Bug ID | 1225432 |
---|---|
Summary | [Agama][Milestone8+] iSCSI Discovery Passwords are logged into y2log in plain text |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Installation |
Assignee | yast2-maintainers@suse.de |
Reporter | locilka@suse.com |
QA Contact | jsrain@suse.com |
Target Milestone | --- |
Found By | --- |
Blocker | --- |
Created attachment 875149
Snippet of the log
When iSCSI Targets are being discovered in Agama, the iSCSI library logs all
the details. Sadly, also including passwords.
How to reproduce? Easily
-> Start Agama Installer
-> Go to Storage details
-> Click Prepare devices by configuring advanced storage technologies
-> Choose iSCSI
-> Click Discover iSCSI targets
-> Fill in some users/passwords
-> Click Confirm
This will be most probably the same in YaST as well because it uses the same
library. BTW, there are two entries for user/password, but you can see only the
first one in the log. That's most probably because the second one would be used
later, if the first one succeeds (not my case).
Additionally, even the save_y2logs script does not remove the passwords. Maybe
because the string in the log is this:
{"name"=>"discovery.sendtargets.auth.password", "value"=>"and their password",
"kind"=>"value", "type"=>1, "comment"=>""}
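
Added example, not part of the original report and not YaST or Agama code: a Ruby scrubber for the entry format quoted above, where the secret sits in a separate "value" field after the "name" field instead of in a password=... pair. The names SECRET_ENTRY, redact_secrets and unredacted_count are hypothetical, the sample log text is constructed, and treating any setting name containing "password" or "secret" as sensitive is an assumption.

```ruby
# Scrub secrets from Ruby Hash#inspect-style entries in log text.
# Hypothetical helper names; this is not the save_y2logs implementation.

REDACTED = "<redacted>"

# Assumption: a setting is sensitive if its name contains one of these words.
SECRET_NAME = /[^"]*(?:password|secret)[^"]*/

# Matches  "name"=>"<sensitive name>", "value"=>"<secret>"
# The value may contain escaped quotes, and the entry may wrap over a line
# break, so the pattern is applied to the whole text, not line by line.
SECRET_ENTRY = /
  ("name"\s*=>\s*"#{SECRET_NAME.source}"\s*,\s*"value"\s*=>\s*")
  ((?:\\.|[^"\\])*)
  (")
/xi

# Returns a copy of text with every sensitive value replaced by REDACTED.
def redact_secrets(text)
  text.gsub(SECRET_ENTRY) { "#{$1}#{REDACTED}#{$3}" }
end

# Number of sensitive entries still carrying a real value; usable as a
# check before a log bundle is attached to a bug report.
def unredacted_count(text)
  text.scan(SECRET_ENTRY).count { |_prefix, value, _quote| value != REDACTED }
end

# Constructed sample: same entry shape as in the report, made-up values.
SAMPLE = <<~'LOG'
  [constructed] {"name"=>"discovery.sendtargets.auth.username", "value"=>"user1", "kind"=>"value", "type"=>1, "comment"=>""}
  [constructed] {"name"=>"discovery.sendtargets.auth.password", "value"=>"pa\"ss,word",
  "kind"=>"value", "type"=>1, "comment"=>""}
  [constructed] {"name"=>"discovery.sendtargets.auth.password_in",
  "value"=>"other-secret", "kind"=>"value", "type"=>1, "comment"=>""}
LOG

if __FILE__ == $PROGRAM_NAME
  puts redact_secrets(SAMPLE)
  warn "unredacted entries left: #{unredacted_count(redact_secrets(SAMPLE))}"
end
```

Scrubbing a collected copy only protects what leaves the machine; the log file on the installed or installing system still holds the value unless the logging call itself masks it.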