OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [AAA-21] Security Issue in Restconf: Restconf config output produces user name and password in clear text https://jira.opendaylight.org/browse/AAA-21 aaa <p>I mounted couple of Netconf capable devices onto the ODL controller. Once I did that I wanted to get the config output of the<br/> 1. Entire controller ( As controller itself can be mounted as Netconf end point)<br/> 2. The configuration of the mounted device.</p> <p>For the first one I issued the following restconf URL.</p> <p><a href="http://10.18.161.79:8181/restconf/config/opendaylight-inventory:nodes/node/controller-config/yang-ext:mount/config:modules/" class="external-link" target="_blank" rel="nofollow noopener">http://10.18.161.79:8181/restconf/config/opendaylight-inventory:nodes/node/controller-config/yang-ext:mount/config:modules/</a></p> <p>This resulted in some configuration information of the mounted devices including the user name and password to access them.</p> <p>However the user name and password is in clear text which is a big security threat.</p> <p>Operating System: All<br/> Platform: All</p> AAA-21 Security Issue in Restconf: Restconf config output produces user name and password in clear text Bug Resolved Done Unassigned Balaji Varadaraju Fri, 24 Oct 2014 22:29:05 +0000 Thu, 21 Mar 2019 11:56:39 +0000 Wed, 7 Feb 2018 18:56:18 +0000 General 0 4 <p>Restconf is pure pass-thru function and has no knowledge which <br/> data are passwords and which are normal data.</p> <p>For config subsystem you could open enhancement to secure it on controller side.</p> <p>For leaking passwords from remote netconf devices it is security issue in that devices.</p> <p>THis seems as responsibility of AAA Authz Data Broker, which should filter out these leaves based on given authorization.</p> <p>As I mentioned before Restconf is pure pass-thru so it does do any processing<br/> to data except serialization / deserialization.</p> <p>This is a new feature request, as right now the AuthZ Broker Facade only operates on URL/DOM operation input. This is a valuable use case though, and will be prioritized during Boron planning.</p> <p>Fixed in NETCONF by providing encryption option there.</p> Development External issue ID 2251 External issue URL Issue Type ODL SR Target Milestone Rank 0|i023lz: