
#1759 OA_SOAP and ilo2_ribcl plugins require plain text passwords

3.4.0
closed-fixed
dr_mohan
5
2013-10-21
2012-09-04
Rick Lane
No

Both the OA_SOAP and ilo2_ribcl /etc/openhpi/openhpi.conf handlers require the customer to enter plain text passwords to allow these plugins to authenticate with the OA and iLO2 components, respectively. Telco customers (e.g., AT&T, Verizon) run security scans on the system that expose this and this becomes a major security violation.

Need a way to provide even simple encrypted passwords in the openhpi.conf handler section for these two plugins that can even use a hard-coded key.

1 Attachments

Discussion

  • Not that this addresses the issue, but have you considered setting the permissions on the files to be 400 with the owner being the user that runs openhpi? And this user could in turn be a nologin user.

    Sorry, as I said, does not address the issue at hand, but perhaps it would solve the security scan issue.

     
  • Rick Lane
    2012-09-04

    Yes, we have already set the permissions to 0400 (root read-only) hoping that that would have relieved the issue, but that does not satisfy the security issue. Multiple Telco customers still insist that there are no clear text passwords in any files, even ones owned exclusively by root.

     
  • dr_mohan
    2012-09-05

    • labels: 576602 --> 1085740
     
  • dr_mohan
    2012-09-05

    • labels: 1085740 --> OpenHPI Daemon
     
  • dr_mohan
    2012-09-25

    • assigned_to: nobody --> dr_mohan
     
  • dr_mohan
    2013-02-28

    The first version of the solution that was sent to the devel-list is attached. This will undergo changes to accommodate the feedback from others.

     
  • dr_mohan
    2013-04-03

    Enable encryption is optional
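
An added example, not part of the ticket or of OpenHPI's code: a small audit showing why the 0400 permissions discussed in this thread do not satisfy a scan, because the password keys still sit in plain text inside the handler blocks. The handler and key names in the constructed sample are assumptions modelled on the two plugins, and `audit_conf` and `demo` are hypothetical helpers.

```python
import os
import re
import stat
import tempfile

# Constructed sample; handler and key names are assumptions modelled on the
# two plugins named in the ticket, not copied from the page.
SAMPLE_CONF = '''\
handler libilo2_ribcl {
    ilo2_ribcl_password = "example-secret"
}
# handler liboa_soap {
#     OA_Password = "commented-out"
# }
handler liboa_soap {
    OA_User_Name = "hpi"
    OA_Password = "example-secret"
}
'''

HANDLER_RE = re.compile(r'^\s*handler\s+(\S+)\s*\{')
SECRET_RE = re.compile(r'^\s*(\w*passw\w*)\s*=\s*"([^"]*)"', re.IGNORECASE)

def audit_conf(path):
    """Return (mode_ok, findings); findings are (line_no, handler, key)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode_ok = (mode & 0o377) == 0       # nothing beyond owner-read (0400)
    findings, handler = [], None
    with open(path) as fh:
        for no, line in enumerate(fh, 1):
            if line.lstrip().startswith('#'):
                continue                 # skip commented-out examples
            m = HANDLER_RE.match(line)
            if m:
                handler = m.group(1)
            elif line.strip().startswith('}'):
                handler = None
            elif handler and (s := SECRET_RE.match(line)) and s.group(2):
                findings.append((no, handler, s.group(1)))  # never the value
    return mode_ok, findings

def demo():  # writes the constructed sample at mode 0400 and audits it
    with tempfile.NamedTemporaryFile('w', suffix='.conf', delete=False) as tmp:
        tmp.write(SAMPLE_CONF)
    try:
        os.chmod(tmp.name, 0o400)
        return audit_conf(tmp.name)
    finally:
        os.unlink(tmp.name)
```

On the sample, the mode check passes while both password keys are still reported, which is the situation the reporter describes.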

     