dell / iDRAC-Redfish-Scripting

Python and PowerShell scripting for Dell EMC PowerEdge iDRAC REST API with DMTF Redfish
GNU General Public License v2.0

scripts leak password on the command line #220

Closed freedge closed 2 years ago

freedge commented 2 years ago

this is a general issue with the scripts in this repo

command looks like:

python3 ExportImportSSLCertificateREDFISH.py -u root -p "${PASS}"  ...

this is insecure as a user logged in on the same machine can see the password when running a ps command at the right time. The password also risks being saved in bash history, and on my machines it will also be saved in an audit log.

there should be another mechanism (eg reading from a file) to provide the password. Thanks!

texroemer commented 2 years ago

Hi @freedge

For all python scripts, if you don't pass in the -p argument, it will prompt you to enter the password, which will not be echoed to the screen or saved in bash history.

Example:

root@SCPexport nfs]# ./ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root --get-cert-types

**- Argument -p not detected, pass in iDRAC user root password:**

- Support cert type values for ExportSSLCertificate -

['CA', 'CSC', 'ClientTrustCertificate', 'Server']

- Support cert type values for ImportSSLCertificate -

['CA', 'CSC', 'ClientTrustCertificate', 'CustomCertificate', 'Server']

Thanks Tex
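The pattern described in this thread (omit -p and the script prompts for the password without echo) plus the file-based mechanism freedge asked for, as an added example. This is not code from the iDRAC-Redfish-Scripting repository: the `--password-file` option, the `read_password_file` and `resolve_password` helpers, and the mode-600 permission check are assumptions made here for illustration.

```python
# Added example (not from the iDRAC-Redfish-Scripting repo): accept the iDRAC
# password without exposing it in `ps` output or shell history.
# The fallback to a hidden prompt mirrors the behaviour Tex describes; the
# --password-file option and the permission check are assumptions added here.
import argparse
import getpass
import os
import stat


def read_password_file(path):
    """Return the first line of a password file.

    Refuses files readable by group/others so a world-readable secret is
    caught before use (assumes POSIX permission bits; on Windows os.stat
    reports 0o666 for ordinary files, so this check would always fail there).
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise PermissionError(
            "%s is readable by group/others; chmod 600 it first" % path)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def resolve_password(cli_password=None, password_file=None,
                     prompt=getpass.getpass):
    """Pick the password source in order of preference.

    1. --password-file: only the path appears in argv; the secret stays in a
       file that only the invoking user can read.
    2. -p on the command line: kept for compatibility, but visible to other
       local users via `ps` and recorded in shell history / audit logs.
    3. Hidden interactive prompt (getpass): nothing is echoed or recorded.
    """
    if password_file:
        return read_password_file(password_file)
    if cli_password:
        return cli_password
    return prompt("Argument -p not detected, pass in iDRAC user password: ")


def build_parser():
    parser = argparse.ArgumentParser(
        description="iDRAC password handling (added example, hypothetical CLI)")
    parser.add_argument("-ip", required=True, help="iDRAC IP address")
    parser.add_argument("-u", required=True, help="iDRAC username")
    parser.add_argument("-p",
                        help="iDRAC password (discouraged: visible in ps and history)")
    parser.add_argument("--password-file",
                        help="file whose first line is the iDRAC password (mode 600)")
    return parser


if __name__ == "__main__":
    args = build_parser().parse_args()
    password = resolve_password(args.p, args.password_file)
    # A real script would now open an HTTPS session against the iDRAC
    # Redfish endpoint with (args.u, password); here we only confirm that a
    # secret was obtained, without printing it.
    print("password obtained for user %s (%d characters)" % (args.u, len(password)))
```

Usage: `./script.py -ip 192.168.0.120 -u root --password-file ~/.idrac_pw` keeps the secret out of the process list, while running it with neither `-p` nor `--password-file` falls back to the hidden prompt exactly as the repository's scripts do.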

freedge commented 2 years ago

ah indeed! thanks for the feedback. Weird I did not see that before, my mistake.