[ https://issues.apache.org/jira/browse/CLOUDSTACK-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534131#comment-13534131 ]
Chip Childers commented on CLOUDSTACK-505:
------------------------------------------

I see that now. Looks like we need to handle the request logging for addHost, as the queryAsyncJobResult responses for addHost, deployVirtualMachine and resetPasswordForVirtualMachine.

Ideally, it wouldn't be as coarse-grained as dropping the response from logging, but would instead strip the password=X and "password":"X" portions of the string.

> cloudstack logs the private key in plaintext
> --------------------------------------------
>
> Key: CLOUDSTACK-505
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-505
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: API
> Affects Versions: 4.0.0
> Reporter: Ahmad Emneina
> Assignee: Chip Childers
> Priority: Blocker
> Fix For: 4.0.1
>
>
> When creating my sshkeypair, they're logged in the api-server.log.
> 2012-11-16 04:16:44,387 INFO [cloud.api.ApiServer] (ApiServer-8:null) (userId=1 accountId=1 sessionId=null) /0:0:0:0:0:0:0:1 -- GET /client/api?command=createSSHKeyPair&name=testkeys2&response=json&domainid=1&zone=2&account=admin HTTP/1.0 200
> {
>   "createsshkeypairresponse": {
>     "keypair": {
>       "name": "testkeys2",
>       "fingerprint": "f2:0c:b1:d9:be:73:4f:a9:0a:c0:c8:59:17:e0:67:07",
>       "privatekey": "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDD8CUiTQL26bhcDDW1kg8QqY2Pzm9EkeNwcTtglZEYkfSV7IHI\nDO7kRvB8ca4uKOpQD+jIpz0+leTQAc2JwLPzIFfTpN/mn+vwMwBviTZjYUDePkw+\nuwe97KB4Xg+RM7m0f4sPUHe9IZPshebl8nFhFpp8bL1g/FcDalJs3GhyPwIDAQAB\nAoGBAL0czVp75f6Wul/tUPF8lZnJbF5+KpqODGz8fQjNkwuZ4+3IJcMF6JTfe0FB\nH5Jh3zWDBXSVJeGAHyY8dzsbiRHRoXb4HRXUfSdMVLAlXDmH+REcE/4OY+Sd+GU2\ncrIsq9E3R2Nhr7lujP6BOO4IEzSrKFQ531lLBolCNZ/YpHThAkEA4/N1BeuB7ihI\nlzfdikjEmg3BfDn+s7FlQz42x4iAOBRBcMeO0e7ma+UWD7LUER3tuADAY3D4C/xs\nAluSbEyHdwJBANwMRK4jsmsGFf5GjH/iyVApZx/U71OR8OJx48NSdWmCzEkMdCE+\nH5Lska7j8mfAfqbOYfYqR4gwOXXHGr8XrXkCQAF9GYqMWzDe+npiVwQMLZyD8nuJ\nNWye//ZMdbcf4RZ8q2C9LOWaFc8mk9pOZKwn8eF9v8PmfPg3Ec2CI5apeUkCQQDK\nEj4TyFY07/7MZc7qNcH26j54PduVW+TgngOxv4xw2xtsTZJrYJgwHSzfdRaK7nug\nBNBy9XqA9wAdRz0plL3JAkEAiyCuxFhz6F2NhMxDX9IczJPPiJ+v6qHGwSThiBv0\n9XgwpQqrFmBdqAZ3SDjsgXkG2gAqZRuddbq55ffGSFtkpg==\n-----END RSA PRIVATE KEY-----\n"
>     }
>   }
> }
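
The finer-grained scrubbing suggested in the comment above, as an added example (not CloudStack code and not part of the original message): a hypothetical `LogScrubber` class masks the values of `password=X` and `"password":"X"` while keeping the rest of the line for logging. Treating `privatekey` the same way, the class and method names, and the sample lines are assumptions made here.

```java
import java.util.regex.Pattern;

// Added example: hypothetical helper, not CloudStack code.
public class LogScrubber {
    // "password" comes from the comment; "privatekey" is the field in the
    // issue's log sample. Extending the list to it is an assumption.
    private static final String KEYS = "(?:password|privatekey)";

    // Query-string form: password=X, value ends at '&', whitespace or a quote.
    private static final Pattern QUERY =
        Pattern.compile("(?i)(" + KEYS + "=)[^&\\s\"]*");

    // JSON form: "password":"X". The value may contain escapes such as \" or \n;
    // the unrolled loop consumes them without stopping at an escaped quote.
    private static final Pattern JSON = Pattern.compile(
        "(?i)(\"" + KEYS + "\"\\s*:\\s*\")[^\"\\\\]*+(?:\\\\.[^\"\\\\]*+)*+(\")");

    /** Returns the line with sensitive values masked and everything else kept. */
    public static String scrub(String line) {
        if (line == null) {
            return null;
        }
        String out = QUERY.matcher(line).replaceAll("$1*****");
        return JSON.matcher(out).replaceAll("$1*****$2");
    }

    public static void main(String[] args) {
        // Constructed sample lines (not real CloudStack output).
        String[] samples = {
            "GET /client/api?command=addHost&username=root&password=s3cr3t&response=json",
            "{ \"virtualmachine\": { \"id\": \"42\", \"password\": \"aB\\\"9x\" } }",
            "{ \"keypair\": { \"name\": \"k1\", \"privatekey\": "
                + "\"-----BEGIN RSA PRIVATE KEY-----\\nCONSTRUCTED\\n-----END RSA PRIVATE KEY-----\\n\" } }"
        };
        for (String s : samples) {
            System.out.println(scrub(s));
        }
    }
}
```

Masking has to happen before the string reaches the logger, on both the request URL and the response body, since the issue shows the secret arriving in the response.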