Comments (6)
@sean-horn thanks for the report. The /authenticate_user endpoint in Chef 11 (from the opscode-account service) had 2 levels of password log filtering:
- Filtered from the general Merb request logging
- Explicitly filtered from the stacktrace and exception reporting
This report shows that in Erlang, because of the specific function call that is failing, the password is showing up in the logged exception.
I'd like to:
- Understand what is unique about this install / request that is causing login to fail. There is unexpected input here that is causing the Erlang process to crash
- Add functionality that hopefully prevents us from logging this information in the future
from chef-server.
@sdelano I don't know that my configuration is unique. I have the chef-server-core rpm package installed on RHEL 6.6.
I also configured chef to use LDAP authentication:
ldap['base_dn']='cn=users,cn=accounts,dc=compute,dc=internal'
ldap['host']='idm.us-west-2.compute.internal'
ldap['tls_enabled']=true
ldap['login_attribute']='uid'
ldap['bind_dn']='uid=chef-server,cn=sysaccounts,cn=etc,dc=compute,dc=internal'
ldap['bind_password']='xxxxxx'
nginx['ssl_certificate']='/etc/pki/tls/certs/chef-server.crt'
nginx['ssl_certificate_key']='/etc/pki/tls/certs/chef-server.key'
That's all the custom stuff I have. I run chef-manage on the same box as the chef-server-core-12 package.
I also have this strange issue that may be related to this. For some reason the first user in the system fails to log in on the first login screen. It then presents:
Welcome! It looks like this is the first time you have logged into Chef using your AD/LDAP login. You may now link your account to proceed.
Link an Existing Chef Account
The user [myusername] is in use (probably by you).
This, of course, is not the first time I have logged in. It is the user that I used to initialize the first organization in the system via chef-manage. Then I type my password for the second time. This is when my password is logged to the log file.
It then presents:
500
Smell something burning?
Sorry we have a small fire in the kitchen.
An unexpected error has occurred. Our staff are manning the fire extinguishers and have been alerted.
I click on the chef manage logo and I am now logged in and everything functions normally.
The second user I create doesn't have this issue. I have destroyed and recreated the chef server multiple times, but this always happens.
I install by booting up a clean RHEL6.6 image.
I install the chef-server-core rpm.
I edit /etc/chef-server.rb file and add my LDAP config.
Then I do:
# chef-server-ctl reconfigure
# chef-server-ctl install opscode-manage
# opscode-manage-ctl reconfigure
# chef-server-ctl reconfigure
I then try to log in to chef manage. I create my new organization and everything looks good. I log out and I now have the account link issue each time I log in.
from chef-server.
I believed the code path that led to this error was fixed with #119. That fix should ship in the next Chef Server release.
from chef-server.
A way to do this would be to keep the cleartext password around for the minimal amount of time possible and convert to the bcrypt version as soon as possible and pass that around through the request.
from chef-server.
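The two filtering levels described in the first comment (request-log filtering and exception/stacktrace filtering) and the hash-early proposal in the comment just above, as an added Ruby example that is not code from chef-server, opscode-account or any commenter: a Secret wrapper that redacts itself wherever it is stringified, a parameter filter for request logging, an exception scrubber for the second level, and an early digest step so only the digest travels through the rest of the request. The comment proposes bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library so it runs without the bcrypt gem. All names (Secret, filter_params, scrub_exception, derive_digest, handle_login, ldap_bind!), the SENSITIVE_KEYS list and the sample credentials are constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed example (not chef-server code): an opaque wrapper for a
# credential so that accidental stringification in request logs, JSON
# dumps or crash reports prints a placeholder instead of the cleartext.
class Secret
  FILTERED = '[FILTERED]'.freeze

  def initialize(value)
    @value = value.to_s.dup.freeze
  end

  # Only a deliberate unwrap yields the cleartext.
  def unwrap
    @value
  end

  def to_s; FILTERED; end
  def inspect; "#<Secret #{FILTERED}>"; end
  def to_json(*_args); FILTERED.to_json; end
end

# Level 1: filter sensitive parameters before request logging.
# SENSITIVE_KEYS is an assumed list; a real service would configure it.
SENSITIVE_KEYS = %w[password bind_password passwd].freeze

def filter_params(params)
  params.each_with_object({}) do |(k, v), out|
    out[k] = if SENSITIVE_KEYS.include?(k.to_s.downcase)
               Secret::FILTERED
             elsif v.is_a?(Hash)
               filter_params(v)
             else
               v
             end
  end
end

# Level 2: scrub exception text that may still carry the cleartext, e.g.
# when a failing library call interpolated its arguments into the message
# (the analogue of an Erlang crash report that prints function arguments).
def scrub_exception(error, secrets)
  msg = error.message.dup
  secrets.each do |s|
    msg = msg.gsub(s.unwrap, Secret::FILTERED) unless s.unwrap.empty?
  end
  { class: error.class.name, message: msg }
end

# Hash the cleartext as early as possible. The comment proposes bcrypt;
# PBKDF2-HMAC-SHA256 from Ruby's stdlib is a stand-in here (assumption).
def derive_digest(secret, salt = SecureRandom.random_bytes(16), iterations = 100_000)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(secret.unwrap, salt, iterations, 32,
                                      OpenSSL::Digest.new('SHA256'))
  { salt: salt.unpack1('H*'), iterations: iterations, digest: digest.unpack1('H*') }
end

# Constructed stand-in for a downstream call that fails and, like an Erlang
# function_clause error, echoes its arguments in the error message.
def ldap_bind!(username, cleartext)
  if username.include?(' ')
    raise ArgumentError, "bind failed for #{username.inspect} with #{cleartext.inspect}"
  end
  true
end

# Returns the log records one login request would emit. The cleartext is
# wrapped immediately and unwrapped only for the bind call itself.
def handle_login(params)
  password = Secret.new(params.fetch('password'))
  records = [{ event: 'request', params: filter_params(params) }]
  begin
    ldap_bind!(params.fetch('username'), password.unwrap)
    records << { event: 'ok', credential: derive_digest(password) }
  rescue StandardError => e
    records << { event: 'error' }.merge(scrub_exception(e, [password]))
  end
  records
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request that trips the failing call.
  puts JSON.pretty_generate(handle_login('username' => 'bad user', 'password' => 'hunter2'))
end
```

The wrapper type is the primary control: it makes accidental logging print a placeholder without anyone remembering to filter. The string-match scrubber is only a last line of defence for libraries that copy their arguments into error text, which is exactly the path this issue reports.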
Executed the chef-server-ctl cleanup command to resolve this issue as part of the post-installation.
from chef-server.
I believe this bug was fixed in 12.9.0+ (commit a5b9716). It may be the case that other paths also log passwords. If you see any such cases, please open a bug with an example so we can track it down.
from chef-server.