You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geode.apache.org by Karen Miller <km...@apache.org> on 2016/11/15 19:08:37 UTC

gfsh start server with the --password option

When specifying user name and password to use as authentication credentials
with the gfsh start server command, the password is specified in the clear.
I've added a note in the documentation to point this out, but specifying a
password
in this way leads to further ways the clear text password can be seen.

- gfsh history will repeat back the command with the password shown
- any user on the box can see the clear text password with 'ps'
- (haven't checked if this happens) logs may have the clear text password

Is this an issue?  The history is for a particular user, so not so bad.
Logs can use file system permissions to reduce access.  But anyone with
access to the box can list the processes.

Karen

Re: gfsh start server with the --password option

Posted by Karen Miller <km...@pivotal.io>.

Done.  See https://issues.apache.org/jira/browse/GEODE-2119 for my attempt
at describing
the issue in a JIRA ticket.

On Wed, Nov 16, 2016 at 11:09 AM, Swapnil Bawaskar <sb...@pivotal.io>
wrote:

> Thanks for find these Karen, Can you please file a JIRA for this issue?
>
> On Tue, Nov 15, 2016 at 5:29 PM, Karen Miller <km...@pivotal.io> wrote:
>
> > Also, when doing a gfsh connect (not just start server) that specifies
> user
> > and password
> > on the command line, if a further command of
> >   gfsh history --file=historyfilename
> > is executed, the user and password are written in clear text to the
> history
> > file.
> >
> >
> > On Tue, Nov 15, 2016 at 12:31 PM, Jinmei Liao <ji...@pivotal.io> wrote:
> >
> > > I thought we had code that deals with redacting password in gfsh
> history,
> > > not sure why it's not in effect anymore.
> > >
> > > On Tue, Nov 15, 2016 at 2:27 PM, Swapnil Bawaskar <
> sbawaskar@pivotal.io>
> > > wrote:
> > >
> > > > When you want to connect to a secure system you can choose not to use
> > the
> > > > --password option at which point you will be prompted to enter a
> > > > username/password.
> > > > e.g:
> > > > gfsh>connect --locator=localhost[10334]
> > > > Connecting to Locator at [host=localhost, port=10334] ..
> > > > Connecting to Manager at [host=192.168.1.181, port=1099] ..
> > > > username: super-user
> > > > password: ****
> > > >
> > > >
> > > > On Tue, Nov 15, 2016 at 11:55 AM, Kirk Lund <kl...@apache.org>
> wrote:
> > > >
> > > > > There should be redaction in gfsh history. Maybe repeating the
> > command
> > > > is a
> > > > > case that wasn't fully covered? This is a bug we'll need to file
> and
> > > fix.
> > > > >
> > > > > Clear text in process string is probably not a bug. Users should
> > > > implement
> > > > > a callback to provide the password instead of providing it as a
> > system
> > > > > property unless they're ok with it showing in the process string.
> > This
> > > > may
> > > > > need more documentation?
> > > > >
> > > > > The logs should not contain the clear text password and this would
> > be a
> > > > bug
> > > > > if it does.
> > > > >
> > > > > -Kirk
> > > > >
> > > > >
> > > > > On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <kmiller@apache.org
> >
> > > > wrote:
> > > > >
> > > > > > When specifying user name and password to use as authentication
> > > > > credentials
> > > > > > with the gfsh start server command, the password is specified in
> > the
> > > > > clear.
> > > > > > I've added a note in the documentation to point this out, but
> > > > specifying
> > > > > a
> > > > > > password
> > > > > > in this way leads to further ways the clear text password can be
> > > seen.
> > > > > >
> > > > > > - gfsh history will repeat back the command with the password
> shown
> > > > > > - any user on the box can see the clear text password with 'ps'
> > > > > > - (haven't checked if this happens) logs may have the clear text
> > > > password
> > > > > >
> > > > > > Is this an issue?  The history is for a particular user, so not
> so
> > > bad.
> > > > > > Logs can use file system permissions to reduce access.  But
> anyone
> > > with
> > > > > > access to the box can list the processes.
> > > > > >
> > > > > > Karen
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Cheers
> > >
> > > Jinmei
> > >
> >
>

Re: gfsh start server with the --password option

Posted by Swapnil Bawaskar <sb...@pivotal.io>.

Thanks for find these Karen, Can you please file a JIRA for this issue?

