
Clear text passwords in syslog #413

Open
richardkenyan opened this issue Nov 20, 2024 · 4 comments

Comments

@richardkenyan

I think I found an unexpected security issue. I was troubleshooting using a [email protected] account not authenticating. I opened up /var/log and did a cat on syslog to see if there were any errors relating to "wrong username/password or no answer at TCP:443."

In the process of reading through syslog, I discovered the SexiGraf vSphere Credential Store user passwords are in clear text.

I can log into my vCenters with my Read Only accounts without an issue, but I can't get SexiGraf to connect.

See screenshot of log.

This isn't a cert issue either. 1 vCenter has proper internal certs, 1 vCenter has default local cert, SexiGraf has local default cert and is new without any changes. v0.99k and vCenters 7.0u3.

[Screenshot attached: syslog excerpt]

@richardkenyan (Author)

richardkenyan commented Nov 21, 2024

As an update, this seems to only happen when the password is not accepted and/or is incorrect. I ended up fixing my original issue of "wrong username/password or no answer at TCP:443" by adjusting my password complexity characteristics. Once SexiGraf was able to connect, the above error message(s) and syslog entry were no longer generated.

Either way, any password should not be visible in a syslog. As in this case, a mistyped username could result in a correct password leak.

@rschitz (Member)

rschitz commented Nov 21, 2024

Hi Richard and thank you for your support. Nice catch this one :)
I'll definitely prevent this function from being logged!

rschitz added a commit that referenced this issue Nov 21, 2024
@rschitz (Member)

rschitz commented Nov 21, 2024

@richardkenyan can you confirm by swapping "verbose" to "error" in /opt/microsoft/powershell/7-lts/powershell.config.json that you don't see the password in syslog, please?
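The setting rschitz refers to, shown as an added example that is not part of this thread and not SexiGraf's or the maintainer's code: on Linux, pwsh forwards its log streams to syslog according to the "LogLevel" key in powershell.config.json, so capping the level at Error keeps Write-Verbose output (and anything interpolated into it) out of /var/log/syslog. The script assumes, as the maintainer's suggestion implies, that the line carrying the vCenter password is emitted at Verbose level. The two JSON samples are constructed; the keys LogIdentity, LogLevel, LogChannels and LogKeywords are the ones PowerShell documents for its non-Windows logging, the values are illustrative. The function names (weak_config, fixed_config, log_level, level_is_safe, set_log_level) are this example's own.

```shell
#!/bin/sh
# Added example, not SexiGraf or maintainer code: inspect and lower the
# "LogLevel" that PowerShell on Linux applies when forwarding to syslog,
# as configured in /opt/microsoft/powershell/7-lts/powershell.config.json.
# Assumption (implied by the maintainer's suggestion): the password-bearing
# line is written at Verbose level, so a cap of Error suppresses it.
set -eu

# Constructed sample contents (documented keys, illustrative values).
weak_config() {
  cat <<'EOF'
{
  "LogIdentity": "powershell",
  "LogLevel": "Verbose",
  "LogChannels": "Operational",
  "LogKeywords": "ConsoleStartup,Pipeline,Protocol,Runspace,Cmdlets"
}
EOF
}

fixed_config() {
  cat <<'EOF'
{
  "LogIdentity": "powershell",
  "LogLevel": "Error",
  "LogChannels": "Operational",
  "LogKeywords": "ConsoleStartup,Pipeline,Protocol,Runspace,Cmdlets"
}
EOF
}

# Print the LogLevel value of the JSON read on stdin (empty if the key is absent).
log_level() {
  sed -n 's/.*"LogLevel"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed when the level keeps the Verbose and Debug streams out of syslog.
# An absent key falls back to PowerShell's default (Informational), which is
# already above Verbose, so only an explicit verbose/debug is flagged.
level_is_safe() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    verbose|debug) return 1 ;;
    *) return 0 ;;
  esac
}

# Rewrite the LogLevel in a config file: set_log_level <file> <level>.
# Goes through a temporary file instead of sed -i so GNU and BSD sed behave alike.
set_log_level() {
  sed "s/\(\"LogLevel\"[[:space:]]*:[[:space:]]*\)\"[^\"]*\"/\1\"$2\"/" "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}

# Demonstrate on the constructed samples, then on a copy of the weak one.
for mk in weak_config fixed_config; do
  lvl=$("$mk" | log_level)
  if level_is_safe "$lvl"; then
    echo "$mk: LogLevel=$lvl, Verbose output stays out of syslog"
  else
    echo "$mk: LogLevel=$lvl, Write-Verbose text (password included) reaches syslog"
  fi
done

work=$(mktemp)
weak_config > "$work"
set_log_level "$work" Error
echo "after set_log_level: LogLevel=$(log_level < "$work")"
rm -f "$work"
```

On the appliance, `grep -n LogLevel /opt/microsoft/powershell/7-lts/powershell.config.json` shows the current cap, and pwsh reads the file at startup, so any long-running PowerShell process has to be restarted before the change takes effect. Lowering the level is a mitigation, not the fix: the durable fix is to never interpolate the credential into a log message at all, which is what the maintainer's commit above is for. Syslog and its rotated copies that were written while the level was verbose still contain the password, so they need to be purged and the affected vCenter account's password rotated.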

@richardkenyan (Author)

Sorry for the delay here, I never saw I had a message. GitHub is not my day-to-day thing =)
I'll check out your request when I have a chance.
