CLI and API
The OpenStack CLI Python clients require a username and password to perform a
request.
The OpenStack CLI client can authenticate a user in several ways, using:
- The OS_USERNAME and OS_PASSWORD environment variables, which may result in
  information disclosure and EoP.
- The OpenStack RC file, which you can download from the Dashboard with the
  environment variables already set for a user. However, storing credentials
  in unencrypted files on a disk is prohibited and may result in information
  disclosure and EoP.
- OpenStackClient, which supports authentication:
  - by typing the password for each request
  - with a provisioned authentication token
To avoid the risk of revealing passwords, use OpenStackClient.
To use the old OpenStack CLI Python clients, perform the EoP mitigation steps
described below:
- To access the OpenStack API through the OpenStack Python CLI clients,
  dedicate an additional node or virtual machine, place it in a separate
  internal DMZ, and use it solely for this purpose (a jump host).
- On this node, disable all unnecessary services and disable the SFTP service,
  or make SSH/SFTP accessible only from a dedicated, trusted network segment.
- On this node, consider using a grsecurity-patched kernel.
- Implement a bash or other shell script that wraps the standard OpenStack
  Python CLI clients and requires the password to be entered on each run.
  The supplied password is set as an environment variable for that run only
  and unset after every run.
- Disable shell history for all users.
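The wrapper script from the mitigation steps above, as an added example that is not part of this guide or of any OpenStack project: it prompts for the password on every run, hands it to the client only through the environment of that single child process, and holds nothing afterwards. The client name in OS_WRAP_CLIENT (defaulting to the openstack client), the script name os-wrap and the self_check function are assumptions made for this example; OS_USERNAME and the other OS_* variables are expected to be set by the caller as usual. Because the password is read from the terminal and never placed on a command line, it does not reach shell history or ps output, which also covers the last step above for the password itself.

```shell
#!/bin/sh
# Added example (not from the guide): wrapper around an OpenStack CLI client
# that asks for the password on every run and exposes it only to that one
# child process. Assumed names: OS_WRAP_CLIENT (client to run, default
# "openstack"), os-wrap (this script), self_check (demonstration helper).

OS_WRAP_CLIENT="${OS_WRAP_CLIENT:-openstack}"

# read_password: read one line from stdin and write it to stdout. Echo is
# switched off while stdin is a terminal, so the password is neither shown
# nor recorded in shell history (it is never part of a command line).
read_password() {
    if [ -t 0 ]; then
        printf 'OpenStack password for %s: ' "${OS_USERNAME:-<user>}" >&2
        stty -echo
        IFS= read -r _pw || [ -n "$_pw" ]
        stty echo
        printf '\n' >&2
    else
        IFS= read -r _pw || [ -n "$_pw" ]
    fi
    printf '%s' "$_pw"
    _pw=
}

# run_scoped: run the client with OS_PASSWORD visible only to that child.
# The export happens inside a subshell, so the calling shell never holds an
# exported copy, and the wrapper clears its own copy as soon as the client
# returns. It refuses to run if OS_PASSWORD is already in the environment
# (for instance sourced from an RC file), which is the situation the guide
# tells you to avoid.
run_scoped() {
    if [ -n "${OS_PASSWORD:-}" ]; then
        echo "refusing to run: OS_PASSWORD is already set in this environment" >&2
        return 1
    fi
    _pw=$(read_password)
    if [ -z "$_pw" ]; then
        echo "empty password, nothing done" >&2
        return 2
    fi
    ( export OS_PASSWORD="$_pw"; "$OS_WRAP_CLIENT" "$@" )
    _rc=$?
    _pw=
    unset OS_PASSWORD
    return "$_rc"
}

# self_check: exercises the wrapper against a constructed stand-in client
# (a shell function that only reports whether OS_PASSWORD reached it) and
# confirms that the password does not linger in this shell. Returns 0 on
# success, 1 on any failure.
self_check() {
    fake_client() {
        [ "$1" = "token" ] || return 3
        printf 'got-pw:%s\n' "${OS_PASSWORD:-none}"
    }
    # Constructed input: the password "s3cret" is piped in instead of typed.
    _out=$(OS_WRAP_CLIENT=fake_client; printf 's3cret\n' | run_scoped token)
    _rc=$?
    [ "$_rc" -eq 0 ] || return 1
    [ "$_out" = "got-pw:s3cret" ] || return 1
    [ -z "${OS_PASSWORD:-}" ] || return 1   # nothing leaked into the parent shell
    return 0
}

# Normal use: os-wrap <client arguments>, for example "os-wrap server list".
[ "$#" -gt 0 ] && run_scoped "$@"
```

The subshell around the export is the important part: a plain `export OS_PASSWORD` followed by `unset` would still leave the password exported to any other process started between the two lines, whereas here only the client process ever receives it. The client's own arguments still appear in shell history, so the separate step of disabling history for all users remains necessary.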