On Tue, Nov 15, 2016 at 5:29 PM, Karen Miller <km...@pivotal.io> wrote:

> Also, when doing a gfsh connect (not just start server) that specifies user
> and password
> on the command line, if a further command of
>   gfsh history --file=historyfilename
> is executed, the user and password are written in clear text to the history
> file.
>
>
> On Tue, Nov 15, 2016 at 12:31 PM, Jinmei Liao <ji...@pivotal.io> wrote:
>
> > I thought we had code that deals with redacting password in gfsh history,
> > not sure why it's not in effect anymore.
> >
> > On Tue, Nov 15, 2016 at 2:27 PM, Swapnil Bawaskar <sb...@pivotal.io>
> > wrote:
> >
> > > When you want to connect to a secure system you can choose not to use
> the
> > > --password option at which point you will be prompted to enter a
> > > username/password.
> > > e.g:
> > > gfsh>connect --locator=localhost[10334]
> > > Connecting to Locator at [host=localhost, port=10334] ..
> > > Connecting to Manager at [host=192.168.1.181, port=1099] ..
> > > username: super-user
> > > password: ****
> > >
> > >
> > > On Tue, Nov 15, 2016 at 11:55 AM, Kirk Lund <kl...@apache.org> wrote:
> > >
> > > > There should be redaction in gfsh history. Maybe repeating the
> command
> > > is a
> > > > case that wasn't fully covered? This is a bug we'll need to file and
> > fix.
> > > >
> > > > Clear text in process string is probably not a bug. Users should
> > > implement
> > > > a callback to provide the password instead of providing it as a
> system
> > > > property unless they're ok with it showing in the process string.
> This
> > > may
> > > > need more documentation?
> > > >
> > > > The logs should not contain the clear text password and this would
> be a
> > > bug
> > > > if it does.
> > > >
> > > > -Kirk
> > > >
> > > >
> > > > On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <km...@apache.org>
> > > wrote:
> > > >
> > > > > When specifying user name and password to use as authentication
> > > > credentials
> > > > > with the gfsh start server command, the password is specified in
> the
> > > > clear.
> > > > > I've added a note in the documentation to point this out, but
> > > specifying
> > > > a
> > > > > password
> > > > > in this way leads to further ways the clear text password can be
> > seen.
> > > > >
> > > > > - gfsh history will repeat back the command with the password shown
> > > > > - any user on the box can see the clear text password with 'ps'
> > > > > - (haven't checked if this happens) logs may have the clear text
> > > password
> > > > >
> > > > > Is this an issue?  The history is for a particular user, so not so
> > bad.
> > > > > Logs can use file system permissions to reduce access.  But anyone
> > with
> > > > > access to the box can list the processes.
> > > > >
> > > > > Karen
> > > > >
> > > >
> > >
> >
> >
> >
> > --
> > Cheers
> >
> > Jinmei
> >
>

Re: gfsh start server with the --password option

Posted by Karen Miller <km...@pivotal.io>.

Also, when doing a gfsh connect (not just start server) that specifies user
and password
on the command line, if a further command of
  gfsh history --file=historyfilename
is executed, the user and password are written in clear text to the history
file.


On Tue, Nov 15, 2016 at 12:31 PM, Jinmei Liao <ji...@pivotal.io> wrote:

> I thought we had code that deals with redacting password in gfsh history,
> not sure why it's not in effect anymore.
>
> On Tue, Nov 15, 2016 at 2:27 PM, Swapnil Bawaskar <sb...@pivotal.io>
> wrote:
>
> > When you want to connect to a secure system you can choose not to use the
> > --password option at which point you will be prompted to enter a
> > username/password.
> > e.g:
> > gfsh>connect --locator=localhost[10334]
> > Connecting to Locator at [host=localhost, port=10334] ..
> > Connecting to Manager at [host=192.168.1.181, port=1099] ..
> > username: super-user
> > password: ****
> >
> >
> > On Tue, Nov 15, 2016 at 11:55 AM, Kirk Lund <kl...@apache.org> wrote:
> >
> > > There should be redaction in gfsh history. Maybe repeating the command
> > is a
> > > case that wasn't fully covered? This is a bug we'll need to file and
> fix.
> > >
> > > Clear text in process string is probably not a bug. Users should
> > implement
> > > a callback to provide the password instead of providing it as a system
> > > property unless they're ok with it showing in the process string. This
> > may
> > > need more documentation?
> > >
> > > The logs should not contain the clear text password and this would be a
> > bug
> > > if it does.
> > >
> > > -Kirk
> > >
> > >
> > > On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <km...@apache.org>
> > wrote:
> > >
> > > > When specifying user name and password to use as authentication
> > > credentials
> > > > with the gfsh start server command, the password is specified in the
> > > clear.
> > > > I've added a note in the documentation to point this out, but
> > specifying
> > > a
> > > > password
> > > > in this way leads to further ways the clear text password can be
> seen.
> > > >
> > > > - gfsh history will repeat back the command with the password shown
> > > > - any user on the box can see the clear text password with 'ps'
> > > > - (haven't checked if this happens) logs may have the clear text
> > password
> > > >
> > > > Is this an issue?  The history is for a particular user, so not so
> bad.
> > > > Logs can use file system permissions to reduce access.  But anyone
> with
> > > > access to the box can list the processes.
> > > >
> > > > Karen
> > > >
> > >
> >
>
>
>
> --
> Cheers
>
> Jinmei
>

Re: gfsh start server with the --password option

Posted by Jinmei Liao <ji...@pivotal.io>.

