#1759 OA_SOAP and ilo2_ribcl plugins require plain text passwords

3.4.0
closed-fixed
dr_mohan
5
2013-10-21
2012-09-04
Rick Lane
No

Both the OA_SOAP and ilo2_ribcl /etc/openhpi/openhpi.conf handlers require the customer to enter plain text passwords to allow these plugins to authenticate with the OA and iLO2 components, respectively. Telco customers (e.g., AT&T, Verizon) run security scans on the system that expose this and this becomes a major security violation.

Need a way to provide even simple encrypted passwords in the openhpi.conf handler section for these two plugins that can even use a hard-coded key.

1 Attachments

Discussion

  • Tim Crawford - Oracle

    Not that this addresses the issue, but have you considered setting the permissions on the files to be 400 with the owner being the user that runs openhpi? And this user could in turn be a nologin user.

    Sorry, as I said, does not address the issue at hand, but perhaps it would solve the security scan issue.

     
  • Rick Lane

    Rick Lane - 2012-09-04

    Yes, we have already set the permissions to 0400 (root read-only) hoping that that would have relieved the issue, but that does not satisfy the security issue. Multiple Telco customers still insist that there are no clear text passwords in any files, even ones owned exclusively by root.
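
Added example, not part of the ticket thread or of the OpenHPI code: a small audit of the handler file showing why mode 0400 clears the permission finding while the plain text password finding remains. The `handler name { key = "value" }` layout, `#` comment syntax, and the handler and key names in the constructed sample are assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed sample. Handler and key names are assumptions, not taken from the ticket.
SAMPLE_CONF = '''\
handler liboa_soap {
    OA_User_Name = "admin"
    OA_Password = "example-secret"
}
handler libilo2_ribcl {
    ilo2_ribcl_password = ""
}
# OA_Password = "commented-out"
'''

HANDLER_RE = re.compile(r'^\s*handler\s+(\S+)\s*\{')
# Any key whose name contains "password"/"passwd" with a non-empty quoted value.
SECRET_RE = re.compile(r'^\s*(\w*passw(?:or)?d\w*)\s*=\s*"([^"]+)"', re.I)

def audit_conf(path, expected_uid=0):
    """Return (kind, detail) findings; the secret value itself is never returned."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(("mode", f"{mode:04o} grants group/other access"))
    if st.st_uid != expected_uid:
        findings.append(("owner", f"uid {st.st_uid}, expected {expected_uid}"))
    handler = None
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            stripped = line.strip()
            if stripped.startswith("#"):
                continue  # assumed comment syntax
            m = HANDLER_RE.match(line)
            if m:
                handler = m.group(1)
            elif stripped.startswith("}"):
                handler = None
            elif handler and (s := SECRET_RE.match(line)):
                findings.append(("plaintext", f"{handler}:{s.group(1)} line {lineno}"))
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_CONF)
    os.chmod(tmp.name, 0o400)  # locked down, yet the plaintext finding remains
    print(audit_conf(tmp.name, expected_uid=os.getuid()))
    os.unlink(tmp.name)
```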

     
  • dr_mohan

    dr_mohan - 2012-09-05
    • labels: 576602 --> 1085740
     
  • dr_mohan

    dr_mohan - 2012-09-05
    • labels: 1085740 --> OpenHPI Daemon
     
  • dr_mohan

    dr_mohan - 2012-09-25
    • assigned_to: nobody --> dr_mohan
     
  • dr_mohan

    dr_mohan - 2013-02-28

    The first version of the solution that was sent to the devel-list is attached. This will undergo changes to accommodate the feedback from others.

     
  • Tariq Shureih

    Tariq Shureih - 2013-08-29

    *ATTENTION**
    This account is disabled and is no longer accessed by the recipient.
    Please remove it from your address book.

    Thanks

     
  • dr_mohan

    dr_mohan - 2013-08-29
    • Group: --> 2.13.3
     
  • dr_mohan

    dr_mohan - 2013-09-06
    • status: open --> closed-fixed
    • Group: 2.13.3 --> 3.3.x
     
  • dr_mohan

    dr_mohan - 2013-09-06

    Fixed with checkin #7556

     
  • dr_mohan

    dr_mohan - 2013-09-06

    Old bug ID for this bug is 3564813

     
  • dr_mohan

    dr_mohan - 2013-09-06

    Old bug ID for this bug(1759) is 3564813

     
  • dr_mohan

    dr_mohan - 2013-10-21
    • 3.4.0: 3.3.x --> 3.4.0
     
