Issue #6857 has been updated by Ben Hughes.

Status changed from Investigating to Ready For Testing
Branch set to https://github.com/barn/puppet

Have pushed a version to try this to 
https://github.com/barn/puppet/tree/tickets/2.6.x/6857-password-disclosure-when-changing-a-users-password
----------------------------------------
Bug #6857: password disclosure when changing a user's password
https://projects.puppetlabs.com/issues/6857

Author: Mark Heily
Status: Ready For Testing
Priority: Normal
Assignee: Ben Hughes
Category: 
Target version: 
Affected Puppet version: 2.6.4
Keywords: 
Branch: https://github.com/barn/puppet


When puppet-agent changes a user's password in /etc/shadow, the hashed values 
of the old and new passwords are printed in a log message. An example:

    notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword

This is a security risk, since Puppet log messages can be exposed to 
non-privileged users through a variety of mechanisms. It would be best if the 
passwords were stripped out of the log message, and replaced with something 
generic like this:

    notice: /Stage[main]/User[root]/password: should be changed
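
For logs that were already written with hashes in them, a log-side check, as an added example that is not part of the ticket or of Puppet's code: it finds lines carrying crypt(3)-style hashes and rewrites the password notice into the generic form proposed above. All names are hypothetical, and every sample line except the first (taken from the report) is constructed.

```ruby
# Added example, not Puppet code. CRYPT_HASH, PASSWORD_NOTICE, redact_line
# and leaked_lines are hypothetical names chosen for this illustration.

# Modular crypt format: $id$[rounds=N$]salt$hash
# e.g. $1$ (MD5-crypt, as in the report), $5$/$6$ (SHA-256/512 crypt).
CRYPT_HASH = %r{\$[0-9a-z]{1,2}\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+}

# A property-change message for the password attribute of a User resource.
PASSWORD_NOTICE = %r{\A(?<prefix>.*User\[[^\]]+\]/password:) .*\z}

# Return the line with any password hash removed.
def redact_line(line)
  line = line.chomp
  m = PASSWORD_NOTICE.match(line)
  if m && line =~ CRYPT_HASH
    # Drop both the old and the new value, keep the resource path.
    "#{m[:prefix]} should be changed"
  else
    # Any other line: mask the hash in place, leave the rest readable.
    line.gsub(CRYPT_HASH, '[REDACTED]')
  end
end

# 1-based numbers of the lines that contain a hash (for auditing old logs).
def leaked_lines(lines)
  lines.each_with_index.select { |l, _| l =~ CRYPT_HASH }.map { |_, i| i + 1 }
end

# Sample input: line 1 is the example from the report, lines 2-3 are constructed.
SAMPLE_LOG = [
  'notice: /Stage[main]/User[root]/password: is $1$abcdef12$SeCrEtPaSSword, should be $1$cbgb133$VerySecretPassword',
  'notice: Finished catalog run in 1.42 seconds',
  'debug: usermod -p $6$rounds=5000$saltsalt$AbCdEf0123./xyz root'
].freeze

if __FILE__ == $0
  puts "lines with hashes: #{leaked_lines(SAMPLE_LOG).inspect}"
  SAMPLE_LOG.each { |l| puts redact_line(l) }
end
```

Redacting a log after the fact does not undo the exposure: any hash found this way should be treated as disclosed and the password rotated.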



