things and yes, your solution seems feasible for now.

DaanHoogland avatar Feb 14 '24 09:02 DaanHoogland

fixed by #9126

DaanHoogland avatar Jun 04 '24 07:06 DaanHoogland