[SERVER-5468] sslPEMKeyPassword Should not be visible in logs and similar Created: 01/Apr/12  Updated: 11/Jul/16  Resolved: 06/Jun/12

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: 2.0.4, 2.1.0
Fix Version/s: 2.1.2

Type: Improvement Priority: Minor - P4
Reporter: Adam Comerford Assignee: Matt Dannenberg
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: SSL Enabled Build

Participants:
Description

Currently, the sslPEMKeyPassword is visible as plain text. While this is not a direct compromise of the key, it goes against best practices for exposure of passwords in logs and non-privileged commands.



Comments
Comment by auto [ 06/Jun/12 ]

Author: Matt Dannenberg (login: dannenberg, email: dannenberg.matt@gmail.com)

Message: SERVER-5468 --sslPEMKEYPassword is no longer visible in logs and similar

Signed-off-by: Spencer T Brody <spencer@10gen.com>
Branch: master
https://github.com/mongodb/mongo/commit/35555727b51aadfb1fc2ce7ec741eac742ee1b17

Comment by Adam Comerford [ 01/Apr/12 ]

The sslPEMKeyPassword is available in plain text in several places. For example, in the output of db.runCommand({"getCmdLineOpts" : 1}) you can see that the password is printed twice:

{
        "argv": [
            "/home/adam/git/mongo/mongod",
            "--port",
            "27019",
            "--dbpath",
            "/data/db/replset/rs_2",
            "--replSet",
            "ssltest/vs-asylum:27017,vs-asylum:27018",
            "--rest",
            "--sslOnNormalPorts",
            "--sslPEMKeyFile",
            "/home/adam/test.pem",
            "--sslPEMKeyPassword",
            "mongo",
            "--oplogSize",
            "100"
        ],
        "ok": 1,
        "parsed": {
            "dbpath": "/data/db/replset/rs_2",
            "oplogSize": 100,
            "port": 27019,
            "replSet": "ssltest/vs-asylum:27017,vs-asylum:27018",
            "rest": true,
            "sslOnNormalPorts": true,
            "sslPEMKeyFile": "/home/adam/test.pem",
            "sslPEMKeyPassword": "mongo"
        }
}

Generated at Thu Feb 08 03:08:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.