RabbitMQ logs password into the log


Tim Bohlender

Feb 16, 2022, 5:44:50 AM
to rabbitmq-users
Hello all together,

We had a crash of our RabbitMQ cluster last Friday. During the investigation in the logs we stumbled over some entries like this (I changed the IP and the username to obfuscate sensitive info):

2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>     supervisor: {<0.5294.2344>,rabbit_channel_sup}
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>     errorContext: shutdown_error
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>     reason: killed
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>     offender: [{pid,<0.5269.2344>},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                {id,channel},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                {mfargs,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                    {rabbit_channel,start_link,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                        [1,<0.18918.2333>,<0.5227.2344>,<0.18918.2333>,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         <<"10.257.321.5:12345 -> 10.257.321.92:1234">>,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         rabbit_framing_amqp_0_9_1,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         {user,<<"username">>,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                             [monitoring,monitoring],
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                             [{rabbit_auth_backend_cache,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                                  {impl,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                                      "CN=LdapUserName,CN=Users,DC=Domain,DC=MoreDomain,DC=DomainTLD",
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                                      <<"PasswordInCleartext">>}}]},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         <<"/">>,
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         [{<<"publisher_confirms">>,bool,true},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                          {<<"exchange_exchange_bindings">>,bool,true},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                          {<<"basic.nack">>,bool,true},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                          {<<"consumer_cancel_notify">>,bool,true},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                          {<<"connection.blocked">>,bool,true},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                          {<<"authentication_failure_close">>,bool,true}],
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                         <0.18908.2333>,<0.5342.2344>]}},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                {restart_type,intrinsic},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                {shutdown,70000},
2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344>                {child_type,worker}]

My expectation would be that there will never be any sensitive data in the log (at least no passwords which are used for LDAP authentication). Is there something we should have configured to prevent this, or anything else which we might have done wrong, or is it intended that, if the connection gets interrupted, sensitive information also gets written into the logs?

With best regards
Tim

Luke Bakken

Feb 16, 2022, 9:15:21 AM
to rabbitmq-users
Hi Tim,

What version of RabbitMQ are you using?

Recent versions try to obfuscate this information but my guess is that this is one area that has been missed. If you would also attach your full configuration files (with passwords replaced with * or something) that would give a clear picture of how you're configuring the cache and LDAP plugins.

Thanks,
Luke

Tim Bohlender

May 18, 2022, 5:13:03 AM
to rabbitm...@googlegroups.com
Hi,

Sorry for the very late answer, but I didn't notice your answer.

I've appended the config files, but there are no passwords included anyway. However, I've had a closer look at the config, and stumbled upon this entry in "advanced.config":

{log, false}

Which actually should completely deactivate the logging of that LDAP stuff. Actually I looked up the possible options, and somehow one could end up thinking that instead of "false" the value "network_unsafe" was used (which wasn't the case).

Finally, regarding the RabbitMQ version:
RabbitMQ: 3.9.9
Erlang: 24.1.5

With best regards
Tim


rabbitmq.conf
advanced.config

Luke Bakken

May 18, 2022, 1:20:52 PM
to rabbitmq-users
Hi Tim,

Thanks for the information. I'm looking into how rabbit_auth_backend_cache information got into that output.

Luke

Luke Bakken

May 18, 2022, 3:47:40 PM
to rabbitmq-users
Hi Tim,

It looks like you've found a case where we *might* be able to hide that data. I've created this issue to track it -


Of course, file permissions for the log files and server access are your best means of protection.

Luke
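
Added example, not part of the thread and not RabbitMQ code: a scrubber for log files that already contain such supervisor reports, for use before logs are archived or attached to a support request. It assumes the tuple layout quoted in the first message ({impl, DN string, password binary}, possibly wrapped over several lines); the sample lines are constructed from that excerpt.

```python
import re
import sys

# Tokens that matter: the start of an impl tuple, an Erlang binary, a quoted
# string (the DN, skipped so braces inside it are ignored) and a closing brace.
TOKEN = re.compile(
    r'(?P<impl>\{impl,)'
    r'|(?P<bin><<"(?:[^"\\]|\\.)*">>)'
    r'|(?P<str>"(?:[^"\\]|\\.)*")'
    r'|(?P<close>\})'
)
MASK = '<<"[REDACTED]">>'

def redact_lines(lines):
    """Mask the first binary after '{impl,'; state carries across lines
    because the report wraps the DN and the password onto separate lines.
    Returns (redacted_lines, hits) where hits are 1-based line numbers."""
    armed = False              # True between '{impl,' and its closing brace
    out, hits = [], []
    for number, line in enumerate(lines, 1):
        changed = False

        def swap(match):
            nonlocal armed, changed
            kind = match.lastgroup
            if kind == "impl":
                armed = True
            elif kind == "close":
                armed = False
            elif kind == "bin" and armed:
                armed, changed = False, True
                return MASK
            return match.group(0)

        out.append(TOKEN.sub(swap, line))
        if changed:
            hits.append(number)
    return out, hits

# Constructed sample, modelled on the excerpt in the first message.
P = "2022-02-11 16:33:07.993000+01:00 [error] <0.5294.2344> "
SAMPLE = [P + '{user,<<"username">>,', P + ' [{rabbit_auth_backend_cache,',
          P + '  {impl,', P + '   "CN=LdapUserName,CN=Users,DC=Domain",',
          P + '   <<"PasswordInCleartext">>}}]},', P + '<<"/">>,']

if __name__ == "__main__":     # usage: python scrub.py < rabbit.log > clean.log
    cleaned, found = redact_lines(sys.stdin.read().splitlines())
    print("\n".join(cleaned))
    print(f"redacted lines: {found}", file=sys.stderr)
```

The line numbers reported on stderr show which log files and time ranges held a credential, which is the list of passwords to rotate.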

Tim Bohlender

May 20, 2022, 4:38:56 PM
to rabbitm...@googlegroups.com
Thank you very much, I will keep an eye on the issue you've created.

With best regards
Tim
