[jira] [Commented] (GEODE-2119) gfsh user and password visible in clear text

Wed, 07 Dec 2016 14:00:07 -0800 

    [ 
https://issues.apache.org/jira/browse/GEODE-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15730051#comment-15730051
 ] 

Kevin Duling commented on GEODE-2119:
-------------------------------------

Also suppressing password within scripts such as {{gfsh run 
--file=startServer.gfsh}}

{code}
1. Executing - start server --name=srv-sec2 
--locators=pdx2-office-dhcp9.eng.vmware.com[10334] --user=admin 
--password=******** --classpath=/Users/kduling/foo 

.....
Server in /Users/kduling/tmp/srv-sec2 on 
pdx2-office-dhcp9.eng.vmware.com[40404] as srv-sec2 is currently online.
Process ID: 13259
Uptime: 2 seconds
GemFire Version: 1.1.0-SNAPSHOT
Java Version: 1.8.0_92
Log File: /Users/kduling/tmp/srv-sec2/srv-sec2.log
JVM Arguments: -Dgemfire.security-username=admin 
-Dgemfire.locators=pdx2-office-dhcp9.eng.vmware.com[10334] 
-Dgemfire.use-cluster-configuration=true -Dgemfire.security-password=******** 
-Dgemfire.start-dev-rest-api=false -XX:OnOutOfMemoryError=kill -KILL %p 
-Dgemfire.launcher.registerSignalHandlers=true -Djava.awt.headless=true 
-Dsun.rmi.dgc.server.gcInterval=9223372036854775806
Class-Path: 
/Users/kduling/Dev/pivotal/gemfire/open/geode-assembly/build/install/apache-geode/lib/geode-core-1.1.0-SNAPSHOT.jar:/Users/kduling/foo:/Users/kduling/Dev/pivotal/gemfire/open/geode-assembly/build/install/apache-geode/lib/geode-dependencies.jar
{code}

> gfsh user and password visible in clear text
> --------------------------------------------
>
>                 Key: GEODE-2119
>                 URL: https://issues.apache.org/jira/browse/GEODE-2119
>             Project: Geode
>          Issue Type: Bug
>          Components: gfsh
>            Reporter: Karen Smoler Miller
>            Assignee: Kevin Duling
>
> Both gfsh connect and gfsh start server allow the specification on the 
> command line of a user name and a password for use as credentials in 
> authentication.  Clear text versions of the user name and password are then 
> visible
> 1. if the user runs gfsh history
> 2. in historyfile, if the user runs gfsh history --file=historyfile
> 3. in the output of ps
> It would be worth a check to see if clear text versions of the user or 
> password end up in any locator or server logs.  I don't believe it does for 
> gfsh connect, but it might for the start server case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to