The OpenStack CLI Python clients need a username and password for every request they make. They can obtain those credentials in several ways:

  • From the OS_USERNAME and OS_PASSWORD environment variables. A process environment is not a secret store: it is readable through /proc/<pid>/environ by any process running as the same user (and by root), it is inherited by every child process, and it ends up in crash dumps and debugger output, so this may result in information disclosure and EoP.
  • From the OpenStack RC file, which you can download from the Dashboard with the environment variables already set for a user. However, storing credentials in unencrypted files on disk is prohibited and may result in information disclosure and EoP.
  • Through OpenStackClient, which supports authentication:
    • by prompting for the password on each request when OS_PASSWORD is not set
    • with a previously issued authentication token, so the password itself never has to be present on the host

To avoid the risk of revealing passwords, use OpenStackClient. If you must use the old OpenStack CLI Python clients, apply the EoP mitigation steps described below:

  • To access the OpenStack API through the OpenStack Python CLI clients, dedicate an additional node or virtual machine, place it in a separate internal DMZ and use it solely for this purpose (a jump host).
  • On this node, disable all unnecessary services and disable the SFTP subsystem (so that RC files and other credential files cannot simply be copied on or off the host), or make SSH/SFTP reachable only from a dedicated, trusted network segment.
  • On this node, consider using a grsecurity-patched kernel.
  • Implement a bash or other shell script that wraps the standard OpenStack Python CLI clients and requires the password to be entered for each run. The supplied password is placed in the environment variable for that one run only and unset afterwards, so it is never exported into the interactive shell or written to an RC file.
  • Disable shell history for all users, so that commands carrying credentials on the command line (for example --os-password) are not written to ~/.bash_history.
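The following wrapper is an added example of the script described in the steps above; it is written by the editor and is not part of the OpenStack project. It assumes (these names are the editor's, not from the original text) that the script is saved as os-cli-wrap.sh, that the first argument is the legacy client executable (nova, glance, cinder and so on, all external commands) followed by that client's own arguments, and that the non-secret variables OS_AUTH_URL, OS_USERNAME and OS_TENANT_NAME are already set in the environment. The password is read from the terminal without echo on every run, handed to the client as OS_PASSWORD in that child's environment only, and never exported by the calling shell; the wrapper also refuses to start if OS_PASSWORD is already present, since that is exactly the leak path it exists to close.

```shell
#!/bin/sh
# os-cli-wrap.sh -- editor's example wrapper for the legacy OpenStack CLI clients
# (nova, glance, cinder, ...). Not part of the OpenStack project.
#
# Assumptions (not from the original text): the first argument is the client
# executable (an external command, not a shell function), the remaining
# arguments are passed through unchanged, and OS_AUTH_URL, OS_USERNAME and
# OS_TENANT_NAME are already set in the environment.
#
# Usage: ./os-cli-wrap.sh nova list

# Refuse to run if a password is already in the environment: an exported
# OS_PASSWORD is readable via /proc/<pid>/environ by the same user (or root)
# and is inherited by every child process.
check_env_clean() {
    if [ -n "${OS_PASSWORD+set}" ]; then
        echo "OS_PASSWORD is already set in this environment; unset it and retry" >&2
        return 1
    fi
    return 0
}

# Read a password from the terminal without echo into the variable named by $1.
# stty is used instead of bash's 'read -s' so the script works under plain sh.
read_password() {
    printf 'OpenStack password for %s: ' "${OS_USERNAME:-<unset>}" >&2
    _stty_saved=$(stty -g 2>/dev/null) || _stty_saved=
    if [ -n "$_stty_saved" ]; then
        stty -echo
        # Restore echo even if the user hits Ctrl-C at the prompt.
        trap 'stty "$_stty_saved"; trap - INT TERM; exit 130' INT TERM
    fi
    _rc=0
    IFS= read -r _pw || _rc=$?
    if [ -n "$_stty_saved" ]; then
        stty "$_stty_saved"
        trap - INT TERM
    fi
    echo >&2
    if [ "$_rc" -ne 0 ] || [ -z "$_pw" ]; then
        echo "no password entered" >&2
        unset _pw
        return 1
    fi
    # Assign to the caller's variable without re-expanding the password contents.
    eval "$1=\$_pw"
    unset _pw
}

# Run "$@" with OS_PASSWORD set only in that child's environment. The variable
# is never exported by this shell, so it disappears when the client exits and
# cannot leak into later commands or into this process's own environ.
run_with_password() {
    _rwp_pw=$1
    shift
    _rc=0
    OS_PASSWORD="$_rwp_pw" "$@" || _rc=$?
    unset _rwp_pw
    return "$_rc"
}

main() {
    if [ "$#" -lt 1 ]; then
        echo "usage: ${0##*/} <client> [client arguments...]" >&2
        return 2
    fi
    check_env_clean || return 1
    read_password pw || return 1
    run_with_password "$pw" "$@"
    _rc=$?
    unset pw
    return "$_rc"
}

# Only run when executed under this file name, so the functions can also be
# sourced (for example by a test harness) without prompting for a password.
case "${0##*/}" in
    os-cli-wrap.sh) main "$@" ;;
esac
```

The `OS_PASSWORD="$_rwp_pw" "$@"` form is what does the work: a variable assignment prefixed to an external command is exported to that command alone, so there is no window in which the parent shell carries the password and nothing to `unset` afterwards except the script's own temporaries. Combined with disabled shell history and a jump host that has no SFTP access, the password exists only in the operator's head, in the client process, and in the TLS session to Keystone.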