← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1899229] Re: Nova compute log can get the password info from the user_data

 

Also, the duplicate (bug 1899228) is still public anyway.

** Information type changed from Private Security to Public

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1899229

Title:
  Nova compute log can get the password info from the user_data

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Here is the log on /var/log/nova/nova-compute.log, we can see
  user_data='I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==',
  if you use python to do base64 decode, it will translate to '#cloud-
  config\nchpasswd:\n list: |\n root:12345678\n expire: False', we can
  see the root password is 12345678. Here is the method:

  >>>base64.b64decode("I2Nsb3VkLWNvbmZpZwpjaHBhc3N3ZDoKICBsaXN0OiB8CiAgICByb290OjEyMzQ1Njc4CiAgZXhwaXJlOiBGYWxzZQ==")
  b'#cloud-config\nchpasswd:\n  list: |\n    root:12345678\n  expire: False'

  Although the password is been encrypted but it is easy to decrypted.

  So, in order to avoid this, maybe we don't need to display the
  password info?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1899229/+subscriptions


References