Clear text passwords in syslog #413
Comments
|
As an update, this seems to only happen when the password is not accepted and/or is incorrect. I ended up fixing my original issue of "wrong username/password or no answer at TCP:443" by adjusting my password complexity characteristics. Once SexiGraf was able to connect, the above error message(s) and syslog entry were no longer generated. Either way, any password should not be visible in a syslog. As in this case, a mis-typed user name could result in a correct password leak. |
|
Hi Richard and thank you for your support. Nice catch this one :) |
|
@richardkenyan can you confirm by swapping "verbose" to "error" in /opt/microsoft/powershell/7-lts/powershell.config.json you dont see password in syslog please? |
|
Sorry for the delay here, I never saw I had a message. GitHub is not my day to day thing =) |
I think I found an unexpected security issue. I was troubleshooting using a [email protected] account not authenticating. I opened up /var/log and did a cat on syslog to see if there were any errors relating to "wrong username/password or no answer at TCP:443."
In the process of reading through syslog, I discovered the SexiGraf vSphere Credential Store user passwords are in clear text.
I can log into my vCenters with my Read Only accounts without an issue, but I can't get SexiGraf to connect.
See screenshot of log.
This isn't a cert issue either. 1 vCenter has proper internal certs, 1 vCenter has default local cert, SexiGraf has local default cert and is new without any changes. v0.99k and vCenters 7.0u3.
The text was updated successfully, but these errors were encountered: