[ https://issues.apache.org/jira/browse/CLOUDSTACK-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13534338#comment-13534338 ]

Nitin Mehta commented on CLOUDSTACK-505:
----------------------------------------

Chip - Thanks for the corrective action. But isn't string search an expensive operation, and that too we are doing it for every async job, which gets called very often (for every async call to figure out the status of the async job)? This would hurt the performance. If at all we go down this path, we should have precompiled the regex for password as well, which is more optimal. Can you please do that?

Another way is to log the API server logs in debug and ship the product with the log4j configuration for this logger set to info. We leave the onus on the admin to turn the log4j config to debug to start seeing the logs and understand the security impediments.

> cloudstack logs the private key in plaintext
> --------------------------------------------
>
> Key: CLOUDSTACK-505
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-505
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: API
> Affects Versions: 4.0.0
> Reporter: Ahmad Emneina
> Assignee: Joe Brockmeier
> Priority: Blocker
> Fix For: 4.0.1
>
>
> When creating my sshkeypair, they're logged in the api-server.log.
> 2012-11-16 04:16:44,387 INFO [cloud.api.ApiServer] (ApiServer-8:null) (userId=1 accountId=1 sessionId=null) /0:0:0:0:0:0:0:1 -- GET /client/api?command=createSSHKeyPair&name=testkeys2&response=json&domainid=1&zone=2&account=admin HTTP/1.0 200
> {
>   "createsshkeypairresponse": {
>     "keypair": {
>       "name": "testkeys2",
>       "fingerprint": "f2:0c:b1:d9:be:73:4f:a9:0a:c0:c8:59:17:e0:67:07",
>       "privatekey": "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDD8CUiTQL26bhcDDW1kg8QqY2Pzm9EkeNwcTtglZEYkfSV7IHI\nDO7kRvB8ca4uKOpQD+jIpz0+leTQAc2JwLPzIFfTpN/mn+vwMwBviTZjYUDePkw+\nuwe97KB4Xg+RM7m0f4sPUHe9IZPshebl8nFhFpp8bL1g/FcDalJs3GhyPwIDAQAB\nAoGBAL0czVp75f6Wul/tUPF8lZnJbF5+KpqODGz8fQjNkwuZ4+3IJcMF6JTfe0FB\nH5Jh3zWDBXSVJeGAHyY8dzsbiRHRoXb4HRXUfSdMVLAlXDmH+REcE/4OY+Sd+GU2\ncrIsq9E3R2Nhr7lujP6BOO4IEzSrKFQ531lLBolCNZ/YpHThAkEA4/N1BeuB7ihI\nlzfdikjEmg3BfDn+s7FlQz42x4iAOBRBcMeO0e7ma+UWD7LUER3tuADAY3D4C/xs\nAluSbEyHdwJBANwMRK4jsmsGFf5GjH/iyVApZx/U71OR8OJx48NSdWmCzEkMdCE+\nH5Lska7j8mfAfqbOYfYqR4gwOXXHGr8XrXkCQAF9GYqMWzDe+npiVwQMLZyD8nuJ\nNWye//ZMdbcf4RZ8q2C9LOWaFc8mk9pOZKwn8eF9v8PmfPg3Ec2CI5apeUkCQQDK\nEj4TyFY07/7MZc7qNcH26j54PduVW+TgngOxv4xw2xtsTZJrYJgwHSzfdRaK7nug\nBNBy9XqA9wAdRz0plL3JAkEAiyCuxFhz6F2NhMxDX9IczJPPiJ+v6qHGwSThiBv0\n9XgwpQqrFmBdqAZ3SDjsgXkG2gAqZRuddbq55ffGSFtkpg==\n-----END RSA PRIVATE KEY-----\n"
>     }
>   }
> }
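
The precompiled-regex approach raised in the comment above, sketched as an added example that is not CloudStack's own code: the patterns are compiled once at class load, so each logged line pays only for the match. The class name `LogRedactor`, the mask string and the choice of field names (`privatekey`, `password`) are assumptions for illustration, and the sample inputs are constructed.

```java
import java.util.regex.Pattern;

/** Hypothetical helper (not a CloudStack class): masks secrets before a line is logged. */
public final class LogRedactor {
    // Compiled once; field names are assumptions based on the log sample in this issue.
    // JSON form: "privatekey": "<value>", where the value may contain escapes such as \n.
    private static final Pattern JSON_SECRET = Pattern.compile(
        "(\"(?:privatekey|password)\"\\s*:\\s*\")[^\"\\\\]*(?:\\\\.[^\"\\\\]*)*(\")",
        Pattern.CASE_INSENSITIVE);
    // Query-string form: ?password=<value> or &password=<value>.
    private static final Pattern QUERY_SECRET = Pattern.compile(
        "((?:^|[?&])(?:privatekey|password)=)[^&\\s]*",
        Pattern.CASE_INSENSITIVE);
    private static final String MASK = "****";

    private LogRedactor() { }

    /** Returns the line with secret values replaced by MASK; other text is unchanged. */
    public static String redact(String line) {
        if (line == null || line.isEmpty()) {
            return line;
        }
        String out = JSON_SECRET.matcher(line).replaceAll("$1" + MASK + "$2");
        return QUERY_SECRET.matcher(out).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed sample input; the key body is a placeholder, not real key material.
        String response = "{ \"createsshkeypairresponse\": { \"keypair\": { "
            + "\"name\": \"testkeys2\", \"privatekey\": \"-----BEGIN RSA PRIVATE KEY-----"
            + "\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----\\n\" } } }";
        String request = "GET /client/api?command=createUser&username=demo"
            + "&password=s3cret&response=json";
        System.out.println(redact(response)); // "privatekey": "****", name left intact
        System.out.println(redact(request));  // ...&password=****&response=json
    }
}
```

Masking at the point where the line is built keeps the secret out of the log at every level, whereas the debug/info alternative only hides it until an administrator raises the logger's level.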