Erchef dumps LDAP password #156

Closed
Roviluca opened this issue Apr 29, 2015 · 6 comments

@Roviluca

Hello,

I have upgraded our standalone chef server 12.0.2 to 12.0.8 along with opscode-manage in order to fix bug #66. After the upgrade, we were still getting the 500 error for the existing users; while troubleshooting the problem we found out that the password was dumped into the logs.
Below I pasted the logs (I removed the passwords).

==> /var/log/opscode/opscode-erchef/crash.log <==
2015-04-29 16:23:38 =ERROR REPORT====
{<<"method=POST; path=/authenticate_user; status=500; ">>,{error,{error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<"PASSWORD_REMOVED_BY_ME">>,"--"]],[]},{crypto,hash,2,[{file,"crypto.erl"},{line,228}]},{chef_password,sha1,3,[{file,"src/chef_password.erl"},{line,104}]},{chef_password,verify,2,[{file,"src/chef_password.erl"},{line,92}]},{oc_chef_wm_authenticate_user,verify_user,5,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,99}]},{oc_chef_wm_authenticate_user,process_post,2,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,87}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_resource.erl"},{line,186}]},{webmachine_resource,do,3,[{file,"src/webmachine_resource.erl"},{line,142}]}]}}}

==> /var/log/opscode/opscode-erchef/erchef.log <==
2015-04-29 16:23:38.754 [error] {<<"method=POST; path=/authenticate_user; status=500; ">>,{error,{error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<"PASSWORD_REMOVED_BY_ME">>,"--"]],[]},{crypto,hash,2,[{file,"crypto.erl"},{line,228}]},{chef_password,sha1,3,[{file,"src/chef_password.erl"},{line,104}]},{chef_password,verify,2,[{file,"src/chef_password.erl"},{line,92}]},{oc_chef_wm_authenticate_user,verify_user,5,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,99}]},{oc_chef_wm_authenticate_user,process_post,2,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,87}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_resource.erl"},{line,186}]},{webmachine_resource,do,3,[{file,"src/webmachine_resource.erl"},{line,142}]}]}}}

==> /var/log/opscode/nginx/access.log <==
127.0.0.1 - - [29/Apr/2015:16:23:38 +0200]  "POST /authenticate_user HTTP/1.1" 500 "0.025" 36 "-" "Chef Manage/11.16.2 (ruby-2.1.5-p273; ohai-7.4.0; x86_64-linux; +http://opscode.com)" "127.0.0.1:8000" "500" "0.020" "11.16.2" "algorithm=sha1;version=1.0;" "pivotal" "2015-04-29T14:23:38Z" "REMOVED_BY_ME" 1130

==> /var/log/opscode/opscode-erchef/current <==
2015-04-29_14:23:38.76315 [error] {<<"method=POST; path=/authenticate_user; status=500; ">>,{error,{error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<"PASSWORD_REMOVED_BY_ME">>,"--"]],[]},{crypto,hash,2,[{file,"crypto.erl"},{line,228}]},{chef_password,sha1,3,[{file,"src/chef_password.erl"},{line,104}]},{chef_password,verify,2,[{file,"src/chef_password.erl"},{line,92}]},{oc_chef_wm_authenticate_user,verify_user,5,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,99}]},{oc_chef_wm_authenticate_user,process_post,2,[{file,"src/oc_chef_wm_authenticate_user.erl"},{line,87}]},{webmachine_resource,resource_call,3,[{file,"src/webmachine_resource.erl"},{line,186}]},{webmachine_resource,do,3,[{file,"src/webmachine_resource.erl"},{line,142}]}]}}}
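
The stack frame in the logs above prints the arguments of the failing `iolist_to_binary` call, and the submitted password is one of them. The following is an added example, not part of the original issue and not erchef code: a Ruby scrubber that finds that frame in erchef log text and redacts the password binary. The sample lines are constructed, and covering a binary first element and the byte-list form of an Erlang binary goes slightly beyond the single case shown on the page.

```ruby
# Added example, not erchef code. Sample lines are constructed.

# The frame that carries the secret, as printed in the issue:
#   {erlang,iolist_to_binary,[[null,"--",<<"SECRET">>,"--"]],[]}
# Erlang prints a binary as <<"text">> (inner quotes escaped as \") or,
# for non-printable bytes, as <<1,2,3>>; both forms are matched.
LEAK_FRAME = /
  (\{erlang,iolist_to_binary,\[\[(?:null|<<[^>]*>>),"--",)
  <<(?:"(?:[^"\\]|\\.)*"|\d+(?:,\d+)*)>>
  (,"--"\]\])
/x
PLACEHOLDER = '<<"[REDACTED]">>'

# Returns [line_with_secret_replaced, true_if_a_secret_was_found].
def redact_line(line)
  hit = false
  clean = line.gsub(LEAK_FRAME) do
    hit = true
    "#{$1}#{PLACEHOLDER}#{$2}"
  end
  [clean, hit]
end

# Scrubs a whole log and reports which 1-based line numbers leaked.
def scrub_log(text)
  leak_lines = []
  cleaned = text.each_line.with_index(1).map do |line, number|
    clean, hit = redact_line(line)
    leak_lines << number if hit
    clean
  end
  { text: cleaned.join, leak_lines: leak_lines }
end

# Constructed input modelled on the log lines in the issue (trace shortened).
SAMPLE = <<~'LOG'
  2015-04-29 16:23:38.754 [error] {<<"method=POST; path=/authenticate_user; status=500; ">>,{error,{error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<"constructed-pw">>,"--"]],[]},{crypto,hash,2,[]}]}}}
  2015-04-29 16:24:01.102 [error] {error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<"pa\"ss-constructed">>,"--"]],[]}]}
  2015-04-29 16:24:09.310 [error] {error,badarg,[{erlang,iolist_to_binary,[[null,"--",<<0,255,19>>,"--"]],[]}]}
  127.0.0.1 - - [29/Apr/2015:16:23:38 +0200]  "POST /authenticate_user HTTP/1.1" 500
LOG

if __FILE__ == $PROGRAM_NAME
  result = scrub_log(SAMPLE)
  puts result[:text]
  warn "secret-bearing lines: #{result[:leak_lines].inspect}"
end
```

Redacting the files on disk does not cover copies already shipped to a log aggregator or a backup, so the exposed LDAP password should also be changed.
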
@stevendanna
Contributor

@Roviluca Thanks for the bug report. Our support team (support@chef.io) should be able to help you fix up your existing users.

I'll take a look at whether there is a way we can suppress this info even in the case of a bad user record.

@Roviluca
Author

The problem that was affecting the chef server was that inside the user information there was a 'null' value in the external user account; we solved that by backing up all the users and looking at all parameters.
The solution, in the end, was:

  1. backup users (json)
  2. fix the field "external_authentication_uid" removing null and setting the correct one
  3. restore the users

@stevendanna
Contributor

@Roviluca Yup. Support would have taken you more or less through the same procedure. I believe that we fixed the bug that can put users in that state, but because we don't know what the external_authentication_uid is supposed to be, existing users are still affected. Glad you got it sorted out.

@jeremiahsnapp
Contributor

@stevendanna I'm running Chef Server 12.1.0 and erchef still logs the password when logging into a broken user account.

@stevendanna
Contributor

@jeremiahsnapp Correct, we haven't fixed the underlying problem with the LDAP password still being dumped in the case of broken accounts, which is why this bug is still open.

@marcparadise
Member

This is resolved with #900
