Skip to content

HMAC Signatures and API Keys Logged in Plaintext Across Authentication Components #12006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
YLChen-007 wants to merge 4 commits into from
Closed

HMAC Signatures and API Keys Logged in Plaintext Across Authentication Components #12006

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f9a6394
remove log out sensitive information
YLChen-007 Nov 6, 2025
c18a163
sensitive information (passwords, database credentials, authenticatio…
YLChen-007 Nov 6, 2025
15b1cd8
Update engine/schema/src/main/java/com/cloud/upgrade/DatabaseCreator.…
YLChen-007 Nov 7, 2025
a98887b
Update core/src/main/java/com/cloud/storage/template/HttpTemplateDown…
YLChen-007 Nov 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -331,7 +331,7 @@ private void launchConsoleProxy(final byte[] ksBits, final String ksPassword, fi
final Object resource = this;
logger.info("Building class loader for com.cloud.consoleproxy.ConsoleProxy");
if (consoleProxyMain == null) {
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", "******");
Copy link
Contributor

@DaanHoogland DaanHoogland Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", "******");
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password=******");

consoleProxyMain = new Thread(new ManagedContextRunnable() {
@Override
protected void runInContext() {
Expand Down
2 changes: 1 addition & 1 deletion core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ private void checkCredentials(String user, String password) {
client.getParams().setAuthenticationPreemptive(true);
Credentials defaultcreds = new UsernamePasswordCredentials(user, password);
client.getState().setCredentials(new AuthScope(hostAndPort.first(), hostAndPort.second(), AuthScope.ANY_REALM), defaultcreds);
logger.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());
logger.info("Added username={}, password=****** for host {}:{}”, user, hostAndPort.first(), hostAndPort.second());
} else {
logger.info("No credentials configured for host=" + hostAndPort.first() + ":" + hostAndPort.second());
}
Expand Down
2 changes: 1 addition & 1 deletion engine/schema/src/main/java/com/cloud/upgrade/DatabaseCreator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ private static void initDB(String dbPropsFile, String rootPassword, String[] dat
String username = dbProperties.getProperty(String.format("db.%s.username", database));
String password = dbProperties.getProperty(String.format("db.%s.password", database));
String dbName = dbProperties.getProperty(String.format("db.%s.name", database));
System.out.println(String.format("========> Initializing database=%s with host=%s port=%s username=%s password=%s", dbName, host, port, username, password));
System.out.println(String.format("========> Initializing database=%s with host=%s port=%s username=%s password=******", dbName, host, port, username));

List<String> queries = new ArrayList<String>();
queries.add(String.format("drop database if exists `%s`", dbName));
Expand Down
4 changes: 2 additions & 2 deletions .../baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalDnsmasqResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,10 +46,10 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
com.trilead.ssh2.Connection sshConnection = null;
try {
super.configure(name, params);
logger.debug(String.format("Trying to connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s)", _ip, _username, _password));
logger.debug(String.format("Trying to connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s)", _ip, _username, "******"));
sshConnection = SSHCmdHelper.acquireAuthorizedConnection(_ip, _username, _password);
if (sshConnection == null) {
throw new ConfigurationException(String.format("Cannot connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

if (!SSHCmdHelper.sshExecuteCmd(sshConnection, "[ -f '/usr/sbin/dnsmasq' ]")) {
Expand Down
4 changes: 2 additions & 2 deletions ...metal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ private Answer execute(VmDataCommand cmd) {
sshConnection.connect(null, 60000, 60000);
if (!sshConnection.authenticateWithPassword(_username, _password)) {
logger.debug("SSH Failed to authenticate");
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

String script = String.format("python /usr/bin/baremetal_user_data.py '%s'", arg);
Expand Down Expand Up @@ -167,7 +167,7 @@ private Answer execute(PrepareKickstartPxeServerCommand cmd) {
sshConnection.connect(null, 60000, 60000);
if (!sshConnection.authenticateWithPassword(_username, _password)) {
logger.debug("SSH Failed to authenticate");
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

String copyTo = String.format("%s/%s", _tftpDir, cmd.getTemplateUuid());
Expand Down
6 changes: 3 additions & 3 deletions .../baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ protected PreparePxeServerAnswer execute(PreparePxeServerCommand cmd) {
sshConnection.connect(null, 60000, 60000);
if (!sshConnection.authenticateWithPassword(_username, _password)) {
logger.debug("SSH Failed to authenticate");
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

String script =
Expand Down Expand Up @@ -179,7 +179,7 @@ protected Answer execute(PrepareCreateTemplateCommand cmd) {
sshConnection.connect(null, 60000, 60000);
if (!sshConnection.authenticateWithPassword(_username, _password)) {
logger.debug("SSH Failed to authenticate");
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

String script =
Expand Down Expand Up @@ -237,7 +237,7 @@ private Answer execute(VmDataCommand cmd) {
sshConnection.connect(null, 60000, 60000);
if (!sshConnection.authenticateWithPassword(_username, _password)) {
logger.debug("SSH Failed to authenticate");
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
}

String script = String.format("python /usr/bin/baremetal_user_data.py '%s'", arg);
Expand Down
2 changes: 1 addition & 1 deletion server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -534,7 +534,7 @@ private boolean verifyRequest(Map<String, Object[]> requestParameters) {
// if api/secret key are passed to the parameters
if ((signature == null) || (apiKey == null)) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request...sig: " + signature + ", apiKey: " + apiKey);
LOGGER.debug("expired session, missing signature, or missing apiKey -- ignoring request");
Copy link
Contributor

@DaanHoogland DaanHoogland Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do you consider this one harmful? if so, this is going over the connection as well. The apikey should not be a secret and the signature is generated from the apikey and the secretkey so should not give any information.

Copy link
Contributor Author

@YLChen-007 YLChen-007 Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DaanHoogland Thank you for the feedback. While I agree that HMAC signatures are
cryptographically secure, I believe logging them still poses security risks:

Key concerns:

  1. Log files ≠ Network transmission: Logs are persistent, often stored in plaintext, and accessible to more parties (developers, ops, log aggregation systems) than encrypted HTTPS traffic.

  2. Replay attack window: If logs are compromised during the signature's validity period, attackers could potentially replay the request.

  3. API Key enumeration: Logging API Keys reveals which accounts exist, enabling targeted attacks and violating information disclosure principles.

  4. Compliance & Best Practice: OWASP and security standards recommend against logging authentication credentials, even derived ones like signatures.

  5. Defense in depth: Even if theoretically safe, removing sensitive data from logs reduces attack surface at minimal cost.

Suggested approach:

  • Keep the sanitized logging (no signature/apiKey in output)
  • If debugging is needed, log only partial values (e.g., first 8 chars)

This aligns with the principle of least privilege and real-world security practices.

Copy link
Contributor

@DaanHoogland DaanHoogland Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, @YLChen-007 makes sense.

}
return false; // no signature, bad request
}
Expand Down
3 changes: 2 additions & 1 deletion server/src/main/java/com/cloud/user/AccountManagerImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3006,7 +3006,8 @@ private UserAccount getUserAccountForSSO(String username, Long domainId, Map<Str

if ((signature == null) || (timestamp == 0L)) {
if (logger.isDebugEnabled()) {
logger.debug("Missing parameters in login request, signature = " + signature + ", timestamp = " + timestamp);
logger.debug("Missing parameters in login request, signature present: " +
(signature != null) + ", timestamp = " + timestamp);
}
return null;
}
Expand Down
Loading
Loading