[ https://issues.apache.org/jira/browse/GEODE-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15730051#comment-15730051 ]
Kevin Duling commented on GEODE-2119:
-------------------------------------

Also suppressing password within scripts such as {{gfsh run --file=startServer.gfsh}}

{code}
1. Executing - start server --name=srv-sec2 --locators=pdx2-office-dhcp9.eng.vmware.com[10334] --user=admin --password=******** --classpath=/Users/kduling/foo

.....
Server in /Users/kduling/tmp/srv-sec2 on pdx2-office-dhcp9.eng.vmware.com[40404] as srv-sec2 is currently online.
Process ID: 13259
Uptime: 2 seconds
GemFire Version: 1.1.0-SNAPSHOT
Java Version: 1.8.0_92
Log File: /Users/kduling/tmp/srv-sec2/srv-sec2.log
JVM Arguments: -Dgemfire.security-username=admin -Dgemfire.locators=pdx2-office-dhcp9.eng.vmware.com[10334] -Dgemfire.use-cluster-configuration=true -Dgemfire.security-password=******** -Dgemfire.start-dev-rest-api=false -XX:OnOutOfMemoryError=kill -KILL %p -Dgemfire.launcher.registerSignalHandlers=true -Djava.awt.headless=true -Dsun.rmi.dgc.server.gcInterval=9223372036854775806
Class-Path: /Users/kduling/Dev/pivotal/gemfire/open/geode-assembly/build/install/apache-geode/lib/geode-core-1.1.0-SNAPSHOT.jar:/Users/kduling/foo:/Users/kduling/Dev/pivotal/gemfire/open/geode-assembly/build/install/apache-geode/lib/geode-dependencies.jar
{code}

> gfsh user and password visible in clear text
> --------------------------------------------
>
>                 Key: GEODE-2119
>                 URL: https://issues.apache.org/jira/browse/GEODE-2119
>             Project: Geode
>          Issue Type: Bug
>          Components: gfsh
>            Reporter: Karen Smoler Miller
>            Assignee: Kevin Duling
>
> Both gfsh connect and gfsh start server allow the specification on the
> command line of a user name and a password for use as credentials in
> authentication. Clear text versions of the user name and password are then
> visible
> 1. if the user runs gfsh history
> 2. in historyfile, if the user runs gfsh history --file=historyfile
> 3. in the output of ps
>
> It would be worth a check to see if clear text versions of the user or
> password end up in any locator or server logs. I don't believe it does for
> gfsh connect, but it might for the start server case.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
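
The issue asks for a check of whether clear text passwords end up in locator or server logs. The following is an added example, not Geode code and not part of the original message: it scans text lines for the two option forms shown in the output above (`--password=` and `-Dgemfire.security-password=`) and reports any whose value is not a run of asterisks. The function names and the sample lines are assumptions made for illustration.

```python
import re

# Option forms taken from the gfsh output quoted in the message above.
# A value may be double-quoted, single-quoted, or a bare token.
PASSWORD_OPTION = re.compile(
    r"(?P<opt>--password|-Dgemfire\.security-password)="
    r"(?P<val>\"[^\"]*\"|'[^']*'|\S+)"
)
MASKED = re.compile(r"\*+")


def find_cleartext_passwords(lines):
    """Return (line_number, option) for each password option left unmasked."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in PASSWORD_OPTION.finditer(line):
            value = match.group("val").strip("\"'")
            if not MASKED.fullmatch(value):
                hits.append((number, match.group("opt")))
    return hits


def redact(line):
    """Replace every password value with a fixed-width mask (hides length too)."""
    return PASSWORD_OPTION.sub(lambda m: m.group("opt") + "=********", line)


# Constructed sample lines (not real Geode logs); the secret values are made up.
SAMPLE = [
    "1. Executing - start server --name=srv-sec2 --user=admin --password=********",
    "JVM Arguments: -Dgemfire.security-username=admin -Dgemfire.security-password=********",
    "start server --name=srv-sec2 --user=admin --password=example-secret",
    "JVM Arguments: -Dgemfire.security-password=example-secret -Djava.awt.headless=true",
    "connect --user=admin --password='two words'",
]

if __name__ == "__main__":
    for number, option in find_cleartext_passwords(SAMPLE):
        print(f"line {number}: cleartext value for {option}")
        print("  redacted:", redact(SAMPLE[number - 1]))
```

The same scan can be pointed at a server log or at a file written by `gfsh history --file=historyfile` by passing the open file object as `lines`.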