Skip to content

Stop logging the plaintext password on a failed login#117

Merged
mgrossmann merged 1 commit into
mainfrom
issue-116-no-password-in-log
Jul 6, 2026
Merged

Stop logging the plaintext password on a failed login#117
mgrossmann merged 1 commit into
mainfrom
issue-116-no-password-in-log

Conversation

@mgrossmann

Copy link
Copy Markdown
Contributor

Fixes #116

Problem

cred_login() logged a failed racf_login() with the attempted password in plaintext to the operator console and SYSLOG:

RAKF0004 INVALID ATTEMPT TO ACCESS SYSTEM:  USER:NOSUCHUS~
cred_login: racf_login("NOSUCHUS", "WRONGPW") failed, rc=28

Two issues: it duplicates RAKF's own RAKF0004 audit message, and it leaks a plaintext credential (on a typo that is the real password; probing bots spam the log). This contradicts the package's posture of keeping the password Blowfish-encrypted at rest (#96/#97/#99).

Fix

Remove the wtof at credlin.c:71-72 (Option A). RAKF0004 provides the audit trail; the rc is still returned to the caller (resolve_credentialcred==NULL → 401). rc remains used by the later array_add path, so no unused-variable warning.

Scope / audit

Audited the rest of the credential package: this is the only active log that was duplicate/sensitive. The other credlin.c/credinit.c/credfrea.c messages are rare non-sensitive error diagnostics (kept), and the httpcred.c process_*() traces are already #if 0-disabled. The HTTPD007I/008I/008W login/logout audit lines log userid+IP only (no password) and are kept.

Verification

One-line deletion inside an existing if block; no logic change. clangd shows no new diagnostics; CI builds the credential package under the real cc370 -Werror.

cred_login() wrote an operator/SYSLOG message on a failed racf_login()
that included the attempted password in plaintext, e.g.

  cred_login: racf_login("NOSUCHUS", "WRONGPW") failed, rc=28

This duplicated RAKF's own RAKF0004 audit message and leaked a plaintext
credential to the console and SYSLOG -- on a mistyped login that is the
real password, and endpoint-probing bots spam the log with password-
bearing lines. It also contradicts the credential package's own posture
of keeping the password Blowfish-encrypted at rest and never handing it
back in the clear.

Remove the message entirely: RAKF0004 already provides the failure audit
trail and the rc is returned to the caller. The surrounding internal-
error diagnostics (cred_array()/credkey() NULL, cred_new()/array_add()
failed, array full) are unaffected -- they are rare and carry no
sensitive data.

Fixes #116
@mgrossmann
mgrossmann merged commit 18f6f54 into main Jul 6, 2026
1 check passed
@mgrossmann
mgrossmann deleted the issue-116-no-password-in-log branch July 6, 2026 10:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

cred_login() logs the plaintext password on a failed login (duplicate of RAKF0004)

1 participant