As reported:
https://bugs.launchpad.net/keystone/+bug/1168252
The LDAP bind password and the admin_token in keystone.conf are secrets, so the
file that holds them should not be readable by other users:
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None <- should be secret
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
[DEFAULT]
admin_token = passw0rd <- should be secret
Red Hat has a modified installer; we install the file as:
-rw-------. 1 keystone keystone 10235 Apr 19 00:21 /etc/keystone/keystone.conf
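A shell check for the condition described above (uncommented secrets in keystone.conf while the file is group- or world-readable), added here as an example and not part of the report or of the Red Hat installer; the path, the expected owner account and the sample contents are assumptions:

```shell
#!/bin/sh
# Added example: audit a keystone.conf for the exposure described above.
# Exit 0 if the file is owner-only and owned by the expected account,
# 1 if group/other can reach it or the owner is wrong, 2 if it is missing.
# Assumed usage: check_keystone_conf /etc/keystone/keystone.conf keystone

# List the uncommented secret-bearing keys: [DEFAULT] admin_token and [ldap] password.
list_secrets() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = $0
            sub(/[ \t]*=.*$/, "", key)   # drop "= value"
            sub(/^[ \t]+/, "", key)      # drop leading indentation
        }
        section == "DEFAULT" && key == "admin_token" { print "DEFAULT/admin_token" }
        section == "ldap"    && key == "password"    { print "ldap/password" }
    ' "$1"
}

check_keystone_conf() {
    f=$1
    want_owner=${2:-keystone}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 2; }
    # ls -ld prints: -rw-------. 1 keystone keystone 10235 Apr 19 00:21 /etc/keystone/keystone.conf
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    rc=0
    case $mode in
        ????------*) ;;   # group and other have no bits; a trailing . or + (SELinux/ACL) is fine
        *) echo "$f: mode $mode grants group/other access" >&2; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ "$rc" -ne 0 ]; then
        # Name the secrets that are actually set so the finding is concrete.
        for s in $(list_secrets "$f"); do
            echo "$f: exposes $s" >&2
        done
    fi
    return $rc
}
```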
Unfortunately when we hardened our installer I didn't check the
upstream distribution for the same flaw, something I should have done.
I'm now going to review the other hardening we did to ensure upstream
is aware of these potential problems.
--
Kurt Seifried Red Hat Security Response Team (SRT)