Password in logs

Question

Password in logs

jmart518 opened this issue a year ago · 2 comments

Hello,

I noticed that when a connection fails, the user password is displayed in plain text in the logs. Is it possible to remove or mask this?

Error: Unable to establish LAN session Error: Unable to establish IPMI v1.5 / RMCP session PHP message: Error occurred when running "ipmitool -H <redacted> -p 623 -U <redacted> -P <redacted> -I imb bmc info". Error loading interface imb PHP message: Error occurred when running "ipmitool -H <redacted> -p 623 -U <redacted> -P <redacted> -I open bmc info".

Answer 1 · 2023-11-21T09:23:20.000Z

I agree to some extent, though I think this isn't really an issue. Passwords in Home Assistant (and on any host really) is inherently insecure. If you can log in to a host, you can find stored passwords on the system. Even when the passwords are encrypted, the host needs the key to read them and thus can be retrieved also.

The more secure way of doing things, is by using API keys instead. As this isn't available in ipmi (as far as I know), we're stuck on using passwords.

Conclusion: It's probably good practise to mask passwords in the logs, as it makes it a bit harder to find.

Answer 2 · 2024-03-16T16:33:03.000Z

Fixed in 1.2.7