Gerrit/LDAP password in error_log log file when debugging


Leigh Grealis

Feb 21, 2017, 9:00:12 AM
to Repo and Gerrit Discussion
Hi Group,

Gerrit 2.13.2

I was looking into ways of recording Gerrit login times in the log files when I stumbled on something which doesn't seem right.

I've set debug level logging with:

ssh -p 29418 <user>@<server> gerrit logging set-level debug

The idea being that this would show me the package which I would need to set to debug level if I wanted to track in production.

I found that there's an entry that indicates my login ID, timestamp and could be then used to collect last login time and other info.

[gerrit@host logs]$ tail -f error_log | grep -i "username="
[2017-02-21 13:58:05,289] [HTTP-5745 - /gerrit/login/%23%2Fq%2Fstatus%3Aopen] DEBUG org.eclipse.jetty.http.HttpParser : parseNext s=CONTENT HeapByteBuffer@18d883a1[p=2668,l=2707,c=8192,r=39]={POST /gerrit/logi...-Length: 39\r\n\r\n<<<username=lgrealis...rd=PASSWORD>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

The worrying bit for me is:

{POST /gerrit/logi...-Length: 39\r\n\r\n<<<username=lgrealis...rd=PASSWORD>>>

I've changed my password above of course, but it was basically dumping my password (with encoding) into the log file in bare text.

Given that it's dumping out the password I am a little reluctant to use this as a solution to what I need to do, but is this something that we should accept is bad? In this case the user account is tied to a corporate LDAP and that will ring all sorts of alarm bells if corporate LDAP passwords can get into bare text files on servers...

My thought is this may not be Gerrit code doing this - the ultimate code doing this is Jetty but maybe the password should be obfuscated if at all possible...

Any thoughts?

Regards,
Leigh

USA Office: +1 (215) 854 4055
How was my service? Please give feedback.


Save paper – think before you print! This E-mail and its attachments are strictly confidential. If you are not the intended addressee you may not copy, forward, disclose or use any part of this email or its associated attachments (if present). If you have received this message in error, please contact the sender immediately and delete all copies from your system. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for delivery, security or virus integrity nor for any errors or omissions

David Pursehouse

Feb 22, 2017, 12:24:38 AM
to Leigh Grealis, Repo and Gerrit Discussion
On Tue, Feb 21, 2017 at 11:00 PM Leigh Grealis <lgre...@clearvision-cm.com> wrote:
Hi Group,

Gerrit 2.13.2

I was looking into ways of recording Gerrit login times in the log files when I stumbled on something which doesn't seem right.

I've set debug level logging with:

ssh -p 29418 <user>@<server> gerrit logging set-level debug

The idea being that this would show me the package which I would need to set to debug level if I wanted to track in production.

HttpLoginServlet is the gerrit class that handles logins.

I found that there's an entry that indicates my login ID, timestamp and could be then used to collect last login time and other info.

[gerrit@host logs]$ tail -f error_log | grep -i "username="
[2017-02-21 13:58:05,289] [HTTP-5745 - /gerrit/login/%23%2Fq%2Fstatus%3Aopen] DEBUG org.eclipse.jetty.http.HttpParser : parseNext s=CONTENT HeapByteBuffer@18d883a1[p=2668,l=2707,c=8192,r=39]={POST /gerrit/logi...-Length: 39\r\n\r\n<<<username=lgrealis...rd=PASSWORD>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}

The worrying bit for me is:

{POST /gerrit/logi...-Length: 39\r\n\r\n<<<username=lgrealis...rd=PASSWORD>>>

I've changed my password above of course, but it was basically dumping my password (with encoding) into the log file in bare text.

Given that it's dumping out the password I am a little reluctant to use this as a solution to what I need to do, but is this something that we should accept is bad? In this case the user account is tied to a corporate LDAP and that will ring all sorts of alarm bells if corporate LDAP passwords can get into bare text files on servers...

My thought is this may not be Gerrit code doing this - the ultimate code doing this is Jetty but maybe the password should be obfuscated if at all possible...

As you mentioned, the log is coming from jetty:

org.eclipse.jetty.http.HttpParser

so I don't think we can completely stop it unless we patch jetty.

One way to work around it would be to completely disable logging from that jetty class by adding a line in log4j.properties, something like:

log4j.logger.org.eclipse.jetty.http.HttpParser=NONE

Having said that, it's logging at level DEBUG and you probably shouldn't be enabling that long term on a production system anyway...
Any thoughts?

Regards,
Leigh


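Whether or not the Jetty logger is switched off, an administrator who has already run a server at DEBUG wants two things from error_log: to know whether any credentials reached the file (and scrub them before it is shipped or archived), and to still harvest the login timestamps this thread set out to collect. The Python filter below is an added example, not code from the thread, from Gerrit or from Jetty. It assumes the error_log line layout shown above, that the Jetty HttpParser dump wraps the active slice of the request body in `<<<` `>>>`, and that credential fields have names containing `password`, `passwd` or `pwd`. The sample lines are constructed, with a fake password.

```python
"""Scrub Gerrit error_log lines that carry a Jetty HttpParser body dump.

redact_line()  replaces every password-like form value with a marker;
login_event()  extracts (timestamp, username) from a login POST dump, never the password;
scrub_log()    runs both over a whole log and counts how many values leaked.
"""
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# error_log prefix as seen in the thread: [timestamp] [thread - context] LEVEL logger :
LOG_PREFIX = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] "
    r"\[(?P<thread>[^\]]*)\] (?P<level>[A-Z]+) +(?P<logger>\S+) :"
)
JETTY_PARSER = "org.eclipse.jetty.http.HttpParser"

# A form field whose name contains password/passwd/pwd, anchored at a field boundary
# (so "NewPassword=" is caught, but the word inside "HeapByteBuffer" is not touched).
SECRET_FIELD = re.compile(
    r"(?P<key>(?<![A-Za-z0-9_])[A-Za-z0-9_]*(?:password|passwd|pwd)[A-Za-z0-9_]*=)"
    r"(?P<val>[^&\s>]*)",
    re.I,
)
USERNAME_FIELD = re.compile(r"(?<![A-Za-z0-9_])username=(?P<user>[^&\s>]*)")
REDACTED = "[REDACTED]"

# Constructed sample excerpt (not real log data). Line 1 is modelled on the
# HttpParser dump quoted in the thread, with a fake password; line 2 is a GET
# dump with no form body; line 3 is an ordinary INFO record.
SAMPLE_LOG = r"""[2017-02-21 13:58:05,289] [HTTP-5745 - /gerrit/login/%23%2Fq%2Fstatus%3Aopen] DEBUG org.eclipse.jetty.http.HttpParser : parseNext s=CONTENT HeapByteBuffer@18d883a1[p=2668,l=2707,c=8192,r=39]={POST /gerrit/login/%23%2Fq%2Fstatus%3Aopen HTTP/1.1\r\nContent-Length: 39\r\n\r\n<<<username=lgrealis&password=example%21pw>>>\x00\x00\x00}
[2017-02-21 13:58:06,004] [HTTP-5746 - /gerrit/] DEBUG org.eclipse.jetty.http.HttpParser : parseNext s=START HeapByteBuffer@2b1f4e90[p=0,l=312,c=8192,r=312]={<<<GET /gerrit/ HTTP/1.1\r\nHost: host\r\n...>>>\x00\x00}
[2017-02-21 13:58:06,310] [HTTP-5746 - /gerrit/] INFO  com.google.gerrit.httpd.HttpLoginServlet : constructed sample line with no form body
"""


def parse_prefix(line: str) -> Optional[dict]:
    """Split off timestamp, thread, level and logger name; None if the line has another shape."""
    m = LOG_PREFIX.match(line)
    return m.groupdict() if m else None


def is_parser_body_dump(line: str) -> bool:
    """True for the HttpParser DEBUG record that dumps the buffer while in the CONTENT state."""
    p = parse_prefix(line)
    return bool(p) and p["level"] == "DEBUG" and p["logger"] == JETTY_PARSER and "s=CONTENT" in line


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with every password-like value replaced, plus how many were replaced."""
    return SECRET_FIELD.subn(lambda m: m["key"] + REDACTED, line)


def login_event(line: str) -> Optional[dict]:
    """Timestamp and username of a login POST dump; the password is never read."""
    if not is_parser_body_dump(line) or "POST /gerrit/login" not in line:
        return None
    u = USERNAME_FIELD.search(line)
    if not u:
        return None
    return {"timestamp": parse_prefix(line)["ts"], "username": unquote(u["user"])}


def scrub_log(text: str) -> dict:
    """Redact a whole error_log, collect login events, and count leaked values."""
    out, events, leaks = [], [], 0
    for line in text.splitlines():
        ev = login_event(line)
        if ev:
            events.append(ev)
        clean, n = redact_line(line)
        leaks += n
        out.append(clean)
    return {"text": "\n".join(out), "events": events, "leaks": leaks}


if __name__ == "__main__":
    result = scrub_log(SAMPLE_LOG)
    print(f"{result['leaks']} credential value(s) found and redacted")
    for ev in result["events"]:
        print(f"login {ev['username']} at {ev['timestamp']}")
    print(result["text"])
```

Run it as a filter over a copy of error_log before the file leaves the host; a non-zero leak count is the signal that the DEBUG window exposed credentials and that the affected accounts need a password rotation, while the collected events give the last-login data without keeping the body dump around.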

Leigh Grealis

Feb 22, 2017, 4:07:36 AM
to Repo and Gerrit Discussion
Thanks for your input David. I agree setting debug on a production system isn't a good idea.

I personally don't see the importance of persisting login date/time information in Gerrit but I work with plenty of organizations that feel it is useful information for them. Might investigate a simple login extension plugin which could add this feature but I doubt it'll be something that gets into core Gerrit any time soon if at all.

Thanks,
Leigh