[OSSA-2013-013] Updating password via keystoneclient CLI should be done securely (CVE-2013-2013)

adapaka - how are you doing on resolving this bug? Since you assigned it to yourself, I'm assuming you're trying to do that. If not, I'll move it back to unassigned.

Related blueprint https://blueprints.launchpad.net/keystone/+spec/prompt-for-password

Fix proposed to branch: master
Review: https://review.openstack.org/12669

For the record, posted a patch for review.
For backward compatibility and support automated environment, retained current functionality. That said, with the new patch, user can either specify new password in command line, or enter using the prompt.

Assigned a CVE for this as per http://openwall.com/lists/oss-security/2013/04/26/6

While auditing OpenStack bugs for flaws needing CVE's I came across
this (as of yet unfixed) one:

https://bugs.launchpad.net/python-keystoneclient/+bug/938315

[root@...s ~]# keystone user-password-update --user=jake
usage: keystone user-password-update --pass <password> <user-id>
keystone user-password-update: error: too few arguments

This class of vuln typically gets a CVE.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=command+line+password

CVE text:

OpenStack keystone places a username and password on the command line,
which allows local users to obtain credentials by listing the process.

Please use CVE-2013-2013 for this issue.

Could make sense to release a security advisory for this one when fixed. That would be our first for a client library/CLI...

@Bhuvan: care to revive your proposed patch ?

Looks like we'll have to find someone else to revive that patch.

If no one else is working on this, I can take a look. Do we have to revive the old patch or, can i come up with some thing different.

@Pradeep: you can definitely come up with something different. reading from the original proposal it wasn't exactly perfect or approved yet.

Thanks! I'll get started on this.

Fix proposed to branch: master
Review: https://review.openstack.org/28686

Fix proposed to branch: master
Review: https://review.openstack.org/28702

Reviewed: https://review.openstack.org/28702
Committed: http://github.com/openstack/python-keystoneclient/commit/f2e0818bc97bfbeba83f6abbb07909a8debcad77
Submitter: Jenkins
Branch: master

commit f2e0818bc97bfbeba83f6abbb07909a8debcad77
Author: Pradeep Kilambi <email address hidden>
Date: Thu May 9 09:29:02 2013 -0700

    Allow secure user password update.

    This patch allows the ability for user password to be updated via
    a command prompt so the password doesnt show up in the bash history.
    The prompted password is asked twice to verify the match.
    If user cntl-D's the prompt a message appears suggesting user to use
    either of the options to update the password.

    Fixes: bug#938315

    Change-Id: I4271ae569b922f33c34f9b015a7ee6f760414e39

Proposed impact description...

    Title: Keystone client local information disclosure
    Reporter: Jake Dahn (Nebula)
    Products: python-keystoneclient
    Affects: All versions

    Description:
    Jake Dahn from Nebula reported a vulnerability that the keystone
    client only allows passwords to be updated in a clear text
    command-line argument, which may enable other local users to obtain
    sensitive information by listing the process and potentially leaves
    a record of the password within the shell command history.

+1 to impact desc

+1, description sounds good to me, too

OSSA-2013-013.
Still needs to be pushed to openstack-announce.