Stop logging the plaintext password on a failed login#117
Merged
Conversation
cred_login() wrote an operator/SYSLOG message on a failed racf_login()
that included the attempted password in plaintext, e.g.
cred_login: racf_login("NOSUCHUS", "WRONGPW") failed, rc=28
This duplicated RAKF's own RAKF0004 audit message and leaked a plaintext
credential to the console and SYSLOG -- on a mistyped login that is the
real password, and endpoint-probing bots spam the log with password-
bearing lines. It also contradicts the credential package's own posture
of keeping the password Blowfish-encrypted at rest and never handing it
back in the clear.
Remove the message entirely: RAKF0004 already provides the failure audit
trail and the rc is returned to the caller. The surrounding internal-
error diagnostics (cred_array()/credkey() NULL, cred_new()/array_add()
failed, array full) are unaffected -- they are rare and carry no
sensitive data.
Fixes #116
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #116
Problem
cred_login()logged a failedracf_login()with the attempted password in plaintext to the operator console and SYSLOG:Two issues: it duplicates RAKF's own
RAKF0004audit message, and it leaks a plaintext credential (on a typo that is the real password; probing bots spam the log). This contradicts the package's posture of keeping the password Blowfish-encrypted at rest (#96/#97/#99).Fix
Remove the
wtofatcredlin.c:71-72(Option A).RAKF0004provides the audit trail; thercis still returned to the caller (resolve_credential→cred==NULL→ 401).rcremains used by the laterarray_addpath, so no unused-variable warning.Scope / audit
Audited the rest of the credential package: this is the only active log that was duplicate/sensitive. The other
credlin.c/credinit.c/credfrea.cmessages are rare non-sensitive error diagnostics (kept), and thehttpcred.cprocess_*()traces are already#if 0-disabled. TheHTTPD007I/008I/008Wlogin/logout audit lines log userid+IP only (no password) and are kept.Verification
One-line deletion inside an existing
ifblock; no logic change. clangd shows no new diagnostics; CI builds the credential package under the real cc370-Werror.