I thought we had code that deals with redacting password in gfsh history,
not sure why it's not in effect anymore.

On Tue, Nov 15, 2016 at 2:27 PM, Swapnil Bawaskar <sb...@pivotal.io>
wrote:

> When you want to connect to a secure system you can choose not to use the
> --password option at which point you will be prompted to enter a
> username/password.
> e.g:
> gfsh>connect --locator=localhost[10334]
> Connecting to Locator at [host=localhost, port=10334] ..
> Connecting to Manager at [host=192.168.1.181, port=1099] ..
> username: super-user
> password: ****
>
>
> On Tue, Nov 15, 2016 at 11:55 AM, Kirk Lund <kl...@apache.org> wrote:
>
> > There should be redaction in gfsh history. Maybe repeating the command
> is a
> > case that wasn't fully covered? This is a bug we'll need to file and fix.
> >
> > Clear text in process string is probably not a bug. Users should
> implement
> > a callback to provide the password instead of providing it as a system
> > property unless they're ok with it showing in the process string. This
> may
> > need more documentation?
> >
> > The logs should not contain the clear text password and this would be a
> bug
> > if it does.
> >
> > -Kirk
> >
> >
> > On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <km...@apache.org>
> wrote:
> >
> > > When specifying user name and password to use as authentication
> > credentials
> > > with the gfsh start server command, the password is specified in the
> > clear.
> > > I've added a note in the documentation to point this out, but
> specifying
> > a
> > > password
> > > in this way leads to further ways the clear text password can be seen.
> > >
> > > - gfsh history will repeat back the command with the password shown
> > > - any user on the box can see the clear text password with 'ps'
> > > - (haven't checked if this happens) logs may have the clear text
> password
> > >
> > > Is this an issue?  The history is for a particular user, so not so bad.
> > > Logs can use file system permissions to reduce access.  But anyone with
> > > access to the box can list the processes.
> > >
> > > Karen
> > >
> >
>



-- 
Cheers

Jinmei

Re: gfsh start server with the --password option

Posted by Swapnil Bawaskar <sb...@pivotal.io>.

When you want to connect to a secure system you can choose not to use the
--password option at which point you will be prompted to enter a
username/password.
e.g:
gfsh>connect --locator=localhost[10334]
Connecting to Locator at [host=localhost, port=10334] ..
Connecting to Manager at [host=192.168.1.181, port=1099] ..
username: super-user
password: ****


On Tue, Nov 15, 2016 at 11:55 AM, Kirk Lund <kl...@apache.org> wrote:

> There should be redaction in gfsh history. Maybe repeating the command is a
> case that wasn't fully covered? This is a bug we'll need to file and fix.
>
> Clear text in process string is probably not a bug. Users should implement
> a callback to provide the password instead of providing it as a system
> property unless they're ok with it showing in the process string. This may
> need more documentation?
>
> The logs should not contain the clear text password and this would be a bug
> if it does.
>
> -Kirk
>
>
> On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <km...@apache.org> wrote:
>
> > When specifying user name and password to use as authentication
> credentials
> > with the gfsh start server command, the password is specified in the
> clear.
> > I've added a note in the documentation to point this out, but specifying
> a
> > password
> > in this way leads to further ways the clear text password can be seen.
> >
> > - gfsh history will repeat back the command with the password shown
> > - any user on the box can see the clear text password with 'ps'
> > - (haven't checked if this happens) logs may have the clear text password
> >
> > Is this an issue?  The history is for a particular user, so not so bad.
> > Logs can use file system permissions to reduce access.  But anyone with
> > access to the box can list the processes.
> >
> > Karen
> >
>

Re: gfsh start server with the --password option

Posted by Kirk Lund <kl...@apache.org>.

There should be redaction in gfsh history. Maybe repeating the command is a
case that wasn't fully covered? This is a bug we'll need to file and fix.

Clear text in process string is probably not a bug. Users should implement
a callback to provide the password instead of providing it as a system
property unless they're ok with it showing in the process string. This may
need more documentation?

The logs should not contain the clear text password and this would be a bug
if it does.

-Kirk

On Tue, Nov 15, 2016 at 11:08 AM, Karen Miller <km...@apache.org> wrote:

> When specifying user name and password to use as authentication credentials
> with the gfsh start server command, the password is specified in the clear.
> I've added a note in the documentation to point this out, but specifying a
> password
> in this way leads to further ways the clear text password can be seen.
>
> - gfsh history will repeat back the command with the password shown
> - any user on the box can see the clear text password with 'ps'
> - (haven't checked if this happens) logs may have the clear text password
>
> Is this an issue?  The history is for a particular user, so not so bad.
> Logs can use file system permissions to reduce access.  But anyone with
> access to the box can list the processes.
>
> Karen
>