[SERVER-11230] sslPEMKeyPassword is exposed through task manager on Windows
Created: 17/Oct/13  Updated: 10/Dec/14  Resolved: 18/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Luke Lovett
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Running on Windows 2008 Server R2,
MongoDB version (git hash): 1ea7e56cb2b8653d4b0453f04728033df34be9e1 (from 10/15)


Attachments: Screen Shot 2013-10-16 at 5.01.43 PM.png, ca_377.pem, client_password.pem
Issue Links:
Depends
Operating System: Windows
Steps To Reproduce:

1. Launch a mongod with a sslPEMKeyFile that requires a password. Provide the password through sslPEMKeyPassword.

mongod --sslMode sslOnly --sslPEMKeyFile libs/client_password.pem --sslCAFile libs/ca_377.pem --sslPEMKeyPassword "asdf" --dbpath data/db

2. Open the Task Manager. Show the command line by going to View --> Select Columns... and making sure "Command Line" is checked.
3. You can see the password exposed, as in the screenshot.

 Description   

The argument to sslPEMKeyPassword can be revealed through the task manager on Windows. See the screenshot.



 Comments   
Comment by Andy Schwerin [ 18/Oct/13 ]

This is just the nature of the Windows process manager.

Comment by Daniel Pasette (Inactive) [ 17/Oct/13 ]

I'm not sure we can avoid this currently if the user does not use the prompt.
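
One way to audit a host for the exposure in the steps to reproduce, as an added example that is not part of the original ticket or of MongoDB's code. The function name Find-ExposedKeyPassword, the regular expression and the sample process ids are assumptions made for illustration; the sample command lines are constructed from the command in the report.

```powershell
# Added example: flag processes whose command line carries a value for
# --sslPEMKeyPassword, and report them with the value redacted.
function Find-ExposedKeyPassword {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Proc   # any object with ProcessId and CommandLine properties
    )
    begin {
        # Matches "--sslPEMKeyPassword value", "--sslPEMKeyPassword=value"
        # and a double-quoted value. Group 1 is the option, group 2 the secret.
        # (?!--) avoids treating a following option as the password.
        $pattern = '(?i)(--sslPEMKeyPassword)(?:\s+|=)(?!--)("[^"]*"|\S+)'
    }
    process {
        $cmd = $Proc.CommandLine
        if ($cmd -and $cmd -match $pattern) {
            [pscustomobject]@{
                ProcessId   = $Proc.ProcessId
                # Never copy the secret into the audit output.
                CommandLine = $cmd -replace $pattern, '$1 <redacted>'
            }
        }
    }
}

# Constructed sample input (not captured from a real host).
$sample = @(
    [pscustomobject]@{
        ProcessId   = 4120
        CommandLine = 'mongod --sslMode sslOnly --sslPEMKeyFile libs/client_password.pem --sslCAFile libs/ca_377.pem --sslPEMKeyPassword "asdf" --dbpath data/db'
    },
    [pscustomobject]@{
        ProcessId   = 4388
        CommandLine = 'mongod --sslMode sslOnly --sslPEMKeyFile libs/client_password.pem --sslCAFile libs/ca_377.pem --dbpath data/db'
    }
)
$sample | Find-ExposedKeyPassword

# On a live Windows host, the same check over the command-line data that
# Task Manager displays:
# Get-CimInstance Win32_Process -Filter "Name = 'mongod.exe'" | Find-ExposedKeyPassword
```

Only the first sample process is reported, because the second starts mongod without the password argument.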
